Acknowledging that there was a lot of misunderstanding about residual risk, Mr. Ramesh Pillai (Chairman of Board of Governors, Institute of Enterprise Risk Practitioners) first clarified the differences between Residual and Inherent risk.
Residual risk, he explained, is used in Risk and Control Self-Assessment (RCSA), and is also alluded to in Risk Registers. Primarily related to operational risk, residual risk is usually measured when a firm wants to do business in a known hotspot, for instance, and needs to assess how much risk its project may be exposed to, and whether the firm’s risk appetite could support it.
To assess or not to assess
“When you evaluate anything, you need to evaluate the control environment as well,” explained Mr Ramesh. Therefore, it is worthwhile assessing residual risk if the firm is assessing controls because controls are mitigative measures. However, some firms tend to get distracted when conducting risk analysis, and end up attributing too much importance to terms like “inherent risk,” becoming overly concerned about what it represents within their context.
Remarking that firms like these cannot get comfortable with the current state of their control environment without having a firm grasp on the assessed inherent risk for that scenario, he attributed it to the way they conducted risk assessments before. “Their first step was to identify the inherent risk, then factor in controls to arrive at residual risk,” he said, clarifying that while inherent risk represented the amount of risk that existed in the absence of controls, residual risk, on the other hand, was the amount of risk remaining after controls are accounted for.
However, while the definition of the two terms appear fairly straightforward, their practice does give rise to some challenges; in particular, when closer scrutiny of the “no controls environment” pertaining to inherent risk brings to light that controls did exist in the environment, and only some had been excluded. “The flaw with inherent risk is that in most cases, it does not explicitly consider which controls are being included or excluded,” Mr Ramesh said.
“In a truly inherent risk state, for example, there would be no employee background checks or interviews, and no locks on doors for security. This could lead to all risk scenarios being evaluated as inherently high.”
Understanding what you need
It could also lead to the arbitrary treatment of inherent risk, so a more realistic and useful definition of inherent risk would be the current risk level, given the existing set of controls, rather than an absence of controls. That would make residual risk the risk level remaining, after additional controls are applied. Clarifying the two terms in this way helps to dispel the ambiguity of the “no controls” notion of inherent risk. Controls tend to be factored in for any scenario, regardless of the kind of risk which is connected to it.
It is usual industrial practice when measuring current risk levels for a given scenario, to factor controls into either the frequency or magnitude aspects. These are normally based on things like avoidance, deterrence or methods of response and other mitigative measures. “Doing this allows you to be more intentional when choosing controls,” Mr Ramesh said.
“You can choose to include or exclude certain controls from your analysis, depending on what works and what doesn’t.”
It’s in the controls
Residual risk and inherent risk are two different things but have similarities in some areas. Inherent and residual risk are connected in that inherent risk, less the effect of controls, equals residual risk. This implies that residual risk will always be less than or equal to inherent risk. However, there are instances where residual risk can be higher. This depends on the controls used to modify the risks. “Control” is defined as a specific action taken to reduce either the likelihood of the risk occurring, and/or the consequences of the risk occurring. This implies that residual risk must be less than inherent risk.
However, ISO 31000 has a slightly different perspective of control, defining it as a “measure that is modifying risk” without the implication that it is always reduces the risk. In the business environment, some companies may actually choose to have higher residual risk because higher risk means higher returns. Higher operational risk may not be good, but Enterprise Risk Management (ERM) allows the firm to raise its risk to levels according it is comfortable with. “It is worth thinking about raising residual risk if you are assessing controls,” advised Mr Ramesh.
“But it takes time and a lot of data – at least three years’ worth of clean data.”
Conclusion
The main challenge for companies choosing to measure residual risk is how to measure it accurately for maximum benefit. But even the best efforts may be only arbitrary, Mr Ramesh cautioned. “Even financial institutions do it arbitrarily,” he said, adding that while analysis could be numerical, strategy rarely was; even “near miss” scenarios – the incidents caught and mitigated at the last minute – could give an inkling of what a company’s inherent risks could be. At the end of the day, it comes down to risk assessment. He cautioned that with the MACC’s directive to follow ISO 37001, firms should start immediately on their respective gap analyses, in order to meet the deadline of June 2020.
While mitigative measures do need to be put in place to keep residual risk low, companies have to run cost-benefit analyses to determine if the returns will be worthwhile. They may find that there is no need to measure residual risk as this takes time, effort and resources. Mr Ramesh opined that there was not very much value in measuring residual risk although an assessment should be made. “There is no need to measure residual risk unless you are asked to do it,” he concluded. “It adds no value, but if the Board is pressing for it, it may be an indication that the Board needs to be educated!”
