Inherent vs. Residual Risk, and How To Manage Them

In recent years, organizations have spent a tremendous amount of effort shifting to the cloud, enhancing their digital infrastructures, and improving data accessibility. The pandemic accelerated the transition to remote work, increasing reliance on cloud data storage, 60% of all corporate data stored in the cloud, as of 2023. However, this shift has exposed organizations to new threats and magnified existing inherent risks and residual risks. Confidential data, once securely confined within company premises, is now stored online through cloud computing providers and accessible to employees working remotely. This raises a critical question: could this confidential data also be accessible to cybercriminals?

This new era of remote work comes with its own set of risks. Risk, in general, can be defined as a situation involving exposure to danger. Risk is inherent in nature. Risk is an innate part of life, and we make decisions in each moment of each day to avoid risks and remain safe. When walking across the street we look both ways, we put on a seat belt when we get in the car, we are aware of hot coffee when a child comes near – risks are all around us, and avoiding them is second nature.

What we are not as accustomed to in daily life is avoiding risks online. According to recent studies, a cybercrime takes place every 39 seconds, with ever-evolving tricks and techniques. These numbers suggest that the risks an organization faces at any point in time are also evolving.

Inherent vs Residual Risk cybercrime stat

Organizations can categorize these risks into two main types: Inherent Risk and Residual Risk.

What Is Inherent Risk?

The simplest and most widely used definition of inherent risk is risk without any applied security controls. For example, imagine a retail organization that has never trained its employees against social engineering attacks. If a social engineering attack happens in this scenario, it will be due to the inherent risk that exists because of a lack of proper training. The possibilities of risks are endless in the absence of appropriate security controls.

The good news is that inherent risks are avoidable!

Most of the risk can be mitigated by applying appropriate security controls. The survival and safety of your organization depend upon the information security measures it takes. The inherent risk is the foundation on which an organization designs its security policies and procedures. It must be assessed correctly to ensure the security of private information.

In the previously discussed scenario, you can mitigate the risk by carrying out annual awareness training for your employees. Another way to protect against the risk of social engineering attacks would be to train employees how to protect themselves during the onboarding process of new recruits.

That's it? That is doable!

If only that was the end of the story. Unfortunately, protecting ourselves against risks will not make us risk-proof. There is another type of risk that you should be aware of which is a tad bit more stubborn than the former. That is the Residual Risk.

What Is Residual Risk?

The residual risk is defined as the leftover risk after the mitigating controls have been applied to minimize the inherent risk. It can be calculated using the following formula:

Residual Risk = Inherent Risk – Impact of applied controls

Mitigating risks completely is challenging. For example, wearing a seatbelt mitigates the inherent risk associated with vehicular transportation, but it does not entirely eliminate the possibility of injury in an accident—this is the residual risk.

Residual risk is what remains after risk treatment has been carried out. Depending on the likelihood and impact of this risk, an organization may choose to treat, avoid, transfer, or accept it. For example, even if a company conducts regular phishing awareness training for its employees, residual risk persists. An employee might miss the training, not pay attention, or inadvertently fall victim to an attack.

The first step in the risk management process is to assess and identify all existing inherent risks to your business. Once identified, these risks should be categorized based on their impact on the business, and unacceptable risks should be treated by applying controls. The remaining risk after this process is the residual risk.

Why is Residual Risk Important?

ISO-27001 mandates residual risk mitigation as a cri tical component of the risk management process. For compliance, organizations must monitor their residual risks, which help the security and audit teams determine whether the applied treatment plans are effective. The best practice is to set a threshold for risk appetite, which defines the acceptable level of risk that the organization can bear without affecting business operations. The goal is to keep the residual risk within this threshold.

Risk management is an ongoing cycle. It begins with identifying inherent risks, which are then mitigated through control measures. The resulting residual risk is assessed to determine if it falls below the acceptable threshold.

If not, the cycle repeats until the risk is brought within acceptable levels. The concept of inherent risk, along with control risk and detection risk, plays a crucial role in this process. Financial reporting, internal controls, and audit procedures are essential in maintaining this balance.

Risk Management Outcomes

Identifying residual risk is not enough, one must have a plan to address all the possible outcomes of this complex process. A strategic roadmap to risk management is a document that lists key elements of the risk management process, the possible outcomes of which can be categorized as:

Risk Tolerance: Organizations must determine their level of risk tolerance, below which all risks are considered acceptable. Accurate assessment of inherent risk factors is key to effective risk management.
No Action Required: If the residual risk is below the risk tolerance threshold, no further action is needed.
Additional Mitigation Techniques: Often, residual risk will exceed the risk tolerance threshold, requiring additional controls. This involves reassessing inherent risk and devising a new treatment plan.
Re-evaluation of Risk: Risk management is iterative. Each time residual risk exceeds the acceptable threshold, reassessment is needed to determine the effectiveness of the applied controls.
Cost Analysis: When residual risk cannot be reduced below a certain point, a cost analysis is necessary to determine if the cost of further controls outweighs the potential impact of the risk.
Documentation and Reports: Documenting all risk management activities and outcomes is crucial for compliance and audit purposes.

Final Words

In sum, a well-thought-out plan of action can help your risk team sail through the toughest of times. The art of Risk Management is neither to over-estimate nor under-estimate the organization’s toleration of risk. Only properly conducted assessments will lead you towards successful endeavors.

As risks continue to evolve, organizations must continually reassess their security structures to stay ahead. To stay on top of new and ever-evolving risks that may arise, you will need all the help you can get to stay on top of your organization’s current security structure.