Inherent vs. Residual Risk, and How To Manage Them


In recent years, organizations have spent a tremendous amount of effort shifting to the cloud, improving their digital infrastructures, and making data more accessible. The pandemic has fast-tracked the shift to working from home, which has increased the use of cloud data storage. This shift has exposed organizations to new threats and magnified existing inherent and residual risks. Confidential data that at one time never physically left the company premises is now stored on the internet through a cloud computing provider, accessible to organization members from the comfort of their homes. This raises the question: could such confidential data also be accessible to cybercriminals?

This new era of remote work comes with its own set of risks. Risk, in general, can be defined as a situation involving exposure to danger, and it is an innate part of life: we make decisions every moment of every day to avoid risks and remain safe. We look both ways when crossing the street, put on a seat belt when we get in the car, and keep hot coffee out of reach when a child comes near. Risks are all around us, and avoiding them is second nature.

What we are not as accustomed to in daily life is avoiding risks online. According to recent studies, a cybercrime takes place every 39 seconds, with ever-evolving tricks and techniques. These numbers suggest that the risks an organization faces at any point in time are also evolving. However, we can categorize them into two main groups: inherent risk and residual risk.

What Is Inherent Risk?

The simplest and most widely used definition of inherent risk is the risk that exists before any security controls are applied. For example, imagine a retail organization that has never trained its employees to recognize social engineering attacks. If a social engineering attack succeeds in this scenario, it is because of the inherent risk that exists due to the lack of proper training. In the absence of appropriate security controls, the possible risks are endless.

The good news is that inherent risks are avoidable!

Most of the risk can be mitigated by applying appropriate security controls. The survival and safety of your organization depend upon the information security measures it takes. The inherent risk is the foundation on which an organization designs its security policies and procedures. It must be assessed correctly to ensure the security of private information.

In the scenario above, you can mitigate the risk by carrying out annual awareness training for your employees. Another way to protect against social engineering attacks is to include this training in the onboarding process for new recruits.

That’s it? That is doable!

If only that was the end of the story. Unfortunately, protecting ourselves against risks does not make us risk-proof. There is another type of risk you should be aware of, one that is a bit more stubborn than the former: the residual risk.

What Is Residual Risk?

The residual risk is defined as the leftover risk after the mitigating controls have been applied to minimize the inherent risk. It can be derived from the inherent risk using the following mathematical expression:

Residual Risk = Inherent Risk – Impact of applied controls

The fact of the matter is that it is very hard to minimize, let alone eliminate, risk. Putting on your seat belt before a commute is a great way to protect yourself against the inherent risk of vehicular transportation, but it does not completely guarantee safety. There is always the residual risk of getting hurt in an accident, even though it is unlikely.

Residual risk is what remains after risk treatment has been carried out. Depending on the likelihood and impact of the risk, you may choose to treat, avoid, transfer, or accept it. For example, a company conducts regular awareness training for its employees to reduce the risk of falling victim to phishing attacks, but the residual risk remains: an employee might have missed the training, not paid attention, or could absentmindedly fall prey to such an attack.

The first step in the risk management process is to assess and identify all the existing (inherent) risks to your business. Next, categorize them based on their business impact and treat the ones that are unacceptable by applying controls. The leftover risk at the end of this process is what is known as the residual risk.

Why is it important?

ISO 27001 makes residual risk mitigation a vital part of the risk management process. For compliance, you must monitor the organization’s residual risks; doing so tells the security/audit team whether the devised treatment plan was sufficient. The best practice is to set a risk appetite threshold, which defines the acceptable level of risk that an organization can take on without impacting the business. After setting the threshold, the objective is to keep the residual risk under this level.

Risk management is a cycle: you start by identifying inherent risks and mitigating them by applying controls, which yields the residual risk after the treatment plan. Then you check whether it is below the threshold; if not, the cycle repeats until it is. The information security team must define the threshold carefully, because the organization has to carry that residual risk for the lifetime of the business. Therefore, the threshold must be a level that can be absorbed without a loss.

Risk Management Outcomes

Identifying residual risk is not enough; one must have a plan to address all the possible outcomes of this complex process. A strategic roadmap for risk management is a document that lists the key elements of the risk management process; its possible outcomes can be categorized as:

Risk Tolerance: Every organization has a level of tolerance below which all risk is acceptable. The key to good risk management lies in the correct assessment of the organization’s risk tolerance.

No Action Required: If the residual risk is below the risk tolerance threshold, no further action is needed.

Additional Mitigation Techniques: Most of the time, the residual risk will be greater than the risk tolerance threshold. This requires brainstorming additional mitigation techniques to reduce the residual risk, and it involves a reassessment of the risk and a new treatment plan.

Re-evaluation of Risk: The risk management process is repetitive. Evaluating risk is itself a major task, but each time the residual risk exceeds the risk tolerance threshold, re-evaluation is required. As mentioned before, risk management is a cycle that only ends when the risk falls below the acceptable threshold.

Cost Analysis: Many times, you will find that the residual risk cannot be decreased below a certain point and is still higher than the acceptable risk. A thorough cost analysis must be conducted at this point to determine whether the cost of applying more controls exceeds the impact of the risk.
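As an added worked example (not from the original post), the following Python sketch applies the formula Residual Risk = Inherent Risk – Impact of applied controls and walks the cycle described above until the residual is within the risk appetite, producing the "no action required", "additional mitigation" and "cost analysis" outcomes. The scoring model (a 1–5 likelihood × impact scale, each control removing a fraction of the remaining score, and a loss-per-point figure for the cost analysis) is an assumption for illustration, and the phishing risk and control figures are constructed samples.

```python
from dataclasses import dataclass, field
# Assumed model: 1-5 likelihood x impact; each control removes a fraction of the remaining score.

@dataclass
class Control:
    name: str
    reduction: float    # fraction of remaining risk score removed (0.0 to 1.0)
    annual_cost: float  # constructed figure, same unit as loss_per_point below

@dataclass
class Risk:
    name: str
    likelihood: int     # 1 (rare) to 5 (almost certain)
    impact: int         # 1 (negligible) to 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        # Residual Risk = Inherent Risk - Impact of applied controls
        score = self.inherent()
        for c in self.controls:
            score -= score * c.reduction
        return round(score, 2)

def run_cycle(risk: Risk, appetite: float, candidates: list, loss_per_point: float) -> list:
    # Treat and re-evaluate until the residual is within appetite or nothing left is worth its cost.
    log, pending = [], sorted(candidates, key=lambda c: c.annual_cost)  # cheapest first
    while True:
        residual = risk.residual()
        if residual <= appetite:
            log.append(f"no action required: residual {residual} <= appetite {appetite}")
            return log
        if not pending:
            log.append(f"cost analysis: residual {residual} stays above appetite; accept or transfer")
            return log
        c = pending.pop(0)
        avoided = residual * c.reduction * loss_per_point  # expected loss this control avoids
        if c.annual_cost > avoided:  # cost analysis: control costs more than the risk it removes
            log.append(f"skip {c.name}: cost {c.annual_cost:.0f} > avoided loss {avoided:.0f}")
            continue
        risk.controls.append(c)
        log.append(f"additional mitigation: applied {c.name}, residual now {risk.residual()}")

if __name__ == "__main__":  # constructed sample: phishing risk, inherent score 20
    phishing = Risk("phishing", likelihood=5, impact=4)
    options = [Control("onboarding training", 0.2, 2000), Control("awareness training", 0.5, 5000),
               Control("email filtering gateway", 0.6, 40000)]
    print("\n".join(run_cycle(phishing, 4.0, options, loss_per_point=2000)))
```

With the sample figures the two training controls bring the score from 20 to 8, the expensive gateway fails the cost analysis, and the remaining residual must be accepted or transferred; raising the appetite to 10 ends the cycle with "no action required" instead.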

In sum, a well-thought-out plan of action can help your risk team sail through the toughest of times. The art of risk management is neither to overestimate nor underestimate the organization’s tolerance for risk. Only properly conducted assessments will lead you towards successful endeavours.

Risk management is a continuous process involving constant re-evaluation. To stay ahead of new and ever-evolving risks, you will need all the help you can get to stay on top of your organization’s current security posture. This is where we can support you with our enterprise-capable GRC management software. Our solutions are focused on providing seamless and automated solutions for tech-based SMBs. Reach out to our team to learn more!