Inherent Risk

Inherent risk refers to how probable an adverse event is to happen, and how severe it’s likely to be when performing a process or activity without risk management. It also sometimes refers to what these probabilities are under current risk controls, if planning to implement new ones.

‍

A more specific definition of inherent risk in banking refers to how likely a financial statement is to contain inaccuracies because a piece of information was either entered incorrectly or left off entirely. This can be related to fraud because it could sometimes be done intentionally.

‍

It's also an instrumental factor for risk management in banking.

‍

For the purpose of this piece, however, we’ll be focusing on inherent risk in a more general risk management context.

‍

‍

Inherent Risk vs. Residual Risk

Related to the concept of inherent risk is residual risk. This is the probability of an adverse event, and its likely severity, in a process or activity after risk management controls are taken into account.

‍

Again, this could be the difference between a hypothetical total lack of risk management and a scenario under current risk management controls. Or it could be a measure of what risk remains when transitioning from a pre-existing set of risk management controls to a new one.

‍

In short, comparing inherent risk vs. residual risk gives a business a general measurement of how effective its risk management program is.

‍

Inherent risk is crucial because it serves as a baseline assessment of all the possible obstacles a business may face in attempting to achieve its objectives. It’s like a prioritized “to-do” list for risk management teams. It serves as a way for them to assess what risks can or can’t be controlled, and how much can be done to manage the controllable ones.

‍

Inherent risk assessment usually looks at four general dimensions:

‍

• Origin – Where is the risk coming from?
• Nature – Why does a particular factor pose a risk to the business?
• Likelihood – How probable is it that a risk factor will cause a problem for the business?
• Impact – If a risk factor causes a problem, how detrimental would it be to the business?

‍

Breaking these down further, some common inherent risk examples are:

‍

• Business routines: How does a company conduct its daily business, and how able is it to adapt to changing circumstances?
  ‍
• Data processing: How efficient is a company’s IT infrastructure at moving, analyzing, and securely storing data?
  ‍
• Operations complexity: How complicated are the transactions and processes a business usually engages in?
  ‍
• Management engagement: How involved is management in daily operations that they would be able to identify errors and inefficiencies?
  ‍
• Management integrity: How ethical are management’s business practices, and how well does the company meet its regulatory compliance obligations?
  ‍
• Audit integrity: How accurately were previous audits in identifying issues?
  ‍
• Transactions among related parties: How often does a company risk conflicts of interest by initiating or facilitating transactions between related parties?

‍

Once a business has done inherent risk analysis, the next step is to figure out how to lower the likelihood and impact of the identified risks. We’ll discuss that in the next section.

‍

Generally speaking, there are four different options for how to reduce inherent risk.

‍

‍

1. Avoid Unnecessary Risk by Finding Alternatives

A simple but effective way to reduce inherent risk is to ask if the activity or process it’s associated with is necessary for the business to operate. Or at least ask if there are alternative ways to carry out a process or activity that don’t pose as much risk. Examples include:

‍

• Using more secure communication systems
• Limiting the information or access given to outside parties
• Training employees on how to identify and avoid unnecessary risks

‍

‍

2. Mitigate Risk by Implementing Controls

The most common way to minimize inherent risk is to use methods for controlling it. These controls typically fall into one of two categories: preventative and detective.

‍

Preventative controls are used to lower the chance of a risk factor causing a problem in the first place. Examples include screening clients and partners for risks at onboarding; requiring authorization for sensitive operations or data; and delegating duties appropriately, so no single employee poses too much risk by being responsible for too many facets of a business.

‍

Detective controls are meant to identify when a risk factor has caused a problem so that risk management teams can act quickly to lessen its impact. These are things like AML monitoring and fraud detection solutions.

‍

‍

3. Delegate Liability for Risk to Another Party

Though not exactly a way to reduce inherent risk, a way to lessen the impact should something go wrong is to transfer the financial and legal liability to someone else. The most common example of this is having adequate insurance.

‍

‍

4. Accept Risk, But Have Solid Justification for Doing So

Not all inherent risks can be controlled or otherwise avoided. But risk management teams should still make every effort to make their business leaders aware of these risks. Not only that, but they should also formally outline and document the potential pros and cons of accepting these risks. This will allow leadership to make informed decisions on whether or not to proceed with a process or activity despite the risks.

‍

‍

One more thing to bear in mind is that having too many controls can decrease an organization’s productivity to the point that it outweighs the usefulness of avoiding risk. So the goal should be to implement controls that efficiently handle the most likely and impactful inherent risks, to the point where residual risk is below an acceptable threshold.

‍

‍Unit21’s risk management solution combines data monitoring and case management into an efficient all-in-one system. Book a demo today to see it in action.

‍

‍