Everything in life involves some sort of risk, and running a business is no exception. For every objective a company aims to achieve, there are things that can go wrong to stall – or even set back – progress. Collectively, these obstacles are known as “inherent risk.”
In this piece, we’ll dive into what inherent risk is, and why it’s essential to understand from a risk management perspective. We’ll also provide a framework to help you determine what is an inherent risk for a business, and explain options for minimizing the danger inherent risk poses.
We’ll start with an inherent risk definition applicable to general risk management.
Inherent risk refers to how probable an adverse event is, and how severe it’s likely to be, when a process or activity is performed without risk management. It sometimes also refers to these probabilities under current risk controls, when a business is planning to implement new ones.
A more specific definition of inherent risk in banking refers to how likely a financial statement is to contain inaccuracies because a piece of information was either entered incorrectly or left off entirely. This can be related to fraud, because such errors and omissions are sometimes intentional.
For the purpose of this piece, however, we’ll be focusing on inherent risk in a more general risk management context.
Related to the concept of inherent risk is residual risk. This is the probability of an adverse event, and its likely severity, in a process or activity after risk management controls are taken into account.
Again, this could be the difference between a hypothetical total lack of risk management and a scenario under current risk management controls. Or it could be a measure of what risk remains when transitioning from a pre-existing set of risk management controls to a new one.
In short, comparing inherent risk vs. residual risk gives a business a general measurement of how effective its risk management program is.
Inherent risk is crucial because it serves as a baseline assessment of all the possible obstacles a business may face in attempting to achieve its objectives. It’s like a prioritized “to-do” list for risk management teams: a way for them to assess which risks can or can’t be controlled, and how much can be done to manage the controllable ones.
Inherent risk assessment usually looks at four general dimensions:
Breaking these down further, some common inherent risk examples are:
Once a business has done inherent risk analysis, the next step is to figure out how to lower the likelihood and impact of the identified risks. We’ll discuss that in the next section.
Generally speaking, there are four different options for how to reduce inherent risk.
A simple but effective way to reduce inherent risk is to ask if the activity or process it’s associated with is necessary for the business to operate. Or at least ask if there are alternative ways to carry out a process or activity that don’t pose as much risk. Examples include:
The most common way to minimize inherent risk is to use methods for controlling it. These controls typically fall into one of two categories: preventative and detective.
Preventative controls are used to lower the chance of a risk factor causing a problem in the first place. Examples include screening clients and partners for risks at onboarding; requiring authorization for sensitive operations or data; and delegating duties appropriately, so no single employee poses too much risk by being responsible for too many facets of a business.
Detective controls are meant to identify when a risk factor has caused a problem so that risk management teams can act quickly to lessen its impact. These are things like AML monitoring and fraud detection solutions.
Though it is not exactly a way to reduce inherent risk, transferring the financial and legal liability to someone else lessens the impact should something go wrong. The most common example of this is having adequate insurance.
Not all inherent risks can be controlled or otherwise avoided. But risk management teams should still make every effort to make their business leaders aware of these risks. Not only that, but they should also formally outline and document the potential pros and cons of accepting these risks. This will allow leadership to make informed decisions on whether or not to proceed with a process or activity despite the risks.
One more thing to bear in mind is that having too many controls can decrease an organization’s productivity to the point that it outweighs the usefulness of avoiding risk. So the goal should be to implement controls that efficiently handle the most likely and impactful inherent risks, to the point where residual risk is below an acceptable threshold.