What is the difference between Inherent and Residual Risk?

August 31, 2021

For many firms, the risk assessment process includes an assessment of both Inherent and Residual Risk. Inherent Risk is the level of risk before controls have been applied; Residual Risk is the level of risk that remains after controls have been applied.

Inherent Risk should be assessed when a risk is first defined, and re-assessed after a risk event occurs if the root cause analysis of that event generates new insights or knowledge that cast doubt on the current Inherent Risk assessment.

It should also be re-assessed when the operating environment changes: for example, the delivery of a major initiative, the implementation of a major new system, or a similar transformational change should lead to a re-assessment of the Inherent Risk.

Residual Risk is assessed on a continuous basis: on a pre-defined frequency, whenever a risk event occurs, or both. The purpose of this continuous assessment is to maintain an accurate understanding of the current level of risk (post controls). Residual Risk is the level of risk actually being run, so it should be kept current on a real-time or near real-time basis.

For example, a firm may have a risk ‘E-commerce website is unavailable’ in its Risk Register. Using the table below, it assesses the Inherent Likelihood as ‘Likely’, because historically the site has been unavailable roughly once a month. However, having implemented a series of controls to improve the performance of the servers and networking that support the website, it assesses the Residual Likelihood as ‘Possible’. Every month, and immediately after any incident, the Residual Risk is reviewed and reassessed against what has actually been observed.


Over time, the value of transactions via the website grows significantly, and with it the impact of the site being unavailable, because each outage now means more missed sales. Therefore, a major new initiative is undertaken to move the site from the internally hosted server farm to a leading SaaS cloud provider.

Once this initiative is completed and the site has been moved, the risk should be reassessed from both an Inherent and a Residual Risk perspective to reflect the change in the website's operating environment: it is no longer running from an in-house server farm but on commercial cloud infrastructure, which has a significantly different risk profile. Note that the risk does not go away; part of the control set is now operated by the provider rather than the firm, and the firm still needs evidence (SLAs, assurance reports, its own monitoring) that those controls are working.

The reassessed Inherent Risk should reflect the new operating environment before controls, and the reassessed Residual Risk should reflect the controls now in place, including those operated by the provider. Incident history from the old server farm should not be used as evidence for the residual rating in the new environment.
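The reassessment cycle described above (continuous residual review driven by incidents, inherent review only on a change of operating environment or when an event casts doubt on the inherent rating) can be made concrete as a small risk-register model. The code below is an added example and is not from the original article; the five-point likelihood scale, the incidents-per-month thresholds behind each band, the 24-month observation window, and the ratings given to the cloud migration are all assumptions, since the article's own likelihood table is not reproduced here.

```python
from datetime import date, timedelta

# Assumed five-point likelihood scale, lowest to highest.
SCALE = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]


def likelihood_from_rate(incidents_per_month: float) -> str:
    """Map an observed incident rate to a likelihood band (assumed thresholds)."""
    if incidents_per_month >= 2:
        return "Almost Certain"
    if incidents_per_month >= 1:          # roughly monthly
        return "Likely"
    if incidents_per_month >= 1 / 12:     # at least once a year
        return "Possible"
    if incidents_per_month > 0:           # seen, but less than yearly
        return "Unlikely"
    return "Rare"


class Risk:
    """One Risk Register entry with inherent and residual likelihood ratings."""

    def __init__(self, name: str, registered: date, inherent: str, residual: str):
        self.name = name
        self.inherent = inherent
        self.residual = residual
        # Start of the period whose incidents evidence the current residual rating.
        self.baseline = registered
        self.incidents: list[date] = []
        self.inherent_review_due = False
        self.log: list[tuple[date, str]] = [
            (registered, f"registered inherent={inherent} residual={residual}")
        ]

    def record_incident(self, when: date) -> str:
        """A risk event triggers an immediate residual review."""
        self.incidents.append(when)
        return self.review_residual(when)

    def review_residual(self, as_of: date, window_months: int = 24) -> str:
        """Periodic (or event-driven) residual review from observed incident rate."""
        window_start = max(self.baseline, as_of - timedelta(days=30 * window_months))
        months = max(1.0, (as_of - window_start).days / 30)
        recent = [d for d in self.incidents if window_start <= d <= as_of]
        self.residual = likelihood_from_rate(len(recent) / months)
        # Residual above inherent is a contradiction: controls cannot make the
        # risk more likely than it was without them, so the inherent rating
        # (set by judgement) is what needs revisiting.
        if SCALE.index(self.residual) > SCALE.index(self.inherent):
            self.inherent_review_due = True
        self.log.append((as_of, f"residual review -> {self.residual}"))
        return self.residual

    def controls_changed(self, when: date, expected_residual: str) -> None:
        """New controls: residual is a judgement until evidence accrues from `when`."""
        self.baseline = when
        self.residual = expected_residual
        self.log.append((when, f"controls changed, residual set to {expected_residual}"))

    def environment_changed(self, when: date, inherent: str, residual: str, reason: str) -> None:
        """Transformational change: re-rate inherent and residual, and discard
        incident history that belongs to the old operating environment."""
        self.baseline = when
        self.incidents = []
        self.inherent, self.residual = inherent, residual
        self.inherent_review_due = False
        self.log.append((when, f"{reason}: inherent={inherent} residual={residual}"))


if __name__ == "__main__":
    # Constructed timeline following the article's worked example.
    risk = Risk("E-commerce website is unavailable", date(2021, 1, 1), "Likely", "Likely")
    for month in range(1, 7):                    # monthly outages Jan..Jun
        risk.record_incident(date(2021, month, 15))
    risk.controls_changed(date(2021, 7, 1), "Possible")
    risk.record_incident(date(2021, 9, 15))      # one outage after the controls
    risk.review_residual(date(2021, 12, 31))     # scheduled year-end review
    risk.environment_changed(date(2022, 1, 1), "Possible", "Unlikely",
                             "migrated to SaaS cloud provider (assumed ratings)")
    for when, entry in risk.log:
        print(when, entry)
```

The observation window restarts at `controls_changed` and `environment_changed` so that outages from before a control or platform change do not keep the residual rating high, and `inherent_review_due` implements the point that an event can cast doubt on the inherent assessment: an observed residual band above the recorded inherent band means the inherent rating was wrong, not that the controls are.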