The Inherent Risk Fallacy
“The concept of ‘inherent risk’ is impossible to measure or even define. The idea of looking at risk absent of all hard controls, soft controls or mitigations provides little or no useful information in most cases.” (Todd Perkins)
Lately I have seen a resurgence in the use of the term “inherent risk”, and it has annoyed me enough to write this article. Just like Todd, I do not believe that inherent risk provides any information that adds value to the process of risk assessment.
Risky Thinking defines Inherent Risk as the risk that exists when no controls have been put in place.
So let’s think about this rationally. How do we actually assess a risk as if it existed in an environment void of controls? In fact, why would we want to assess a risk that way at all? The answer, apparently, is to determine the effectiveness of the current control environment.
Confused? Okay – let’s simplify it a bit.
Imagine the identified event is: corrupt behaviour by a Council official in relation to the approval of development applications. If we were to travel back to a point in time where there were no internal controls around development applications, we would have to assess the likelihood as at least Possible, if not Likely, with consequences expected to be Major or Severe. The risk level without controls would therefore, in all probability, be High.
After we have finished this assessment, we identify the controls we currently have in place and assess the risk again. This time we assess the likelihood as Unlikely (usually without any evidence), while the consequences if the event does occur are still likely to be Major or Severe. The risk level with controls would therefore, in all likelihood, be Medium.
But herein lies the fallacy: those assessing the risk assume that because the uncontrolled rating was High and the controlled rating is Medium, the control environment must be effective, and that the risk has therefore been reduced to the assessed level. The reasoning is circular. The Medium rating was only produced by assuming the controls work, so it cannot then serve as evidence that they do. This is a myth, and one that needs to be shattered.
Put simply, the only true way to assess the effectiveness of the control environment is to measure it against pre-determined performance measures.
When identifying our risk we need to determine the event itself, the causes, the consequences and the controls that are already in place. Once identified, we need to determine the effectiveness of these controls. This is not as simple as making a judgement; there needs to be evidence of their effectiveness.
I have been in workshops where I have asked, “How effective is that control?” The answer invariably is: “It is effective.” When I ask how they know that, they say, “Well, nothing has happened.” This too is a fallacy. The absence of incident does not necessarily indicate the effectiveness of a control; it may just mean you have been lucky!
Knowing whether your controls are effective requires significant effort, particularly when establishing the controls. Each one needs: a control owner, measures of effectiveness (performance measures), and monitoring and review requirements. Without these, the organisation has no idea whatsoever as to the effectiveness of the control.
Using inherent risk means guessing what the level of risk would be without controls, and then comparing that guess against the current control environment, which in essence has also been a guess, to determine how effective the current controls are. That alone should give you some idea why inherent risk is a fallacy.
To me, organisations should focus on two levels:
- Current Level of Risk: the level of risk with the current controls in place (with evidence of their effectiveness); and
- Target/Residual Level of Risk: the level of risk after:
  - current controls have been brought to a state of effectiveness; and (if required)
  - additional treatments have been developed, implemented and measured for effectiveness.
Not only is inherent risk a fallacy, it is completely unnecessary. All we want to know is what the risk level is now and what level we want to get it to. It is as simple as that.
So the next time a consultant or someone in your organisation insists on assessing the inherent level of a risk, please show them this article. It will save you a lot of time and some unnecessary work that only leads to confusion anyway.