Why incorporate “Inherent” risk in conducting risk assessments?

Mainstream definitions generally consider inherent risk as the level of risk that exists where zero controls have been applied (i.e. in its native/untreated state).

But is that ever really possible? Is there ever a reasonable situation/case where a risk does not already have some form of control applied? From a security perspective, this would not seem to be the case, especially when one considers risk from an asset-based perspective (i.e. risk management is about securing assets, because without an asset, there can be no risk). You could extend that thinking to suggest that there can also be no risk in the absence of a threat (or a hazard if you are focused on safety). But that is another article in its own right.

The ISO 31000 Perspective

Although it is scope-agnostic, the Committee(s) who developed ISO 31000:2018 – Risk management did not think inherent risk was warranted in the overarching risk standard. Nowhere in that document is the word inherent mentioned. Neither was it canvassed in its predecessor, ISO 31000:2009. That in itself says a lot.

Given that most risk involves humans somewhere in the equation, the consideration of risk must surely take into account the nature of people. Most have some degree of common sense (cue the comments about the regular lack of common sense in some decision-making quarters), training, experience, or at least “inherent” instinct; those who do not would quite probably have someone caring for them, or another form of control in place to protect them.


Image: Inherent versus Current Risk

Who Considers Inherent Risk?

One example where inherent risk is applied is in the auditing discipline. For example, the Public Company Accounting Oversight Board (PCAOB) states that [1]:

“Risk of material misstatement at the assertion level consists of the following components:

  1. Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls….”

Australia’s Auditing Standard AUS 402 [2], which was issued by the Australian Accounting Research Foundation, takes a lead from this, and similarly considers inherent risk “…the susceptibility of an account balance or class of transactions to misstatement that could be material, individually or when aggregated with misstatements in other balances or classes, assuming there were no related internal controls.”


In simpler terms, financial auditing is concerned with identifying the risk of mistakes or deliberate misrepresentations in financial records, prior to any specific controls being put in place to mitigate it.

In this context it is arguable whether the individuals controlling how financial transactions are recorded are a control in themselves. If they are inept or fraudulent, then perhaps the existing control (e.g. pre-employment screening) is weak.

In a different case, say a business is misreporting for the purpose of avoiding tax; could it be suggested that no controls exist? The threat of punitive measures would most certainly be one deterrent, and there would be more.

Further, wherever financial systems have been developed, you can be sure that some form of control was factored into their design.

Inherent Risk Endures

Notwithstanding all of this, it would seem that the application of inherent risk has been around long enough to become embedded. If it serves a purpose and the nature of its use is fully understood, then all power to financial auditors (and others). But that doesn’t mean that others need to follow.

It would be interesting to see where else inherent risk is practised in preference to other pre-treatment references such as, for example, “current” risk. This descriptor mildly implies that at least some controls are already in place, even if they are as ‘rudimentary’ as human intuition.

A Closing Perspective

Dr. Carl Gibson, Chair of the Education Committee for the Australian Risk Policy Institute (ARPI), among other roles, reasons that both terms, inherent and current, are confections. Dr. Gibson posits that “If we accept that risk (as a concept that we are most familiar with) is a social construct (i.e. risk is created in the mind to explain certain aspects of uncertainty and possible futures) then how can risk be inherent? It is just risk. What then is a ‘current risk’? If we are considering a risk does that make it ‘current’; if we have a risk that is no longer part of our consideration does that make it non-current?”

He also calls into question the value of focusing on inherent risk, and indeed suggests that it may be a contributor to sub-optimal outcomes: “If all controls are removed then any modelling of risk will tend to the highest possible consequence with an almost certain probability. How does this add value to any risk assessment[?]” Indeed, this is the point made in the illustration above.

Yours in security risk management,

Konrad Buczynski

Konrad was a graduate of the Royal Military College Duntroon and served as an Australian Army Officer and telecommunications specialist until 2001. He has held roles as Director of the Australian Centre for Security Management and Chief Security Officer and Crisis/Business Continuity Program Manager at Thales Australia-New Zealand, the region’s largest Defence Prime Contractor at the time.

A Certified Practising Risk Manager, Registered Security Professional, member of numerous security working groups and technical committees and designer and author of innumerable security risk management programs, Konrad was the architect and co-founder of SECTARA. He is a company Principal and SECTARA’s Managing Director.

Did you know that the Security Risk Management Aide Memoire (SRMAM) is free to all SECTARA subscribers (yes, even on the free plan)?


[1] Public Company Accounting Oversight Board, “Auditing Standard No. 8,” 15 December 2010. [Online]. Available: https://pcaobus.org/Standards/Archived/PreReorgStandards/Pages/Auditing_Standard_8.aspx. [Accessed 3 June 2020].
[2] Australian Accounting Research Foundation, “Risk Assessments and Internal Controls,” July 2002. [Online]. Available: https://www.auasb.gov.au/admin/file/content102/c3/ASA315_03-20.pdf. [Accessed 3 June 2020].