ELI5: What is Inherent Risk?
Riding a bike without a helmet, knee pads, or brakes is pretty risky. That’s inherent risk — the danger that exists before you add any safety gear. It helps you figure out how much protection you need.
Definition
Inherent risk is the level of risk that exists in a process, system, or activity before any controls are applied. It represents the raw, unmitigated exposure based on the nature of the threat and the organization’s vulnerability to it. Understanding inherent risk helps organizations determine how much effort to invest in controls and how much residual risk will remain after controls are implemented.
Key Details
- Inherent risk = likelihood × impact before controls are considered
- Inherent risk is the starting point for the risk management process; it is assessed before controls are applied
- After controls are applied, the remaining risk is residual risk
- High inherent risk areas require stronger controls; low inherent risk areas may require minimal control investment
- Exam tip: know the sequence: Inherent Risk → apply controls → Residual Risk; risk appetite determines how much residual risk is acceptable
Connections
- Parent: risk-management — inherent risk is the baseline measure before control effectiveness is factored in
- See also: residual-risk
- See also: risk-appetite-vs-risk-tolerance