The International Organization for Standardization (ISO) has developed ISO 31000, its risk management standard, to give organisations an international reference for assessing and managing risk in their business processes. ISO states on its website that “ISO 31000 provides a level of reassurance in terms of economic resilience, professional reputation and environmental and safety outcomes” and that, “in a world of uncertainty”, ISO 31000 is tailor-made for any organisation seeking clear guidance on risk management.
Understanding the different kinds of risk is a significant part of risk management. To be compliant and meet regulatory requirements, your organisation needs to carry out risk analysis and understand both inherent risk and residual risk, so that you can implement appropriate controls (for example, security controls) and avoid making the wrong decisions when addressing and mitigating these risks.
By the end of this article, you will be equipped with knowledge on:
- Residual risk
- How do you find residual risk?
- Who is responsible for residual risk?
- What is an inherent risk?
- The difference between the residual and inherent risk?
- Examples of inherent and residual risk in real life
- Tips for mitigating both types of risk
- What is an example of residual risk?
What is a residual risk?
Residual risk is the risk that remains after controls are accounted for; in ISO terminology, it is the risk remaining after risk treatment.
The controls will have eliminated or reduced part of the total risk compared with the position before any such measures were implemented, but they rarely remove it entirely.
HOW DO YOU IDENTIFY RESIDUAL RISK?
To identify residual risk, you must first understand the difference between inherent risk and residual risk.
Once you know the inherent risk and have determined the control measures that address it, the risk that is left over is the residual risk.
This is often illustrated with the residual risk formula below:
Residual risk = Inherent risk – Control measures used
The subtraction is conceptual rather than arithmetic: a control lowers the likelihood and/or the impact of the risk by some proportion, so the residual risk can approach zero but never becomes negative, and a control that is poorly implemented or not operating lowers it less than its design suggests.
For example, consider the risk of being involved in a car accident where the cost of repairing the damage can be as high as $10,000. This is the inherent risk, in the absence of any controls.
If you purchase motor insurance (your risk control), the insurance company may cover 90% of the repair cost.
The residual risk is then 10%, or $1,000, which you would still have to pay out of your own pocket. Note that the insurance changes only the financial impact; it does nothing to reduce the likelihood of the accident itself.
WHO IS RESPONSIBLE FOR RESIDUAL RISK?
In the ISO 9001:2015 Quality Management System (QMS) standard, clause 6.1.2 requires the organisation to plan actions to address risks and to integrate and implement these actions into its QMS processes. (Cited from https://www.iso.org/standard/70397.html)
Similarly, clause 5.2 of ISO 31000:2018 states that top management should ensure that “risk management is integrated into all organisational activities and should demonstrate leadership and commitment”. (Cited from https://www.iso.org/iso-31000-risk-management.html)
In other words, your organisation and its leadership are responsible for residual risk. They must carry out risk analysis to identify the risks the organisation is exposed to, assess them, select and implement mitigating actions that avoid, reduce or transfer the inherent risk, and then consciously manage whatever residual risk remains.
What is an inherent risk?
Inherent risk is the initial risk that exists before any control is applied to address it or reduce its impact. It is the level of risk an activity carries on its own, which is what the organisation faces if it has no controls over that operation.
The difference between the residual and inherent risk
Inherent risk and residual risk are closely related in risk management. Inherent risk refers to the level of risk in the absence of any controls or actions implemented to address it or reduce its impact, i.e. the raw risk.
Although controls may remove certain risks outright, in most cases it is difficult, and sometimes impossible, to eliminate all risk despite the controls and precautionary measures taken to prevent the outcome or impact.
The risk that remains is what we call residual risk: it still exists after attempts have been made to remove, lower or reduce the inherent risk. The graphic of a strainer (representing the controls) illustrates the difference: the inherent risk goes in at the top, and what passes through is the residual risk.
Examples of inherent and residual risk in real life
When driving a car on the road, the inherent risk is that you can hit a pedestrian or another car, damage your vehicle, or cause injury to yourself and/or someone else.
The control measures that can be introduced include built-in warning systems and safety features such as airbags and seat belts.
Despite these control measures, the residual risk of an accident, and of its impact, still exists.
Fortunately, with the control measures in place, the residual risk of an accident is not as severe as before.
Tips for mitigating both types of risk
To mitigate inherent risks, there are generally five recommendations you can consider:
AVOID IT BY NOT GOING AHEAD WITH THE ACTION.
For example, a person feels that driving a car is too risky and decides not to drive but to take a taxi instead. In such a case, he is avoiding the risk of driving while finding an alternative way to get to his destination.
ACCEPT IT IF THE RISK IS BELOW THE LEVEL THAT CAN BE TOLERATED.
In the above example, the person is aware of the risk. Still, if he thinks the likelihood of getting into an accident is low, he will proceed to drive the car as it is an acceptable risk to him.
CONTROL IT BY IMPLEMENTING ADDITIONAL MEASURES TO ADDRESS THE RISK.
A person can control the risk by staying alert while driving and by keeping the brakes in good working condition. These additional controls act on the likelihood of an accident and so lower both the inherent and the residual risk.
REDUCE IT BY LOWERING THE RISK TO A TOLERABLE OR ACCEPTABLE LEVEL.
To lower the risk of being seriously injured in a car accident, a person can ensure the car has safety airbags, and his seat belt is secured during driving. This will likely help to reduce the possibility of getting seriously injured in the event of an accident to an acceptable level.
TRANSFER IT TO A THIRD PARTY.
A person can also purchase motor insurance to transfer the risk of high repair costs and medical expenses to the Insurance Company if an accident occurs.
To mitigate residual risk, you can apply the same approaches as for inherent risk, i.e. avoiding, accepting, reducing or transferring the risk. The difference is that the decision is now made against the risk that remains after the existing controls, and against the level of risk the organisation is prepared to tolerate.
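The following is an added worked example, not code from the original article or from Stendard. It puts the residual risk formula from the "How do you identify residual risk?" section and the five treatment options above into a small risk register: each risk is scored on a 1 to 5 likelihood and 1 to 5 impact scale, each control removes a fraction of the likelihood and/or the impact (so "inherent minus controls" is a proportional reduction, never a literal subtraction below zero), and the residual score is compared against an assumed tolerance to choose a treatment. The register entries, control effectiveness figures, scale and tolerance are all constructed assumptions for illustration, not measured values.

```python
"""Inherent vs. residual risk scoring for a small risk register.

Added example (not from the original article). Scores use a 1-5 likelihood
x 1-5 impact scale; each control removes a fraction of the likelihood
and/or the impact; the residual score is compared against a tolerance
(risk appetite) to pick a treatment. All figures below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction of likelihood removed, 0..1
    impact_reduction: float = 0.0      # fraction of impact removed, 0..1

    def __post_init__(self) -> None:
        # A control cannot remove more than 100% of a risk. This is why the
        # "inherent - controls" formula is proportional, not arithmetic.
        for value in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: reduction must be in [0, 1]")


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), before any control
    impact: int      # 1 (negligible) .. 5 (severe), before any control
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def inherent_score(self) -> float:
        """Raw risk: likelihood x impact with no controls applied."""
        return float(self.likelihood * self.impact)

    def residual_factors(self) -> Tuple[float, float]:
        """Likelihood and impact after every control has been applied."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for control in self.controls:
            likelihood *= 1.0 - control.likelihood_reduction
            impact *= 1.0 - control.impact_reduction
        return likelihood, impact

    def residual_score(self) -> float:
        likelihood, impact = self.residual_factors()
        return likelihood * impact


def recommend_treatment(risk: Risk, tolerance: float) -> str:
    """Map the residual risk onto the article's treatment options."""
    likelihood, impact = risk.residual_factors()
    if likelihood * impact <= tolerance:
        return "accept"      # within appetite: monitor, no further action
    if impact >= 4.0 and likelihood <= 1.5:
        return "transfer"    # rare but severe: insurance or contractual transfer
    if likelihood >= 4.0:
        return "avoid"       # still likely despite controls: stop the activity
    return "reduce"          # add or strengthen controls and re-assess


def assess_register(risks: List[Risk], tolerance: float) -> List[Dict[str, object]]:
    """One report row per risk: inherent score, residual score, treatment."""
    return [
        {
            "risk": r.name,
            "inherent": r.inherent_score(),
            "residual": round(r.residual_score(), 2),
            "treatment": recommend_treatment(r, tolerance),
        }
        for r in risks
    ]


# Constructed register; effectiveness figures are assumptions, not measurements.
MFA = Control("MFA on all accounts", likelihood_reduction=0.9)
TRAINING = Control("Phishing awareness training", likelihood_reduction=0.3)
EDR = Control("EDR on file servers", likelihood_reduction=0.5)
BACKUPS = Control("Offline, tested backups", impact_reduction=0.6)
DB_ENCRYPTION = Control("Encryption at rest", impact_reduction=0.2)

REGISTER = [
    Risk("Phishing leads to account takeover", 5, 3, [MFA, TRAINING]),
    Risk("Ransomware on file server", 3, 5, [EDR, BACKUPS]),
    Risk("Data centre fire", 1, 5, []),
    Risk("Storing full card numbers in app database", 4, 5, [DB_ENCRYPTION]),
]
TOLERANCE = 2.0  # assumed risk appetite: a residual score of 2 or below is accepted

if __name__ == "__main__":
    for row in assess_register(REGISTER, TOLERANCE):
        print(f"{row['risk']:<45} inherent={row['inherent']:>5} "
              f"residual={row['residual']:>6}  -> {row['treatment']}")
```

The ordering of the rules in `recommend_treatment` is the design choice worth noting: acceptance is tested first against the tolerance, transfer is reserved for risks that remain severe but unlikely (the insurance case from the car example), and avoidance is chosen when the activity is still likely to go wrong even after the controls that exist, which is the signal that no realistic control will bring it within appetite.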
What is an example of residual risk?
An example of residual risk is the possibility of still becoming infected with the COVID-19 virus despite the measures implemented to mitigate the risk, such as avoiding public and crowded places, washing your hands frequently and wearing a mask. Experience has shown that these control measures reduce, but do not completely eliminate, the risk of infection.
The ISO 31000:2018 is an important standard that helps your organisation to manage risk. To assess and manage your organisation’s risk profile, you will need to understand and know the difference between inherent and residual risk. This will allow you to determine the appropriate controls you can take to address the inherent risk and the impact of the residual risk.
Stendard can help your organisation by providing risk management system consulting services with experienced ISO consultants in various industries. If you have any questions, please feel free to drop us an inquiry.
At Stendard, we believe that quality is everyone’s business because it takes a team to consistently deliver and uphold excellent standards that build confidence with customers, partners and the community. We are a competent group of experts who can provide consultancy support and advice on using technological platforms for your company through this journey.
If you have any enquiries, do contact us for more information!