This post expands on an article I wrote in 2010 for a blog called Risk 101 – Complexity risk management. The reason I dug it out from under the dust and decided to revisit it was a discussion during a class I taught this week. Some of the concepts have been adapted to align with my current thinking.
The challenges of “inherent” risk
Although I have tried for years, it remains difficult to thoroughly explain inherent risk to someone who is new to risk management. The theoretical aspects are easy, but once you get into the nitty-gritty of how to actually determine “inherent” risk, most conceptual explanations leave you hanging.
The crux of the matter is whether we consider it possible or feasible to let people determine their exposure to risk without taking into account the current level of controls present in the processes they manage or are involved in. The problem? This is a lot harder than it seems. The assessors need to be able to ignore everything they know about the existing controls in their current process.
To illustrate: this is like asking you to assess the safety level of your car while ignoring all the traditional, existing safety measures such as power brakes, airbags, power steering …
The more I work in risk management, the more I teach risk management and the more I interact with people charged with implementing risk management, the more I wonder whether we should not forget about the theoretical notion of inherent risk and focus on what the people responsible for risk management know best: their actual situation. I am convinced good risk management needs to start from the actual situation in terms of risk management measures or controls, without necessarily questioning everything that has gone before.
Presenting risk in a matrix with residual risk on one axis actually makes a lot of sense, for a number of reasons. Let’s consider the presentation of such a matrix with residual risk.
Visualizing risk management effort
A traditional risk control matrix visualizes the current level of inherent risk, a function of impact and probability of occurrence during a certain time interval, assessed without taking the existing controls into account, on one axis, often the vertical one. The current level of risk management (sometimes also referred to as the current level of internal control, although that ignores risk mitigation other than internal controls) is then shown on the other, most often horizontal, axis. The result is a matrix where inherent risk and current level of control are two independent variables which together present the risk profile of an organization.
However, as stated above, while theoretically enticing, in reality it is not that easy to assess inherent risk levels. Risk management, and especially qualitative risk assessments, are by nature subjective. Asking people to abstract away aspects that are inherent to their experience of a process introduces a bias that is likely to skew the entire exercise to the point of making it unusable or irrelevant.
But what happens if we were to assess not inherent, but residual risk? What if we ask the participants to assess the level of risk (as a function of impact and probability) as they currently see and experience it?
Mapping the current level of risk management or the current level of internal control then becomes irrelevant, because it has already been taken into account. That is exactly where the difference between inherent and residual risk lies. What can we do next? I believe there are a number of possibilities, two of which are not useful or not feasible, and one which is interesting to examine further. Let me take you through the first two first.
Back to the traditional risk matrix
Given we don’t really ‘need’ the current level of control axis, we could consider going back to the traditional risk matrix, presenting impact and probability of occurrence on the two axes. However, if we were to do that, we would again run into all the problems that pushed us to leave this traditional presentation in the first place. Longitudinal presentation of risk profile evolutions would become a mess very fast. We would create the illusion that impact and probability are equally important in all circumstances, and we would fail to show that tolerances are individual to each risk (or, more correctly, to each objective and hence to each risk influencing this objective).
‘Calculating’ inherent risk
We could try to calculate the inherent risk level based on the information about residual risk and the current level of risk management. The problem there is that you would be performing calculations with figures determined in assessments which are not equally calibrated. You would be using ‘quantitative’ data, such as numbers representing a level of impact, likelihood and current control level, which are ordinal ratings on differently calibrated scales and therefore cannot be combined in calculations. In essence, you would be comparing apples and pears.
Risk management effort as a relevant metric
We could instead determine, in a rather objective manner, the ‘investment’ made in dealing with a risk. I like to refer to this as risk management effort or internal control effort.
It is a function of the means, in terms of people, processes and technology, which an organization has invested in order to bring a risk under control. Note that we do not assess the effect of this investment; that is essentially what we did when mapping the current level of risk management. We map the actual or perceived effort, either based on hard, tangible information provided by the organization under assessment, or as assessed by the people performing the assessment. Of course I have a marked preference for the first method. If completeness of the direct cost information can be assured and a reasonable approximation of indirect cost elements can be agreed upon, this is a reasonably objective measure.
Introducing the Risk Effort Matrix (REM)
And what does the REM look like? It is a two-by-two matrix with residual risk (high or low) on one axis and risk management effort (high or low) on the other, giving four quadrants: I (high residual risk, high effort), II (high residual risk, low effort), III (low residual risk, high effort) and IV (low residual risk, low effort).
Let’s examine this matrix in a bit more detail:
Just like in the risk control matrix (RCM), we retain the quadrants, but their content, and thus the roles and responsibilities attached to them, have fundamentally changed.
Quadrant I – What has gone wrong?
Quadrant I shows a high residual risk despite a high level of effort. What does that tell us? We invested a lot in order to reduce a risk exposure, but apparently it is not making much difference. This is an area where the existing management action plans which gave rise to the investment need to be thoroughly examined. Internal audit can contribute by executing effectiveness audits, in order to determine whether the effectiveness issue is an external one (the risk driver lies outside the organization’s control) or an internal one. In the former situation, no matter what would be done, the residual risk would remain high. In the latter, the investment in risk reduction was likely not the most appropriate, and money was lost in suboptimal developments. This could for example be the case if the analysis lacked the necessary cost/benefit analysis.
Quadrant II – The future effort area
Quadrant II is the area where the residual risk is high, but in which to date little effort has been made to manage this risk. This is an area where new management action plans need to be developed, based on a sound cost/benefit analysis, in order to determine and ideally implement the optimal manner of managing the risk.
Quadrant III – Assurance and potential cost savings
Quadrant III is the area where the residual risk is low, aided by a significant effort in people, processes and technology. Management has invested, and it appears to pay off. The question remains whether it truly has. In this area, internal audit needs to execute its assurance task, giving comfort to management that the risk has indeed been reduced to its optimal level. In a number of cases, internal audit may conclude that too much effort was put into managing the risk, and that a reduction of that effort will not significantly influence the risk in a negative way. This area of potential risk management overkill may become an area of significant cost savings for the organization.
Quadrant IV – Monitoring required
Low residual risk in an area of low effort requires watching and monitoring. It may well be that no problems will occur here … but it is entirely possible that risks are waiting here to migrate to quadrant II. Management needs to ensure monitoring, and internal audit can assess the quality and relevance of that monitoring.
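To make the REM concrete, here is a small classifier that places risks from a register into the four quadrants. This is an added example and not code from the original post: the rating scale, the high/low thresholds, the indirect-cost markup and the sample register are all assumptions. Two points from the text are built in: residual risk is used exactly as it was rated (it is never derived from effort or any other scale, since the scales are not calibrated against each other), and a risk whose direct-cost information is incomplete is refused rather than scored, because a partial figure would read as “low effort” and silently push the risk into quadrant II or IV.

```python
"""Risk Effort Matrix (REM) classifier. Added illustration; thresholds,
scale and sample data are assumptions, not figures from the original post."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tolerances. A real exercise sets these per objective, not globally.
RESIDUAL_HIGH = 3          # ratings >= 3 on an assumed 1..5 scale are "high"
EFFORT_HIGH = 50_000.0     # annual cost (one currency unit) >= this is "high"

QUADRANT_ACTIONS = {
    "I":   "investigate effectiveness: high effort, residual risk still high",
    "II":  "develop new action plans after a cost/benefit analysis",
    "III": "assurance review; candidate for effort reduction / cost saving",
    "IV":  "monitor for changes that would move the risk to quadrant II",
}


@dataclass(frozen=True)
class Risk:
    name: str
    residual_rating: int               # as assessed, 1 (low) .. 5 (high)
    people_cost: Optional[float]       # direct costs; None = not provided
    process_cost: Optional[float]
    technology_cost: Optional[float]
    indirect_factor: float = 0.0       # agreed markup for indirect costs


def effort(risk: Risk) -> float:
    """Direct cost across people, process and technology, plus the agreed
    approximation of indirect cost. Raises if any direct figure is missing."""
    parts = (risk.people_cost, risk.process_cost, risk.technology_cost)
    if any(p is None for p in parts):
        raise ValueError(f"{risk.name}: direct cost information is incomplete")
    direct = float(sum(parts))
    return direct * (1.0 + risk.indirect_factor)


def quadrant(risk: Risk) -> str:
    """Map the risk to REM quadrant I..IV. The residual rating is compared to
    its own tolerance only; it is never multiplied or added to the effort."""
    if not 1 <= risk.residual_rating <= 5:
        raise ValueError(f"{risk.name}: rating outside the assumed 1..5 scale")
    high_risk = risk.residual_rating >= RESIDUAL_HIGH
    high_effort = effort(risk) >= EFFORT_HIGH
    if high_risk and high_effort:
        return "I"
    if high_risk:
        return "II"
    if high_effort:
        return "III"
    return "IV"


def build_rem(risks: List[Risk]) -> Dict[str, List[str]]:
    """Group a register into the four quadrants, preserving input order."""
    rem: Dict[str, List[str]] = {q: [] for q in QUADRANT_ACTIONS}
    for r in risks:
        rem[quadrant(r)].append(r.name)
    return rem


# Constructed sample register (illustrative figures only).
SAMPLE_REGISTER = [
    Risk("unauthorised change to production", 4, 30_000, 15_000, 20_000, 0.25),
    Risk("supplier data breach", 4, 2_000, 1_000, 0, 0.25),
    Risk("payroll miscalculation", 1, 25_000, 10_000, 30_000, 0.0),
    Risk("office printer outage", 1, 500, 0, 1_000, 0.0),
]

if __name__ == "__main__":
    for q, names in build_rem(SAMPLE_REGISTER).items():
        print(f"Quadrant {q}: {QUADRANT_ACTIONS[q]} -> {names}")
```

Running the register as written places the production-change risk in quadrant I (81,250 of effort, rating 4), the supplier breach in II, payroll in III and the printer in IV. Tracking the same register over successive assessments gives the longitudinal view the post argues for: a risk that moves from II to I after an investment is a candidate for an effectiveness audit, one that moves from III to IV after effort was trimmed confirms the saving was safe.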