Inherent risk

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Inherent risk, in Risk management, is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.[1][2] Another definition is that inherent risk is the current risk level given the existing set of controls, which may be incomplete or less than ideal, rather than an absence of any controls.[3][4]

One of the main arguments against the use of inherent risk as a concept is the perceived difficulty in determining its level. Where the inherent risk can be assessed, it assists in identifying which controls are key.[5]

See also[edit]

References[edit]

  1. ^ Gregory Monahan (2008). Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. John Wiley & Sons.
  2. ^ Rachel Slabotsky (7 September 2017). "Inherent Risk vs. Residual Risk Explained in 90 Seconds". www.fairinstitute.org. FAIR Institute. Retrieved 10 October 2018. Inherent risk represents the amount of risk that exists in the absence of controls.
  3. ^ Rachel Slabotsky (7 September 2017). "Inherent Risk vs. Residual Risk Explained in 90 Seconds". www.fairinstitute.org. FAIR Institute. Retrieved 10 October 2018. Inherent risk is current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.
  4. ^ Jack Jones. Measuring and Managing Information Risk: A FAIR Approach. FAIR Institute.
  5. ^ Tattam, David. "Inherent Risk – Is it useful?". Protecht Risk Management Insights. Retrieved 2017-05-01.