Inherent risk refers to the threats that exist without being mitigated or controlled. Every company faces inherent risk before they implement strategies and controls. It is determined by the industry, size and operations of the company. Inherent risk may be difficult to calculate and the source of it needs to be ascertained before trying to determine what its likelihood and impact are. Risk management could assist in measuring inherent risk and create strategies to mitigate it. These will minimise the negative consequences the organisation could potentially suffer due to the absence of internal controls.

Inherent risk is the risk that comes along with any business activity. A business will try to control its risks, but this is never a perfect process and comes with its own risks. Residual risk exists because even an excellent risk management program can only minimise, and not always eliminate, most risks. Control risks are the risk that poor controls will be implemented and will not actually minimise the risks they are meant to control. Meanwhile, detection risk is the risk that audits and other control measures will fail to detect the risk at all. Businesses sometimes confuse inherent risk with control risk and residual risk.

How could inherent risk grow?

Inherent risk could grow if controls are in place but are ineffective. A heavily regulated industry could carry a higher level of risk. Complex business operations, transactions and partnerships with third parties could potentially increase inherent risk as well. Poor management leads to worse decision-making and many oversights within a business. This leaves the company vulnerable to threats and subsequently increases human error. It may be that a manager or employee forgot to record a transaction that was made, therefore creating misleading information in financial statements.

New transactions and the introduction of new products and services also carry risk. Businesses need to be aware that situations that require a lot of analysis could create more threats for the business as employees need to make many knowledge-based decisions. Inherent risk thrives in situations where uncertainty is high. For example, when managers make decisions based on assumptions or personal judgement, the room for error is bigger than when decisions are made based on figures and facts.

Those are only scenarios that can contribute to the probability of inherent risk existing. The likelihood and impact of different situations are hard to measure as multiple considerations need to be taken into account. For example, the motivation an individual has to commit fraud. So while the inherent risk increases, it is hard to tell by how much.

Inherent Risk vs Residual Risk

Companies do not want inherent risk to remain untreated. The risk management plan they have in place is created in order to help the business achieve its goals and succeed. During that process, strategies are implemented after risks have been identified, assessed and analysed. The controls that are introduced by the organisation lead to residual risk. Residual risk is the result of the actions employers take to manage inherent risk. Once measures are in place, inherent risk becomes a controlled risk. However, residual risk is still present because most control measures have flaws.

For example, if there is a threat of a cybercrime, companies may set up a firewall, back up their data and implement policies that encourage compliance with security laws. However, the risk that the cybercrime will succeed is what we refer to as residual risk. Risk is rarely eliminated. It always exists one way or another. Businesses need to recognise that there are few scenarios where they can get rid of risk completely. Most of the time they have to accept it, minimise it or transfer it.

An easy way to present residual risk would be:

Inherent Risk + Internal Controls = Residual risk

This formula explains the relationship between the two concepts in simple terms.

inherent risk

Difference between inherent risk and control risk

Businesses need to remember that inherent risk exists when internal controls do not. Control risk exists even when strategies are in place but are poorly designed. Control risk refers to the company failing to mitigate, identify or assess a risk due to ineffective internal controls. It is present when the measures are failing to manage the risk they were created for. Ineffective controls usually occur because managers underestimate and misjudge the severity of a threat. They could also occur if the management implements lower quality controls due to cost constraints and a lack of risk-aware culture. 

 An example of control risk can be the exposure of a company to external threats. If a company decided to mitigate the risk of outsiders entering the company they might give employees an ID card so they can only access the facilities if they have the card. However, the company may not stress the importance of storing the card securely and reporting it missing if it is lost. This could give the opportunity to individuals who do not work at the company to enter the premises and access confidential information. Flaws in control measures could result in a situation like the Optus data breach

The relationship between inherent risk and detection risk

Inherent risk is hard to assess. It might not be detected by the company and could go unnoticed until it materialises. During an audit, detection risk describes the probability that an error will not be identified in a financial statement. In other scenarios, it is simply the possibility that a worker will not be able to identify a risk that could affect a business.

While inherent risk could thrive due to internal and external sources, detection risk solely relies on the skills of the employee. The possibility of detection risk depends on the skills of the worker and their experience. It is entirely up to the employee to identify misstatements and come to the right conclusions. Failure to identify errors in a financial statement could lead to misinterpreted results.

Inherent risk, control risk and detection risk are all elements of audit risk. The level of inherent risk and control risk affect the activities that are required to complete an audit successfully. While it is difficult to calculate detection risk, businesses can mitigate it easier with stricter audit procedures.

How to handle inherent risk

If the company does not prioritise its risk management, inherent risk is more likely to increase. Employees and higher management need to communicate to be able to reduce threats and adopt a calculated and consistent approach.  

Polonious can help your business manage inherent risk while improving your company’s productivity. We offer a single hierarchy of risks and treatments that is cross-referenced with assets and online risk assessments that will allow your company to save time while we calculate risk ratings for you. All risks are managed in one place and cases can be easily updated with videos, images and documents that contribute to the final report. Learn more by requesting a demo!