Dan Roberts recently shared some interesting thoughts on the topic of inherent and residual risk and their relationship with risk appetite.
Please click on the link above and come back here for a discussion.
Dan writes the piece for the internal auditor, but his comments are relevant for all of us.
I am going to quibble with his definitions of inherent and residual risk. I prefer to consider inherent risk as the level of risk should controls fail, and residual risk as the level of risk assuming that controls are working consistently as designed.
In practice, I prefer to talk about the latter as simply the level of risk. (Of course, I prefer not to use the “r” word at all!)
One useful byproduct of assessing both levels of risk is that the delta between the two represents the effect of internal controls. Hopefully, this is more than their cost!
I am not going to argue here about risk appetite and whether it is a practical and useful concept.
Instead, I suggest that we look at Dan’s underlying point.
We should be striving to take the right level of the right risks by making informed and intelligent decisions.
It’s less about the absolute level of risk and more about whether we are taking the level of risk that is right for the business, for the achievement of objectives. Dan refers to this as the “target” risk position[1].
We should not only be asking whether we are taking risk above desired levels, but also whether we are taking enough risk to succeed.
Are we unnecessarily risk averse? That can cripple an organization in many ways, including slowing agility and decision-making as well as failing to take advantage of opportunities.
In an ideal world (to borrow that phrase from Dan), every decision-maker knows:
- The objectives of the enterprise
- How his or her decisions and taking of risk will affect the achievement of those objectives
- Whether he or she can make risk decisions alone or needs to involve others
- How to take the desired level of risk to achieve enterprise objectives
I agree with Dan that internal audit should provide assurance that management has the processes and capabilities in place to take the right level of risk – and that simply affirming the assessment of risk is insufficient.
I welcome your thoughts.
[1] By the way, internal audit should question whether the target risk position and/or risk appetite statements are right for the business and the achievement of its objectives.