
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 Minutes Read September 26, 2018

Talking about inherent and residual risk

Dan Roberts recently shared some interesting thoughts on the topic of inherent and residual risk and their relationship with risk appetite.
Please click on the link above and come back here for a discussion.
Dan writes the piece for the internal auditor, but his comments are relevant for all of us.
I am going to quibble with his definitions of inherent and residual risk. I prefer to consider inherent risk as the level of risk should controls fail, and residual risk as the level of risk assuming that controls are working consistently as designed.
In practice, I prefer to talk about the latter as simply the level of risk. (Of course, I prefer not to use the “r” word at all!)
One useful byproduct of assessing both levels of risk is that the delta between the two represents the effect of internal controls. Hopefully, this is more than their cost!
I am not going to argue here about risk appetite and whether it is a practical and useful concept.
Instead, I suggest that we look at Dan’s underlying point.
We should be striving to take the right level of the right risks by making informed and intelligent decisions.
It’s less about the absolute level of risk and more about whether we are taking the level of risk that is right for the business, for the achievement of objectives. Dan refers to this as the “target” risk position[1].
We should be asking not only whether we are taking risk above desired levels, but also whether we are taking enough risk to succeed.
Are we unnecessarily risk averse? That can cripple an organization in many ways, including slowing agility and decision-making as well as failing to take advantage of opportunities.
In an ideal world (to borrow that phrase from Dan), every decision-maker knows:

  • The objectives of the enterprise
  • How his or her decisions and taking of risk will affect the achievement of those objectives
  • Whether he or she can make risk decisions themselves or needs to involve others
  • How to take the desired level of risk to achieve enterprise objectives

I agree with Dan that internal audit should provide assurance that management has the processes and capabilities in place to take the right level of risk – and that simply affirming the assessment of risk is insufficient.
I welcome your thoughts.


[1] By the way, internal audit should question whether the target risk position and/or risk appetite statements are right for the business and the achievement of its objectives.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.