Understanding Inherent vs. Residual Risk in Business Continuity

Published on December 01, 2020

In the uncertain and often fierce world of business and commerce, a single mistake can result in bankruptcy or set a company back years. The business world is fraught with risks, and companies that do not learn how to manage them properly will struggle to survive over the long haul.

Statistically, 50% of businesses go bankrupt in their first 10 years, so you need every protection possible to maintain your competitive edge. Understanding what risk is forms a vital part of this equation.

Planning for sudden shifts in demand, anticipating disruptions in value chains and securing alternative supply chains are all vital tasks for many businesses. All of these tasks depend on understanding risk and implementing a proper mitigation plan to ensure business continuity. It is far from an easy or straightforward task, and to do the topic justice we would probably need to fill an entire book. That is why this article focuses on one single, yet crucial, aspect of risk management: inherent and residual risk. What are they? How are they useful? And how can understanding these two concepts help you manage risk more effectively? Let us dive straight in.

Inherent and Residual Risk: Basic Definitions

There are two main ways in which you can think about risk within a business: inherent and residual. Here is a quick one-sentence definition of each to help you understand the difference:

  • Inherent Risk is the amount of risk your business faces naturally
  • Residual Risk is the remaining risk to your business after you have accounted for your inherent risk

Let us take a deeper look at these two definitions and give you some examples to help solidify their meaning.

Inherent Risk

One view of inherent risk focuses on the danger your business faces without any containment or risk management techniques. More often than not, however, controls (things we do that reduce the likelihood and/or impact of an event exposing the risk) are already in place. Some risk managers advocate ignoring the existing controls when measuring the risk, i.e. measuring raw inherent risk. Others argue that it is counterintuitive to ignore the current controls, because they are part of the real world of the risk: if you ignore the current controls, then of course the risk is more likely to be high. They would rather work from the perspective of how to improve the current controls to reduce the likelihood and/or impact.

When trying to calculate the inherent risk of a bad event, you should try to decouple the risk from all the internal business processes and look at it in a vacuum.

Imagine the risk of a supply chain from China breaking down and forcing you to buy some materials at twice the normal price. Normally, in your day-to-day business operations, you might have already taken some steps to reduce the chances of this happening (current controls). You may have increased your spare stockpile of this material. You may even have bought shipment insurance to protect yourself. These are all facts related to your business, and when you are calculating inherent risk you need to either discard them all (if you are a proponent of raw inherent risk) or include them as current controls. Either way you will be right; it's a philosophy, not an ideology.

Residual Risk

Residual risk is the risk to your business that remains after you take all relevant precautions and design detailed mitigation and recovery plans. Even though these precautions and plans will significantly reduce the risks involved, there will always be some lingering risk that you will have to take into account: this is called residual risk.

To continue our example, most businesses have some plan in place to deal with supply chain disruptions: stockpiling, having alternatives on hand, shipment insurance, etc. If you want to calculate the residual risk of supply chain disruptions harming business continuity management and eating into your profit margins, you need to consider the mitigation plan. This means residual risk is always equal to or smaller than the inherent risk.

How Can These Concepts Help You Manage Risk Better?

Learning about the differences between residual and inherent risk, calculating them for various situations and coming up with different scenarios will improve your business continuity management, allow you to manage risk more effectively and give you a more long-term view of your operations.

It Allows for More Effective Risk Management

Getting into the habit of analysing the level of risk of an event, considering all the eventualities, and then figuring out the residual risk after your mitigation plan is considered allows you to easily calculate the effectiveness of your management plan in ensuring business continuity.

Although the calculations are far from straightforward, simply getting into the mindset of thinking about risks in terms of inherent and residual will let you focus on management better and force you to think about the amount of risk you can mitigate. All of this results in a much more effective management approach.

It Helps You Compare Different Approaches

How do you choose between different risk management approaches? This is one of the core questions that you need to constantly ask yourself. By thinking about the inherent risk and then running through all the different approaches and their residual risk, you'll be able to compare and contrast different management approaches easily. This gives you a relatively straightforward way of turning risk management questions into mathematical and logical questions that you can answer more easily. I personally like to consider the Value at Risk (VAR). In simple terms, most executives find it difficult to comprehend the abstraction of probability, and therefore some tend to have a higher level of risk acceptance than is appropriate to their organisation. What all executives understand is CASH. Utilising the VAR approach focuses attention on the spend needed to reduce risk, i.e. if I spend cash to reduce a risk, how much will that reduce my residual cash at risk? Calculating the frequency is helpful: if you can state that the risk will materialise as a one-in-five, ten or fifteen-year event, then you will have a solid basis for the cost to mitigate the risk. The cream on top of all of this is "upside risk": if I can attribute an upside benefit to my risk mitigation (win more business, gain reputational advantage etc.), then it's a win-win.

It Helps You Avoid Risk Management Plans That Are Too Costly

Paradoxically, you don't always want to minimize risk. This is something that you must understand in order to design effective mitigation and recovery plans. There are always trade-offs.

Imagine this: there's a minuscule chance of supply chain disruption for one of your main products that might halt the operation of your business and impact its continuity. Having an alternative supply chain will reduce the risks, and it won't cost much. You could also further reduce the risks by having a large stock of said item to create a buffer against any supply shocks. However, how much would the storage and maintenance of these items cost? Likely a hefty amount. You might make more profit in the long run by accepting a larger chance of being exposed to supply shocks than by reducing the risk further.
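The comparison described under "It Helps You Compare Different Approaches" and the trade-off in the paragraph above, worked through as an added example that is not part of the original article. It assumes cash at risk is estimated as loss per event divided by the return period in years, and that each control scales likelihood or impact by a fixed factor; every figure, control and name in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # cash spent per year to run the control
    likelihood_factor: float  # multiplies event frequency (1.0 = no effect)
    impact_factor: float      # multiplies loss per event (1.0 = no effect)

def annual_cash_at_risk(loss_per_event, return_period_years, controls=()):
    """Expected yearly loss from a one-in-N-year event, after the given controls."""
    frequency = 1.0 / return_period_years
    loss = loss_per_event
    for c in controls:
        frequency *= c.likelihood_factor
        loss *= c.impact_factor
    return round(frequency * loss, 2)

def compare(loss_per_event, return_period_years, approaches):
    """Rank approaches by total annual cost: residual cash at risk plus control spend."""
    inherent = annual_cash_at_risk(loss_per_event, return_period_years)  # raw, no controls
    rows = []
    for label, controls in approaches.items():
        residual = annual_cash_at_risk(loss_per_event, return_period_years, controls)
        spend = sum(c.annual_cost for c in controls)
        rows.append({"approach": label, "inherent": inherent, "residual": residual,
                     "spend": spend, "total": residual + spend,
                     "net_benefit": inherent - residual - spend})
    return sorted(rows, key=lambda r: r["total"])

# Constructed figures for the supply chain example; none come from the article.
LOSS_PER_EVENT = 2_000_000   # cost of one disruption
RETURN_PERIOD = 10           # a one-in-ten-year event
ALT_SUPPLIER = Control("alternative supplier", 15_000, 0.4, 1.0)
STOCKPILE = Control("large stockpile", 120_000, 1.0, 0.3)
APPROACHES = {
    "accept the risk": (),
    "alternative supplier": (ALT_SUPPLIER,),
    "large stockpile": (STOCKPILE,),
    "alternative supplier + stockpile": (ALT_SUPPLIER, STOCKPILE),
}

if __name__ == "__main__":
    for r in compare(LOSS_PER_EVENT, RETURN_PERIOD, APPROACHES):
        print(f"{r['approach']:34} residual={r['residual']:>9,.0f} "
              f"spend={r['spend']:>8,.0f} total={r['total']:>9,.0f}")
```

With these constructed figures the alternative supplier alone has the lowest total annual cost, while adding the stockpile gives the lowest residual risk at a higher overall cost.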

Thinking in terms of inherent and residual risk helps you understand that there is always some risk that you need to deal with, and it helps you make better decisions and design a better business continuity program.