Inherent Risk Controls Residual Risk
Overview
Risk Assessment is very important as it provides the organization with an objective measure to differentiate between low risks and high risks. Risk Identification is an important step but often we end up with hundreds of risks without a clear way of determining which risks are the ones most important. The Risk Assessment methodology below describes how easy2comply meets these challenges.
Easy2comply also offers the ability to perform a quantitative assessment of the risk as well as a Scorecard / Questionnaire approach. These are not dealt with in this methodology paper.
The qualitative methodology is divided into three components:
- Inherent Risk
- Controls
- Residual Risk
The combination of the Inherent Risk value together with the Controls generates a Residual Risk level.
The logic behind this approach is based on AS/NZS 4360 Risk Assessment methodology. It assumes that the Risk has an inherent value or score and that this risk can be assessed under a normal (uncontrolled) environment. A high risk score is not good; a low risk score is good.
When controls are added or linked to the risk, it makes a statement that these controls are assisting in the management of the risk.
Each control has a measure of Effectiveness – this describes how well the control is functioning in the management of the risk. A high measure is good; a low measure is not good.
The residual risk is calculated by querying the number of controls and each of their individual measures, and determining how much of the risk remains in the context of the control assessment. The aim is to bring the residual risk as close to zero as possible.
Inherent Risk – Impact
The Impact describes the level of the impact to the organization should the risk materialize.
The system has a default scale for Impact, which is as follows:
| Category | Score |
|---|---|
| Not Significant | 1 |
| Minor | 2 |
| Moderate | 3 |
| Major | 4 |
| Catastrophic | 5 |
Behind each Impact category lies a score between 1 and 5. A low impact category results in a lower score.
The impact could be linked to different “ideas”. For example, the impact could represent financial impacts, or it could equally represent the impact on achieving a business objective.
The terminology of the Impact categories can be modified for a particular client installation. “Not Significant” could be changed to “$0 – $100”; “Catastrophic” could be changed to “> $1M”.
Inherent Risk – Likelihood
The Likelihood describes how likely the risk is to materialise. You can have a risk with a very large impact, yet the likelihood of it occurring is extremely rare. For this reason, the system allows you to document the likelihood of occurrence.
The system has a default scale for Likelihood, which is as follows:
| Category | Score |
|---|---|
| Rare | 1 |
| Unlikely | 2 |
| Possible | 3 |
| Likely | 4 |
| Almost Certain | 5 |
Behind each Likelihood category lies a score between 1 and 5. A low likelihood category results in a lower score.
The Likelihood is an expression of frequency. If required, the terminology of the Likelihood categories can be modified for a particular client installation. “Rare” could be changed to “Every 10 Years”; “Almost Certain” could be changed to “Daily”.
Inherent Risk Score
The Inherent Risk Score is a simple multiplication of Impact and Likelihood generating a score between 1 and 25.
| Likelihood \ Impact | Not Significant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (1) | 1 | 2 | 3 | 4 | 5 |
| Unlikely (2) | 2 | 4 | 6 | 8 | 10 |
| Possible (3) | 3 | 6 | 9 | 12 | 15 |
| Likely (4) | 4 | 8 | 12 | 16 | 20 |
| Almost Certain (5) | 5 | 10 | 15 | 20 | 25 |
Controls
Each control has two fields that determine its relative importance in the context of managing the risk: Status and Weight.
Control Status
As described above in the introduction, each control has a measure that determines its level of effectiveness. The system expresses this effectiveness as a value between 0% and 100%. A percentage cannot be entered directly; instead, each Status equates to a particular percentage.
Some examples can be found below:
| Control Status | Effectiveness (%) |
|---|---|
| Effective | 100% |
| Partially Effective | 50% |
| Ineffective | 0% |

| Control Status | Effectiveness (%) |
|---|---|
| Red | 100% |
| Amber | 50% |
| Green | 0% |

| Control Status | Effectiveness (%) |
|---|---|
| Effective | 100% |
| Ineffective | 0% |

| Control Status | Effectiveness (%) |
|---|---|
| Fully Implemented | 100% |
| Partially Implemented | 50% |
| Not Started | 0% |
The number of Status options in each set is unlimited, but in general it is between 2 and 5.
The idea behind this is that different controls in different environments may need to be expressed in different terms. Compliance controls may be assessed by their percentage of implementation, whereas Sarbanes-Oxley controls may be binary in approach, i.e. they are either Fully Effective or Ineffective, with nothing in between.
The important thing is that behind these categories exists an equivalent percentage. This ensures that controls can be aggregated no matter the terminology used.
The category of Control Status used is referred to in easy2comply as a Control Index. Control Indexes can be created by an Administrator. Each control can be allocated to a single Control Index for the sake of consistency.
Control Weight
If there is a risk with three controls, the question often arises as to whether the controls all have an equivalent responsibility, or whether some controls are more important than others.
One way to deal with this is to use the Key Control field which provides a visual cue as to which controls are critical and which aren’t. This is useful but is insufficient when determining the relative importance of a large number of controls.
The Control Weight is always defaulted to Medium, but can be changed as follows:
| Weight | Score |
|---|---|
| Minor | 1 |
| Low | 2 |
| Medium | 3 |
| High | 4 |
| Critical | 5 |
Behind the weighting is a score or value that the application uses to calculate an overall weighting.
The weighting only matters when a risk has more than one control and those controls differ in weighting.
If the controls had an equal weighting, and there were four controls, each control would contribute 25%.
To understand the calculation when there is an unequal weighting, we need to look at the following examples.
Example 1
I have four controls. Three are medium, and one is critical.
| Weight | Score | Number of Controls | Combination | Weighting | Weighting (%) | Total |
|---|---|---|---|---|---|---|
| Minor | 1 | | | 1/14 | 7.14% | |
| Low | 2 | | | 2/14 | 14.29% | |
| Medium | 3 | 3 | 9 | 3/14 | 21.43% | 64.29% |
| High | 4 | | | 4/14 | 28.57% | |
| Critical | 5 | 1 | 5 | 5/14 | 35.71% | 35.71% |
| Total | | | 14 | | | 100% |
This means that each of my controls with a Medium weighting now has an adjusted relative value of 21.43%, but my control with a Critical weighting has an adjusted value of 35.71%.
The system now combines the control weighting together with the control status.
Let’s assume we have the following Control Status Index:
| Control Status | Effectiveness (%) |
|---|---|
| Effective | 100% |
| Partially Effective | 50% |
| Ineffective | 0% |
Continuing the example above, where there are four controls:
| Control | Weight | Effectiveness |
|---|---|---|
| Control 1 | Medium | Effective |
| Control 2 | Medium | Effective |
| Control 3 | Medium | Partially Effective |
| Control 4 | Critical | Ineffective |
The Medium controls each have a 21.43% weighting, and the Critical control has a 35.71%.
The Effective controls have 100% effectiveness, the Partially Effective control has 50% effectiveness, and the Ineffective control has 0% effectiveness. Combined together, it looks like this:
| Control | Weight | Weighting (%) | Effectiveness | Effectiveness (%) | Combined |
|---|---|---|---|---|---|
| Control 1 | Medium | 21.43% | Effective | 100% | 21.43% |
| Control 2 | Medium | 21.43% | Effective | 100% | 21.43% |
| Control 3 | Medium | 21.43% | Partially Effective | 50% | 10.72% |
| Control 4 | Critical | 35.71% | Ineffective | 0% | 0% |
| Total Control Overall Effectiveness | | | | | 53.58% |
Example 2
I have six controls. Two are medium, two are high, and two are critical.
| Weight | Score | Number of Controls | Combination | Weighting | Weighting (%) | Total |
|---|---|---|---|---|---|---|
| Minor | 1 | | | 1/24 | 4.17% | |
| Low | 2 | | | 2/24 | 8.33% | |
| Medium | 3 | 2 | 6 | 3/24 | 12.5% | 25% |
| High | 4 | 2 | 8 | 4/24 | 16.67% | 33% |
| Critical | 5 | 2 | 10 | 5/24 | 20.83% | 42% |
| Total | | 6 | 24 | | | 100% |
This means that each of my controls with a Medium weighting now has an adjusted relative value of 12.5%, my controls with a High weighting have an adjusted relative value of 16.67%, and my controls with a Critical weighting have an adjusted value of 20.83%.
The system now combines the control weighting together with the control status.
Let’s assume we have the following Control Status Index:
| Control Status | Effectiveness (%) |
|---|---|
| Effective | 100% |
| Partially Effective | 50% |
| Ineffective | 0% |
Continuing the example above, where there are six controls:
| Control | Weight | Effectiveness |
|---|---|---|
| Control 1 | Medium | Effective |
| Control 2 | Medium | Effective |
| Control 3 | High | Partially Effective |
| Control 4 | High | Ineffective |
| Control 5 | Critical | Partially Effective |
| Control 6 | Critical | Ineffective |
The Medium controls each have a 12.5% weighting, the High controls each have a 16.67% weighting, and the Critical controls have a 20.83% weighting.
The Effective controls have 100% effectiveness, the Partially Effective controls have 50% effectiveness, and the Ineffective controls have 0% effectiveness. Combined together, it looks like this:
| Control | Weight | Weighting (%) | Effectiveness | Effectiveness (%) | Combined |
|---|---|---|---|---|---|
| Control 1 | Medium | 12.5% | Effective | 100% | 12.5% |
| Control 2 | Medium | 12.5% | Effective | 100% | 12.5% |
| Control 3 | High | 16.67% | Partially Effective | 50% | 8.33% |
| Control 4 | High | 16.67% | Ineffective | 0% | 0% |
| Control 5 | Critical | 20.83% | Partially Effective | 50% | 10.42% |
| Control 6 | Critical | 20.83% | Ineffective | 0% | 0% |
| Total Control Overall Effectiveness | | | | | 43.75% |
Residual Risk
As explained in the introduction, there are three components to the Risk Assessment methodology. We have covered the first two already which are the Inherent Risk calculation, and the Controls. The third element is the Residual Risk calculation.
This calculation is performed automatically by the software. It analyses the Inherent Risk score, and the Total Overall Control Effectiveness, and determines the amount of risk remaining.
If the Overall Control Effectiveness is 53.58% as in the first example above, or 43.75% as in the second example above, the remaining risk is 46.42% and 56.25% respectively.
If the Inherent Risk score was 20, then the residual risk score would be 9.28 and 11.25 respectively.
If we put this into a table, it looks like this:
| Risk | Impact | Likelihood | Inherent | Total Overall Control Effectiveness | Calculation | Residual |
|---|---|---|---|---|---|---|
| Risk 1 | 4 | 5 | 20 | 53.58% | 20 * (100% - 53.58%) | 9.28 |
| Risk 1 | 4 | 5 | 20 | 43.75% | 20 * (100% - 43.75%) | 11.25 |
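The weighting, effectiveness and residual calculations from the Controls and Residual Risk sections, carried through end to end as an added Python example (not easy2comply's own code). The function names and the table layout are assumptions; the scales, the Control Index and the two control sets are taken from the paper.

```python
from fractions import Fraction

# Default scales from the paper; category labels and scores are configurable per installation.
IMPACT = {"Not Significant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
WEIGHT = {"Minor": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
# One Control Index from the paper: status label -> effectiveness percentage.
STATUS_INDEX = {"Effective": 100, "Partially Effective": 50, "Ineffective": 0}


def inherent_score(impact: str, likelihood: str) -> int:
    """Inherent Risk Score = Impact score x Likelihood score (1..25 on the default 5x5 matrix)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def control_weightings(controls):
    """Relative weighting of each control: its weight score over the sum of all linked weight scores."""
    total = sum(WEIGHT[weight] for weight, _ in controls)
    return [Fraction(WEIGHT[weight], total) for weight, _ in controls]


def overall_effectiveness(controls, index=STATUS_INDEX):
    """Total Overall Control Effectiveness (%): sum over controls of weighting x status effectiveness.
    A risk with no linked controls has 0% effectiveness, so all of its inherent risk remains."""
    return sum(w * index[status] for w, (_, status) in zip(control_weightings(controls), controls))


def residual_score(inherent: int, effectiveness_pct) -> Fraction:
    """Residual Risk = Inherent x (100% - Total Overall Control Effectiveness)."""
    return Fraction(inherent) * (100 - Fraction(effectiveness_pct)) / 100


def assess(impact, likelihood, controls, index=STATUS_INDEX):
    """Run the full qualitative pipeline; returns (inherent, effectiveness %, residual) as exact fractions."""
    inherent = inherent_score(impact, likelihood)
    effectiveness = overall_effectiveness(controls, index)
    return inherent, effectiveness, residual_score(inherent, effectiveness)


# Constructed inputs reproducing Examples 1 and 2 (Impact Major = 4, Likelihood Almost Certain = 5).
EXAMPLE_1 = [("Medium", "Effective"), ("Medium", "Effective"),
             ("Medium", "Partially Effective"), ("Critical", "Ineffective")]
EXAMPLE_2 = [("Medium", "Effective"), ("Medium", "Effective"),
             ("High", "Partially Effective"), ("High", "Ineffective"),
             ("Critical", "Partially Effective"), ("Critical", "Ineffective")]

if __name__ == "__main__":
    for name, controls in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        inherent, eff, residual = assess("Major", "Almost Certain", controls)
        print(f"{name}: inherent={inherent} effectiveness={float(eff):.2f}% residual={float(residual):.2f}")
```

Computed exactly, Example 1 gives 53.57% and 9.29; the paper's 53.58% and 9.28 come from rounding each control's weighting to two decimals before summing, while Example 2 (43.75% and 11.25) matches exactly.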
Summary
In this paper we analyse the standard risk assessment methodology that is implemented within the easy2comply software.
The methodology is a parameterisation that can be adjusted by easy2comply professional services. If there is a business requirement to adjust the methodology, please contact easy2comply.
For example, we can change the 5 x 5 matrix to a different combination, we can change the values that sit behind each Impact and Likelihood category, and we can change the way that the Residual Risk score is calculated.