You probably won’t be surprised to hear that everything is a risk—it might not be a big risk, but even walking out the front door is technically a risk. A risk is an uncertainty that can affect the outcome of a project or action. There are several kinds of risks, and in this article, we’ll talk about the difference between inherent vs residual risk and what you can do to minimize them.
Inherent Risk vs Residual Risk
Thinking about everything that could go wrong pertaining to a certain action is a casual definition of inherent risk. If you walk out the front door, you could slip on the icy stairs during the winter, get pooped on by a bird, get in a car crash on the way to work, and so on. However, you can probably put measures into place that remove or combat a lot of the inherent risks you may encounter.
If there was an ice storm, you can put salt or ice melt on your stairs to help you avoid slipping in the morning on your way to work. You can’t do much to stop a bird from pooping on you besides holding an umbrella over your head, but you can have a few napkins or a cloth in your car that you can use to clean it up if it happens you’re caught without an umbrella.
And though you can’t control the actions of others on the freeway, you can ensure that you get enough sleep the night before so you’re alert and can drive defensively on your way to work or the store.
The risk that is left over after you’ve done all you could to mitigate the inherent risk is called residual risk. If you plan and execute a campaign for your company, an example of residual risk could be a hidden fee for some equipment you rented that you didn’t know about beforehand. By tracking residual risk and planning for it, you can reduce its impact on your company.
Is Residual Risk the Same as Secondary Risk?
Residual risk is not the same as secondary risk. Secondary risk is created as a result of your trying to reduce inherent risk. For example, if you fast-track a project to minimize the inherent risk of missing the due date, a result of fast-tracking could be a lower-quality product. The risk of a lower-quality product is considered a secondary risk since it’s a risk created by an action you took to minimize an inherent risk.
How to Plan for Residual Risk
Residual risk can be minimized but never completely eliminated since nothing is perfect—humans, products, and systems are fallible. But don’t fret—people and products’ errors are correctable.
Perform Risk Assessment
Risk assessment, also known as effective analysis, is the process of identifying and evaluating risks and determining how they should be managed. This includes individual or organizational vulnerabilities that could lead to a loss of some kind. Once you know all the risks, you can put measures into place to mitigate them, which is called risk management.
Risk management is a process that can be applied to any situation where loss (or risk) is possible or even likely, whether it’s in business or personal life. The process of risk assessment involves identifying risks, understanding their likelihood, assessing the possible impacts on individuals or organizations, determining how much risk you’re willing to accept (a.k.a. risk acceptance), deciding whether to prevent or control the risk through avoidance, reduction, or acceptance, and establishing controls or procedures based on those decisions.
Another part of risk acceptance is the willingness to do things with a growth mindset. Because humans, technology, and systems are fallible, it’s important to accept that mistakes will be made (residual risk, remember?), which can help you or your company grow and improve in the long run.
Remember, not all residual risk is bad. If you create a new product line that outperforms your expectations, that is an example of positive residual risk.
Calculate Residual Risk
Once you have done your best to identify and plan for inherent risk, it’s time to calculate residual risk to the best of your ability. It may be obvious, but if not, here’s a way to look at it:
Inherent Risks - Impact of Risk Controls = Residual Risk
For example, if you perform a risk assessment for a new line of products your company is going to launch and determine that you stand to lose 100 million dollars (inherent risk), but you can put measures into place that reduce that risk by 90 million (impact of risk controls), then your leftover risk is 10 million dollars (residual risk).
(You won’t always have concrete numbers, of course).
Once you have your residual risk number, then you should take some measures to minimize that risk, if possible.
What to Do With Residual Risk
1. Avoid it
If the residual risk is too much, and you can’t accept it, then don’t follow through with the project or make adjustments until the residual risks are at an acceptable level. Keep in mind that avoiding one risk may expose you to another.
If your company doesn’t adapt its software because the residual risk is too much, then an alternate residual risk is that of a competitor adapting their software, which could potentially take away your company’s current customers. Which residual risk are you willing to take?
2. Risk reduction
Look at your residual risks and take measures to reduce them. For example, a manufacturing plant could create a checklist for each part of the manufacturing process to ensure that products are assembled safely and correctly.
3. Risk transfer
Once a company has decided to pursue a course of action and has done all it can to reduce the risks, it may choose to transfer the rest of the risk to a third party by purchasing insurance.
For example, if a company needs to increase certain protections for its assets and chooses to buy a fire-related insurance policy, then the risk of a fire would be transferred to the insurance company. However, choosing to transfer risk has its own residual risk, since the insurance company may refuse claims or go bankrupt, for example.
4. Accept risks
If a company can’t avoid the risk, has done all it can to reduce the risk, and has transferred any risk possible, then what remains to be done is to accept the remaining risk. Risk acceptance is for risks that the person or company can’t identify, mitigate, or transfer. This means that the person or company accepts responsibility for any losses incurred by the remaining residual risks.
How Much Risk Can You Accept?
Determining your risk tolerance (the amount of risk you are prepared to tolerate) depends on the person or company. But it should usually be predetermined before looking into a new project or action. For example, this could be setting an allowable budget. If a project falls within the budget, but the residual risk pushes the project outside of the budget, then the company may determine that it can’t tolerate the risk of the project.
For those visual learners out there, if you were to draw it out on a graph, with the X axis being labeled “likelihood” and the Y axis being labeled “impact,” then a line would naturally appear in the top right-hand corner of the graph where risk is either too likely or too impactful for the company to tolerate.
That line is called the risk tolerance line, and its position differs depending on the company. The concept, however, is the same. If a risk falls into that area of either being too likely or too impactful (or a combination of both) and it couldn’t be moved out of that area by reducing the amount of impact it has or reducing its likelihood, then a company would not be able to tolerate it, and, therefore, shouldn’t go through with it.
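As an added illustration (example code written for this article, not RiskRecon’s own tooling), the following Python risk register applies the subtraction formula from the Calculate Residual Risk section, Inherent Risks - Impact of Risk Controls = Residual Risk, and then checks each residual risk against the likelihood/impact tolerance line described above. The risk entries, dollar figures, control effects and thresholds are all constructed for illustration; treating “a combination of both” as a cap on expected loss (likelihood × impact) is an assumption of this example, not something the article specifies.

```python
"""Residual-risk register (added example; constructed data, not RiskRecon's code).

Each risk is plotted on the article's two axes: likelihood and impact. Controls
move a risk down and/or left, the difference in expected loss before and after
controls is the 'impact of risk controls', and whatever is left is the residual
risk, which is then compared with the company's tolerance line.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # chance the event happens in the planning period, 0.0-1.0
    impact: float      # loss in dollars if it does happen


@dataclass(frozen=True)
class Control:
    """A mitigation; it may reduce likelihood, impact, or both."""
    name: str
    likelihood_cut: float = 0.0  # absolute reduction in likelihood
    impact_cut: float = 0.0      # dollar reduction in loss if the event happens


@dataclass(frozen=True)
class Tolerance:
    """The tolerance line: a risk beyond any of these limits is unacceptable."""
    max_likelihood: float
    max_impact: float
    max_expected_loss: float  # assumption: how 'a combination of both' is scored


def expected_loss(r: Risk) -> float:
    return r.likelihood * r.impact


def apply_controls(r: Risk, controls) -> Risk:
    """Return the risk as it looks after every control has been applied."""
    lk, im = r.likelihood, r.impact
    for c in controls:
        lk = max(0.0, lk - c.likelihood_cut)
        im = max(0.0, im - c.impact_cut)
    return replace(r, likelihood=lk, impact=im)


def residual_risk(r: Risk, controls) -> dict:
    """Inherent Risks - Impact of Risk Controls = Residual Risk, in dollars."""
    after = apply_controls(r, controls)
    inherent = expected_loss(r)
    residual = expected_loss(after)
    return {
        "name": r.name,
        "inherent": inherent,
        "control_impact": inherent - residual,
        "residual": residual,
        "after": after,
    }


def beyond_tolerance_line(r: Risk, t: Tolerance) -> list:
    """Reasons a (residual) risk sits past the tolerance line; empty if tolerable."""
    reasons = []
    if r.likelihood > t.max_likelihood:
        reasons.append("too likely")
    if r.impact > t.max_impact:
        reasons.append("too impactful")
    if expected_loss(r) > t.max_expected_loss:
        reasons.append("combined expected loss too high")
    return reasons


def assess(register, controls_by_risk, tolerance: Tolerance) -> list:
    rows = []
    for r in register:
        row = residual_risk(r, controls_by_risk.get(r.name, ()))
        row["breaches"] = beyond_tolerance_line(row["after"], tolerance)
        rows.append(row)
    return rows


# Constructed sample data. The product-launch entry is chosen so that the
# numbers match the article's example: 100M inherent, 90M control impact, 10M residual.
SAMPLE_REGISTER = [
    Risk("new product line", likelihood=0.5, impact=200_000_000),
    Risk("ransomware on shared file server", likelihood=0.3, impact=40_000_000),
    Risk("breach at a third-party vendor", likelihood=0.6, impact=20_000_000),
]
SAMPLE_CONTROLS = {
    "new product line": (
        Control("market pilot before full launch", likelihood_cut=0.3),
        Control("staged inventory commitments", impact_cut=150_000_000),
    ),
    "ransomware on shared file server": (
        Control("MFA on remote access", likelihood_cut=0.15),
        Control("offline, tested backups", impact_cut=30_000_000),
    ),
    # no controls recorded for the vendor risk: residual == inherent
}
SAMPLE_TOLERANCE = Tolerance(max_likelihood=0.5, max_impact=75_000_000,
                             max_expected_loss=15_000_000)

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, SAMPLE_CONTROLS, SAMPLE_TOLERANCE):
        verdict = "tolerable" if not row["breaches"] else ", ".join(row["breaches"])
        print(f"{row['name']}: inherent ${row['inherent']:,.0f} - controls "
              f"${row['control_impact']:,.0f} = residual ${row['residual']:,.0f} ({verdict})")
```

Running the script lists each risk with its inherent exposure, the dollar effect of its controls, the residual, and whether the residual still sits past the tolerance line. In the constructed data the product launch comes out exactly as in the article (100M - 90M = 10M, tolerable), the ransomware risk is driven well inside the line, and the uncontrolled vendor risk is flagged as too likely even though its dollar exposure alone would be acceptable, which is the point of plotting on both axes rather than on a single number.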
Risk appetite is similar to risk tolerance. Risk tolerance typically focuses on controlling risk, but risk appetite focuses more on taking risks. A company’s risk appetite may be highly risk averse, with the company always erring on the side of caution, or it could have a high-risk appetite, meaning the company is very open to and actively pursues innovation and risk-taking.
Companies fall anywhere within this spectrum. In investing, for example, certain portfolios may have a high-risk appetite, while others may be very conservative. Core projects with a high impact may be better off starting with a low-risk tolerance, whereas high-return innovative projects may need a higher risk tolerance.
Making a Risk Contingency Plan
Once you’ve determined your risk tolerance level and the inherent risk possibilities, you’ll mitigate the risk you can. After you’ve done all you can to remove risk, the second part is creating a risk contingency plan.
A risk contingency plan is a plan or set of guidelines an organization is supposed to follow if hypothetical risks become a reality. This is not the same as risk mitigation. Risk mitigation happens before an event occurs and is supposed to reduce the likelihood of risk happening at all.
For example, an airline takes precautions so its flights are safe for its passengers by providing a pre-flight checklist for its pilots to use. That is risk mitigation. However, at the beginning of each flight, flight attendants instruct passengers how to use oxygen masks in case of lost cabin pressure. That is a risk contingency plan. Oxygen masks do not drop and the plan is not implemented until the risk has become a reality.
Think of it this way. A risk contingency plan could be prefaced with, “In case of ______, do ____.”
For example, what will your company do if a project goes over budget? Does your risk response involve emergency resources or will cost-cutting procedures be put into play? Will you back out of the operation altogether? If your surgery goes wrong, do you have a backup babysitter to help watch your kids for a few extra days, or can your spouse take off work to step in and help?
Risk contingency plans do not affect the probability of a risk taking place. However, these plans can seriously reduce the effects of an unexpected risk.
Think of them as steps you’re supposed to take when warning signs appear. Setting up storm barriers when there’s a hurricane warning doesn’t affect whether the hurricane hits or not, but setting up the storm barriers is part of a risk contingency plan to reduce the damage done by the hurricane.
Risk contingency plans don’t often cost much money until an event occurs that requires the use of those contingent resources outlined in the plan. A good example of this is that of a shipping company. The shipping company doesn’t experience the cost (money and time) of using longer backup routes until some kind of event forces the company to abandon its typical routes.
How RiskRecon Can Help
In a world where companies are integrated with several third- and fourth-party providers, security can be a big issue. Even if those companies say they are following security protocols, how can you be sure? How are you supposed to adequately assess the quality of third-party providers’ security? Enter RiskRecon, a Mastercard Company.
RiskRecon’s SaaS solution can help your organization get transparency and accountability from vendors by providing continuous information about their security posture. You can trust RiskRecon to measure security program quality, improve productivity, and ensure accountability among all stakeholders. Potential risks will be communicated, and you’ll be given actionable items you can implement to reduce the risks to your company’s assets.