Few things are certain in life: death, taxes and someone in the risk community asking about inherent and residual risks. In fact the question is so frequent that I even did a short video response:
To most organisations the inherent vs residual comparison is a way to measure the potential effectiveness of risk mitigation and the resulting reduction in risk. That sounds pretty noble and sensible: measure the trade-off between the cost of mitigation and the reduction in risk exposure.
But, as is often the case in RM1, the execution of the idea is the problem. Qualitatively assessing inherent risk on probability and impact scales before controls (or with current controls, it doesn't matter) and then qualitatively assessing the residual risk level again is beyond stupid. By the way, if that surprised you, you probably shouldn't be working in risk 🙂 In the article Finally! An alternative to risk matrices I provide more information on why doing qualitative risk assessments is not risk management.
That being said, in RM2 we have always compared risk exposure with and without mitigations, but we do it completely differently. Drum roll please. We look at the probability of achieving objectives and how the mitigations affect that probability. Norman Marks calls it the probability of success.
In RM2 we don't need to talk about risk levels; we always express uncertainty in terms of its effect on objectives.
Here is what it looks like for financial objectives:
Current risk exposure, without mitigations: probability of success 77.5%. Not bad, but management wanted better certainty.
Updated risk exposure with mitigations: probability of success moved to 86%. (All numbers are for illustration purposes only; the actual difference is usually much greater.)
Here is an example of what it may look like for a project schedule:
The probability of finishing on or before the deadline is 16%. Not acceptable; mitigations need to be implemented.
Updated probability of success is 68%. This was within management's appetite.
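To make the schedule version concrete, here is an added example (not from the original post, and not the tool behind the figures above) that computes the probability of finishing on or before a deadline with and without a mitigation. It uses a small constructed project: three sequential tasks with discrete duration distributions, a 15-day deadline, and one mitigation that changes the supplier task's distribution; the task names, durations and probabilities are all constructed, and the sum distribution is computed exactly rather than sampled.

```python
"""Probability of meeting a deadline, before and after a mitigation.

Constructed example: three sequential tasks, each with a discrete duration
distribution (working days -> probability). The output is the change in the
probability of success, not a risk level.
"""


def convolve(distributions):
    """Exact distribution of the sum of independent discrete variables.

    Each distribution is a dict {value: probability}; the result has the
    same shape for the sum. No sampling, so the result is reproducible.
    """
    total = {0: 1.0}
    for dist in distributions:
        nxt = {}
        for v1, p1 in total.items():
            for v2, p2 in dist.items():
                nxt[v1 + v2] = nxt.get(v1 + v2, 0.0) + p1 * p2
        total = nxt
    return total


def probability_of_success(distributions, deadline):
    """P(total duration <= deadline) for tasks done one after another."""
    return sum(p for v, p in convolve(distributions).items() if v <= deadline)


# Constructed task-duration distributions (days -> probability).
DESIGN = {4: 0.5, 5: 0.3, 7: 0.2}
BUILD = {3: 0.6, 4: 0.4}
VENDOR_DELIVERY = {5: 0.3, 8: 0.4, 12: 0.3}            # current exposure
VENDOR_DELIVERY_MITIGATED = {5: 0.6, 8: 0.3, 12: 0.1}  # constructed: backup supplier lined up
DEADLINE = 15


def compare_mitigation(deadline=DEADLINE):
    """Return (before, after, gain): P(on time) without and with the mitigation."""
    before = probability_of_success([DESIGN, BUILD, VENDOR_DELIVERY], deadline)
    after = probability_of_success([DESIGN, BUILD, VENDOR_DELIVERY_MITIGATED], deadline)
    return before, after, after - before


if __name__ == "__main__":
    before, after, gain = compare_mitigation()
    print(f"P(on time) without mitigation: {before:.1%}")
    print(f"P(on time) with mitigation:    {after:.1%}")
    print(f"Improvement: {gain:.1%} points")
```

The same convolution works for the financial case by replacing day counts with money amounts and "on or before the deadline" with "at or above the target".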
Qualitative inherent and residual risk discussions are a waste of time. They are probably even worse than useless because of cognitive biases and the methodological errors inherent in qualitative assessments. On the other hand, we can and should calculate the probability of success before and after proposed mitigations. Even safety and compliance risks are better represented as their impact on an objective or decision than as a standalone risk level.