The better alternative to “inherent” and “residual” risk concepts

Few things are certain in life: death, taxes, and someone in the risk community asking about inherent and residual risks. In fact, the question is so frequent that I even did a short video response.

To most organisations, the inherent vs residual comparison is a way to measure potential risk mitigation effectiveness and the reduction in risk. It sounds pretty noble and sensible to measure the trade-off between the cost of mitigation and the reduction in risk exposure.

But, as is often the case in RM1, execution of the idea is the problem. Qualitatively assessing inherent risk in terms of probability and impact scales before controls (or with current controls, it doesn’t matter) and then again qualitatively assessing residual risk level is beyond stupid. By the way, if the last paragraph surprised you, you probably shouldn’t be working in risk 🙂 In the article “Finally! An alternative to risk matrices” I provide more information on the reasons why doing qualitative risk assessments is not risk management.

That being said, in RM2, we have always compared risk exposure with and without mitigations, but we do it completely differently. Drum roll please. We look at the probability of achieving objectives and how the mitigations affect that probability. Norman Marks calls it the probability of success.

In RM2 we don’t need to talk about risk levels; we always represent uncertainty as a product of objectives.

Here is what it looks like when it comes to financial objectives:

[Figure: NPV chart]

Current risk exposure, without mitigations. Probability of success 77.5%. Not bad, but management wanted better certainty.

[Figure: NPV chart, no event risks]

Updated risk exposure with mitigations. Probability of success moved to 86%. (All numbers are for illustration purposes only; the actual difference is usually much greater.)

Here is an example of what it may look like for a project schedule: 

The probability of finishing on or before the deadline is 16%. Not acceptable, need to implement mitigations.

Updated probability of success is 68%. This was within management appetite.
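An added example, not from the original article: one way to compute the before-and-after probability of success for the project schedule case is a Monte Carlo simulation. The technique, task durations, event risks, mitigations and deadline are all assumptions constructed for illustration; the article's own figures (16% and 68%) come from its charts, not from this model.

```python
import random

# Constructed inputs (not from the article): task durations in days as
# (optimistic, most likely, pessimistic), and event risks as
# (probability, (min, likely, max) delay in days).
DEADLINE = 130
BASELINE = {
    "tasks": [(20, 30, 50), (40, 60, 100), (15, 20, 40)],
    "events": [(0.30, (10, 20, 40)), (0.20, (5, 10, 20))],
}
# Hypothetical mitigations: a second supplier cuts the first event's
# probability, earlier testing cuts rework and narrows the build task.
MITIGATED = {
    "tasks": [(20, 30, 50), (40, 55, 80), (15, 20, 40)],
    "events": [(0.10, (10, 20, 40)), (0.05, (5, 10, 20))],
}

def simulate_duration(model, rng):
    """Draw one possible project duration from the model."""
    total = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in model["tasks"])
    for prob, (lo, mode, hi) in model["events"]:
        if rng.random() < prob:          # the risk event occurs in this trial
            total += rng.triangular(lo, hi, mode)
    return total

def probability_of_success(model, deadline, trials=20000, seed=1):
    """Share of trials that finish on or before the deadline."""
    rng = random.Random(seed)
    hits = sum(simulate_duration(model, rng) <= deadline for _ in range(trials))
    return hits / trials

def compare(deadline=DEADLINE):
    """Probability of success without and with the mitigations."""
    before = probability_of_success(BASELINE, deadline)
    after = probability_of_success(MITIGATED, deadline)
    return before, after

if __name__ == "__main__":
    before, after = compare()
    print(f"P(on time) without mitigations: {before:.1%}")
    print(f"P(on time) with mitigations:    {after:.1%}")
    print(f"Change in probability of success: {after - before:+.1%}")
```

The same seed is used for both runs, so the difference reflects the mitigations rather than sampling noise.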

Conclusion

Qualitative inherent and residual risk discussions are a waste of time. They are probably even worse than useless due to cognitive biases and inherent methodological errors in qualitative assessments. On the other hand, we can and should calculate the probability of success before and after proposed mitigations. Even safety and compliance risks will be better represented as impact on an objective or decision instead of a standalone risk level.
