Inherent Risk vs. Residual Risk: What’s the Difference?

When organizations think about risk, they’re often thinking about the risk they’d be exposed to without any security controls in place at all: a breach that happens in the absence of cybersecurity controls, for example, or a phishing attack on staff that hasn’t been taught to spot fraudulent emails.

But what about the cyberattack that manages to get around existing controls?

When it comes to risk analysis, there are two categories of risk to consider: inherent risk and residual risk. Let’s take a closer look.

What is inherent risk?

Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.

What is residual risk?

Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.

What’s the difference between inherent risk vs. residual risk?

Organizations often experience attacks when they have controls in place, and some of those attacks slip through the net of cybersecurity that’s been set up. Think, for example, about an employee who falls for a social engineering attack despite being trained to spot phishing emails or an attacker who finds a vulnerability despite the fact that products are patched often.

That’s the difference between inherent and residual risk in information security.

Or to think of it another way, you’ve put a fence around your data and networks to keep the risk out, and while that fence is keeping most of the risk out, some can still sneak in. That risk that’s sneaking in, despite your team’s best efforts, is residual risk.

It’s important to note that these definitions can get a little murky. Most organizations today aren’t operating with absolutely no cybersecurity controls in place. The FAIR Institute recommends that companies modify the definitions somewhat, identifying inherent risk as “the current risk level given the existing set of controls.”

In this more realistic scenario, residual risk represents the remaining risks once additional controls are applied.

Why is inherent risk important?

Understanding inherent risks and their impact helps security teams identify which cybersecurity controls will be most successful to fight the existing level of risk and risk factors associated with your business. Without a good understanding and grasp of the inherent risks your business faces, you will never be able to successfully mitigate and prevent new threats and vulnerabilities from emerging. Understanding the inherent risks of your business is the first step in developing a successful cybersecurity program.

How do you identify inherent risk?

Inherent risk can be identified through an audit of current operations and the business environment. This includes day-to-day processes, market trends, economic factors, regulations in the industry, and analyzing what competitors are doing.

Why is residual risk important?

Understanding residual risk is important from a compliance standpoint; the ISO 27001 regulations — which allow organizations to manage the security of assets that are entrusted to an organization by third parties — require companies to monitor residual risk. To be compliant with ISO 27001, companies must have residual security checks in place alongside inherent security checks.

On a more basic level, security teams that focus only on inherent risk are missing the full picture when it comes to understanding their organization’s risk profile, and that can lead to poor decisions when it comes to security.

Good security teams know that just because you’ve put up a fence, doesn’t mean that you’ve eliminated all risk; something that isn’t possible. Some risk always remains. Attackers might hurl themselves against the fence, something small might get through, or maybe something will get over the fence.

Continuously monitoring and understanding residual risk as well as inherent risk allows security professionals to more quickly and accurately identify potential security threats, and understand how those threats can negatively impact a company and its data. By knowing how and when risks might slip through the fence, a security team or a CISO can confidently respond to risks.

How do you identify residual risk?

Residual risks can be identified by performing audits and looking over processes after controls have been put in place to protect your organization. This would include performing penetration testing, sending employees test phishing emails, and other methods used to test current cybersecurity controls.

What is an example of inherent risk?

Inherent risk includes risks that naturally come with ongoing operations when no controls are in place. This includes situations such as data theft, data loss, unauthorized access points, malware, phishing, insider threats, and data mismanagement.

What is an example of residual risk?

As we mentioned above, residual risk refers to the risks that exist even after implementing cyber security controls you intend to use for your business.

An example of residual risk is if your company implements a policy requiring employees to use complex and character-specific passwords. You can improve this policy by requiring employees to update and change these passwords on a regular basis. While this could reduce the likelihood of cybercriminals figuring out employee passwords, there is residual risk if employees just alternate between the same set of passwords.

It’s up to your business to decide if this is the kind of residual risk you are willing to accept.

How to manage residual risk

Now that you know what residual risk is, what do you do with it? Once you understand residual risk, it’s time to classify the risk, so your organization knows how to respond.

Much of this work has to do with your organization’s tolerance for risk; if the residual risk is below an acceptable level of risk, your organization doesn’t need to do anything but accept it. If not, the security team will need to find new ways to mitigate the risks, which means you’ll have to reassess your residual risk once the new controls are in place.

In many cases, this will mean a constant recalculation of risk levels and tolerance as organizations understand how much appetite they have for risk and where the gaps are in their security.

How to calculate residual risk?

Residual risks can be calculated by identifying the risk tolerance, or how much your company would need to do to prevent any inherent risks from being exploited. Once you identify inherent risks, the protocols necessary to treat these risks, and how much risk is reduced in this process, the strategy developed is what calculates the residual risk.

Essentially, Residual Risk = Inherent Risks – Impact of Risk Controls.

Monitor inherent and residual risks with SecurityScorecard

SecurityScorecard’s security ratings platform can help companies monitor the changing nature of threats and help them recalibrate their risk levels by continuously monitoring an organization’s IT ecosystem. Our security ratings provide easy-to-read A-F security ratings that show you, at a glance, what your organization’s security posture looks like across 10 categories of risk factors: IP reputation, DNS health, endpoint security, network security, patching cadence, web application security, social engineering, hacker chatter, and information leakage.

If a score drops in any area, you’ll receive a real-time notification, allowing your security team to reevaluate your risks, your controls and make better decisions to protect your data and networks. Interested in learning more? Sign up for a free account today to discover how SecurityScorecard’s ratings platform can help manage risks associated with your business.