Working with inherent and residual risk

The internal audit perspective

To an internal auditor, a risk analysis is relevant because it provides information on the priorities within an audit universe. The auditor looks at everything he has the right to audit (the audit universe) and asks himself where his task, providing assurance, is best executed. Think this through: it is not in the areas where management already knows it has issues. If he audits there, he will get in the way and management will respond with a resounding "So what, we knew that already", hence no added value from reasonable assurance. What the auditor should focus on are those areas where the risk is high but, according to management, appropriately mitigated. A residual risk overview will do him no good, because management will score an adequately mitigated risk as a low residual risk. There it gets confused with non-essential risks or risks with a naturally low residual value. So, the internal auditor wants an inherent risk overview.

The risk management perspective

Residual risk is very relevant for the risk manager. He needs to focus on what remains to be managed. His area of attention is not (necessarily) the inherent risks. He wants and needs to take into account what has already been done; otherwise he will be focusing his attention on issues already under control, which is not an economic use of time and means.

How to combine both needs?

People in the organization are not willing to spend twice the significant amount of time a risk assessment exercise takes, once for the risk manager and once for the internal auditor. Both need the information, also because it is required by the applicable standards, such as the IIA standards on internal auditing. Can we create one assessment that answers the questions of both the risk manager and internal audit? I believe it is possible, but to explain it I first need to clarify the traditional definitions of residual and inherent risk.

What is residual risk?

Residual risk is most often defined as the risk that remains in an organization, taking into account all mitigating actions that have been taken, within budget constraints, to manage the risk as well as possible. It consists of a number of composing factors. Like any risk, residual risk is defined as a function of the factor impact and the factor likelihood.

These are well known concepts. But, let’s focus a bit on them.

Impact is a rather generic notion. Impact on what? I often define impact relative to the mission, vision, objectives and goals an organization has. If an event impacts an organization in a way that hinders it in achieving its objectives, the risk of that event is a significant risk and needs to be taken into account in a risk management exercise. Impact is also relative to the organization. The organization defines its objectives, and a risk will be more or less significant depending on the influence it has on those objectives and the importance of those objectives for the organization as a whole.

Let's look at likelihood for a moment. I often read that likelihood is how likely it is that a risk will occur. The problem is that this does not truly define likelihood; it just says the same thing in other words. What influences likelihood? I follow Bill Sewall when he states that likelihood is a function of two other aspects. I call these vulnerability and (situational) exposure (Sewall uses vulnerability and threat). Let's make that more concrete.

Defining vulnerability

In any situation, your organization, your department, your process or you yourself can be vulnerable. If the risk event were to occur, there would be damage; vulnerability reflects how significant that damage would be. Sitting under a tree during a thunderstorm: very vulnerable. The point is that while sitting under a tree is indeed dangerous, that vulnerability is there all the time (you are human, lightning can hurt you) but it only gains relevance during a thunderstorm. Lightning can only hurt you if you expose yourself to a situation where lightning is present.

About situational exposure

Hence, the situational exposure is important as well. Let’s take another example. Imagine you are driving a car while blindfolded. Not necessarily a good idea, because you can hit something. You are vulnerable. However, if the situation is such that you are driving a car blindfolded in the middle of a salt flat with kilometers and kilometers of space on all sides, you are less exposed than if you were to be doing this in the middle of a densely wooded area or a city.

Likelihood of occurrence is therefore not only a function of the inherent vulnerability but also of the exposure, which depends on the situation. When assessing likelihood, you need to assess both vulnerability as well as exposure.

Inherent risk

But what then is inherent risk? Let's reverse the traditional order and start from the definition of residual risk. Residual risk is a function of the vulnerability, the exposure (the situation) and the impact of the risk. Now imagine that, if the risk event occurred, no mitigating factors were in place. What would that mean for the definition? In essence, the vulnerability would be total: the full impact would be felt under all conditions, without the mitigating effect of a reduced vulnerability.

To illustrate: a car drives across a pitted landscape. Some cars have been built to be less vulnerable to the shocks and jolts of the holes in the ground. Their residual risk is lower than that of other cars, which still provide some mitigation by means of their shock absorbers. In the extreme case there is nothing: just an engine, a chassis and wheels. The first pit you encounter will be the last, and the impact will be total.

Inherent risk can therefore be defined as a function of exposure and impact only, treating vulnerability as total rather than taking it into account.

Relevant risk questions

What then are the relevant questions that should be asked during a risk assessment to provide both internal audit and the risk manager with relevant input? I distinguish four different questions.

  1. How vulnerable are you now to a certain risk? (Factor A) Assuming the risk occurs, how vulnerable are you, here and now, to it? In the extreme situation you are entirely vulnerable: if the risk occurs, the full impact will be felt, and at that point the inherent risk equals the residual risk. At the other end of the spectrum is a situation where you are completely covered. You are untouchable, invulnerable, with almost Superman-like protection.
  2. How exposed are you (here and now)? (Factor B) The second question assesses the situation you, the process, the department or the organization as a whole are in with respect to this risk. How often do risk events happen, here and now? It is the question of whether or not you are in dangerous territory. Not knowing how to swim is a vulnerability, but if you are not exposed to water, you need not break a sweat. If you are in the middle of the ocean in a small boat, that is a very different story. The answer can range from highly exposed at one end to not or barely exposed at the other.
  3. How much effort do you put into mitigation? (Factor C) This is an essential question for risk management. It queries the investment to date in the mitigation of a specific risk. Imagine you are still driving the car, blindfolded, in the middle of the woods. As a mitigating strategy, the organization has decided to have you assisted by a psychic, also blindfolded of course. They have found the most expensive psychic in the world, with the best reputation ever. They throw everything at it, the proverbial kitchen sink included. They put a lot of effort into the mitigation. Most likely it will not work, and the effort will not have yielded the desired effect. For a risk manager, this is an indication to start doing something different. The scale can range from a high level of effort to no effort at all.
  4. If the risk occurs and mitigation fails, what will be the impact? (Factor D) What happens when disaster strikes? What happens when all defenses are breached, when all controls and all systems fail? What is the worst possible outcome? This is the final question. The answer can be catastrophic or, at the other end of the spectrum, immaterial.

The question NOT to ask: How effective is your mitigation? (Factor A’)

Mitigation effectiveness is a relevant factor from the internal audit point of view, but it should not be asked as a separate question. I call it factor A', or A inverse, because it is the exact inverse of factor A. Vulnerability is a function of mitigation effectiveness, so the inverse of vulnerability serves as the indicator of how effective the risk mitigators are. A low to non-existent vulnerability matches a high mitigation effectiveness, whereas a high degree of vulnerability indicates a low level of mitigation effectiveness.

Using matrices

The question then remains: based on these four questions and five parameters, one of which is derived, which matrices can be generated?

  • Residual Risk Effort matrix (Risk Management) - From a risk management point of view, we have all the information required to generate a residual risk effort matrix, the matrix risk managers use to focus their activities on the areas with the highest remaining risk. On the vertical axis we show the residual risk level. This residual risk level is a function of vulnerability, exposure and impact, or factors A, B and D. On the horizontal axis we show effort, factor C.
  • Inherent Risk Control matrix (Internal Audit) - The information gathered also allows us to present an inherent risk control matrix, such as the ones used in internal auditing. On the vertical axis we show the level of inherent risk. We calculate this from exposure and impact, again assuming the vulnerability is total (i.e. there are no mitigations). For this we use factors B and D. On the horizontal axis we show the level of current risk management, represented by the mitigation effectiveness, factor A' or A inverse.
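A worked scoring of the four factors (the questions above) into the two matrices, as an added example that is not part of the original article. The 1..5 scale, the geometric mean used to keep every score on that same scale, the midpoint split of each axis and the sample portfolio are my assumptions; the article prescribes no scale or formula. The example goes slightly beyond the text in that it also reads the quadrants: the "high inherent, well mitigated" cell the auditor wants, and the "high residual, high effort" cell where the risk manager should change approach.

```python
"""Scoring factors A, B, C, D (and the derived A') into the two risk matrices.

Added example, not from the original article. Assumptions (not in the text):
every factor is scored 1 (low) .. 5 (high); a risk score is the geometric
mean of its factors so that it stays on the same 1..5 scale; the midpoint 3
splits each matrix axis into its 'low' and 'high' half.
"""
from dataclasses import dataclass

SCALE_MAX = 5   # assumption: factors scored 1 (low) .. 5 (high)
MIDPOINT = 3.0  # assumption: axis split used for the 2x2 matrices


@dataclass(frozen=True)
class Risk:
    name: str
    vulnerability: int  # A: how vulnerable are you now (5 = fully vulnerable)
    exposure: int       # B: how exposed are you, here and now
    effort: int         # C: mitigation effort invested to date
    impact: int         # D: impact if the risk occurs and mitigation fails

    def __post_init__(self) -> None:
        for f in (self.vulnerability, self.exposure, self.effort, self.impact):
            if not 1 <= f <= SCALE_MAX:
                raise ValueError(f"factor {f} outside 1..{SCALE_MAX}")


def geometric_mean(*factors: int) -> float:
    product = 1
    for f in factors:
        product *= f
    return product ** (1 / len(factors))


def residual_risk(r: Risk) -> float:
    """Residual risk = f(vulnerability, exposure, impact) = f(A, B, D)."""
    return geometric_mean(r.vulnerability, r.exposure, r.impact)


def inherent_risk(r: Risk) -> float:
    """Inherent risk = residual risk with vulnerability total (A = SCALE_MAX),
    i.e. effectively a function of exposure and impact only (B and D)."""
    return geometric_mean(SCALE_MAX, r.exposure, r.impact)


def mitigation_effectiveness(r: Risk) -> int:
    """Factor A' (A inverse): derived from A, never asked separately."""
    return SCALE_MAX + 1 - r.vulnerability


def risk_management_matrix(risks):
    """Residual Risk / Effort matrix: {(residual_high, effort_high): [names]}."""
    cells = {}
    for r in risks:
        key = (residual_risk(r) >= MIDPOINT, r.effort >= MIDPOINT)
        cells.setdefault(key, []).append(r.name)
    return cells


def internal_audit_matrix(risks):
    """Inherent Risk / Control matrix: {(inherent_high, effectiveness_high): [names]}."""
    cells = {}
    for r in risks:
        key = (inherent_risk(r) >= MIDPOINT, mitigation_effectiveness(r) >= MIDPOINT)
        cells.setdefault(key, []).append(r.name)
    return cells


def audit_priorities(risks):
    """High inherent risk that management scores as well mitigated: the cell
    where assurance adds value, and the one a residual-only view hides."""
    return sorted(internal_audit_matrix(risks).get((True, True), []))


def ineffective_effort(risks):
    """High residual risk despite high effort (the blindfolded psychic): the
    cell where the risk manager should start doing something different."""
    return sorted(risk_management_matrix(risks).get((True, True), []))


# Constructed sample portfolio with illustrative scores, not real data.
PORTFOLIO = [
    Risk("payroll fraud", vulnerability=1, exposure=4, effort=4, impact=5),
    Risk("ransomware", vulnerability=5, exposure=4, effort=5, impact=5),
    Risk("stationery theft", vulnerability=5, exposure=4, effort=1, impact=1),
    Risk("supplier outage", vulnerability=4, exposure=2, effort=2, impact=4),
]

if __name__ == "__main__":
    for r in PORTFOLIO:
        print(f"{r.name:18} residual={residual_risk(r):.2f} "
              f"inherent={inherent_risk(r):.2f} A'={mitigation_effectiveness(r)}")
    print("internal audit should look at:", audit_priorities(PORTFOLIO))
    print("risk manager should rethink:  ", ineffective_effort(PORTFOLIO))
```

Run on the constructed portfolio, "payroll fraud" scores a low residual risk (about 2.7) and would sit at the bottom of a residual ranking, yet its inherent risk is high (about 4.6) and management rates the mitigation as effective: exactly the cell the auditor needs and the residual view hides. "ransomware" has its vulnerability scored as total, so residual equals inherent, and the high effort behind it has bought nothing. "supplier outage" is high residual with little effort, the place for the risk manager to invest. Both matrices come out of the same four answers; nothing was asked twice.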

The impact of simplification on residual risk

Red tape increases risks

Red tape is likely to increase the residual risk profile of an organization. Such organizations overburden their external and internal customers with ever more rules and regulations to comply with. Contrary to expectations, this does not lead to more care: the more rules there are, the less care is taken. Less care reduces the risk awareness of customer-facing employees, because they too are merely jumping through the hoops. Reduced risk awareness results in a higher residual risk profile, because assumptions are neither checked nor questioned and may turn out to be false.

Past relevance of red tape

Red tape was initially introduced in organizations to ensure that operations ran smoothly. Many operations in larger organizations of the industrial era were standardized to reduce costs, and this approach was copied in service organizations and public sector entities as well. It led to productivity increases, which were a good thing from a cost perspective. However, the more you standardize a process, the more difficult it becomes to provide deviations from the standard product. As Ford (presumably) said: "You can have any color of car, as long as it's black." Choice in the Model T was limited: black, black or black. In addition, people on the work floor were discouraged from showing initiative and thus did not take ownership of the process. This, too, was mirrored in other organizations.

Asymmetrical information availability influences risk

A risk profile of an organization is a view on the risks to which the organization is exposed. A risk profile is specific to a company but heavily influenced by the industry in which it operates as well as the overall business environment in which the organization lives. Many different elements can influence a risk profile. First, there are risks external to the company. These risks in the organization's environment will influence its risk profile. The organization can do little about them (they include the business environment, demographic evolutions, weather, and disasters such as Deepwater Horizon), but they will impact it, and may impact it severely. A risk profile also consists of operational risks, which occur in the everyday operations of the organization. One of the risks that can influence or worsen other risks is red tape. More on that later. Finally, we see decision-making risks. Information from the external and operational environment is reported to the decision-making levels, which are not necessarily intimately aware of the situation on the ground. They base themselves on decision information, and any errors in the assembly and presentation of this information can lead to faulty decisions. Therefore these risks influence the risk profile as well, and they in turn can be significantly influenced by the red tape risks.

What happens if you leave red tape unchecked?

Imagine an organization that continues to develop red tape procedures beyond the point of diminishing returns, i.e. the point where an additional procedure stops making sense. Compliance, if reached at all, will be reached with minimal care, as the users do not see the relevance or the benefit of the additional requirements. More rules lead to less care.

Now imagine an organization that is run on rules and rules only, with any remark or dissenting opinion ignored or punished because it is deviant behavior. New hires will very quickly stop caring. This is exactly what is witnessed in this type of organization, often hierarchical organizations. And if your collaborators no longer care, they will not be aware of, or will not mention, elements influencing the risk profile. In essence, their risk awareness will be significantly reduced.

And when risk awareness in an organization reduces, the likelihood that risk exposures are identified, flagged, assessed and managed reduces with it. The real residual risk profile of the organization rises. Every increase in risk has an associated cost, all other things being equal. So either the organization accepts the higher cost of managing that risk, thereby losing the assumed benefits of the added red tape, or it is simply exposed to more risk.

The simpler the process, the lesser the risk

Simplification projects that aim to reduce red tape will likely alarm the organization: it is not used to such exercises, and they run counter to much of what it has learned. However, consider the following: you will introduce more care in the execution of your organization's activities, which your customers will appreciate. The increase in care leads to an increase in risk awareness, which should lead to a reduction in the organization's residual risk profile.