Inherent level of risk

It is important to understand the uncontrolled level of all risks that have been identified. This is the level of the risk before any actions have been taken to change the likelihood or magnitude of the risk. Although there are advantages in identifying the inherent level of risk, there are practical difficulties in identifying this with certain types of risks.

Identifying the inherent level of the risk enables the importance of the control measures in place to be identified. The Institute of Internal Auditors (IIA) has the view that the assessment of all risks should commence with the identification of the inherent level of the risk. The guidance from the IIA states that 'in the risk assessment, we look at the inherent risks before considering any controls.' The new International Risk Management Standard, ISO 31000, recommends that risks are assessed at both inherent and current levels.

Often, a risk matrix will be used to show the inherent level of the risk in terms of likelihood and magnitude. The reduced or current level of the risk can then be identified, after the control or controls have been put in place. The effort that is required to reduce the risk from its inherent level to its current level can be clearly indicted on the risk matrix.

Terminology varies and the inherent level of risk is sometimes referred to as the absolute risk or gross risk. Also, the current level of risk is often referred to as the residual level or the managed level of risk. The example in the box below provides an example of how inherently high-risk activities are reduced to a lower level of risk by the application of sensible and practical risk response options.