# Risk Formula Definition: Inherent Risk, Residual Risk And Control Effectiveness

Posted in Risk Management on May 8, 2024

Risk formula definition. Mathematically, risk is a multiple of likelihood and impact. It is the likelihood of a breach happening multiplied by the impact of the breach on the business.

Inherent risk is different from residual risk, which is the risk that remains after assessing the controls that are implemented to mitigate the risks. This is calculated by multiplying inherent risk by the effectiveness of the control.

## Risk Formula Definition: Inherent Risk, Residual Risk And Control Effectiveness

A risk is any threat that an event or action will have a negative impact on the business and its goals. Risk is defined as the combination of the likelihood of an event occurring and the consequences of that event occurring. This provides us with a simple formula for calculating the level of risk in any situation.

## Inherent Risk

The level of sanction risk that exists before applying controls to minimize it is referred to as inherent risk. Customers, products and services, countries, and delivery channels are the four primary areas of inherent risk. You may notice that the risk categories are similar to those used in AML and terrorist funding risk assessments. Inherent risk is frequently used as the starting point for a risk assessment, and it considers the likelihood and severity of noncompliance before considering the mitigating impacts of risk management processes.

Following the assessment of inherent risks, businesses must determine the controls in place to reduce inherent risks. Control effectiveness (also known as mitigation measures or quality of risk management) is an assessment of the quality of controls used to minimize the inherent risks of a business.

These controls should be both appropriate and effective to mitigate the identified risks. That is, they must be proportionate: where there is an elevated risk, the controls should be more comprehensive to mitigate that risk.

## Controls

The controls used within a risk management program include:

• Governance;
• Policies and procedures;
• Know your customer/due diligence (including beneficial ownership);
• Management information;
• Record keeping and retention;
• Sanctions blocks/rejections;
• Monitoring;
• Training and awareness;
• Independent testing.

For example, inherent customer risk can be reduced through comprehensive know your customer (KYC) procedures to identify customers, their owners and controllers, and the nature and purpose of their business. During the onboarding process, these procedures could involve the provision of certain types of documents, such as license authorizations.

This procedure would then reduce the risk, for example, of providing trade financing for the export of a product that is restricted under a sanction

Each of the controls listed above can help to mitigate the inherent risk levels initially assessed. As a result, the organization may determine which sections of its business appear to pose higher levels of risk.

## Residual Risk

The business’ risk appetite is significant when assessing residual risk. At this stage in the assessment process, the organization can identify which areas of business are considered high risk after establishing control effectiveness. A business has four options for managing the residual risks:

Firstly, it can transfer the risk. However, because a firm cannot transfer accountability for sanctions compliance to someone else, this is not always a good option. If a firm assigns responsibility to a vendor or another third party, the firm must ensure the vendor is qualified and has effective controls.

Secondly, it can avoid the risk. If the level of risk exceeds its risk appetite, the firm may decide to discontinue or fail to pursue a given line of products or decide not to accept business relationships with customers who, for example, undertake business in certain countries.

Thirdly, it can seek to further mitigate the risk by, for example, decreasing “fuzzy logic” thresholds, increasing monitoring, adopting other controls, and/or strengthening current controls to manage the risk.

Fourthly, it can accept the risk.

## A Common Formula For Risk

Risk is commonly defined as: Risk = Threat x Vulnerability x Consequence. This is not meant to be a mathematical formula, but rather a model to demonstrate a concept.

There should be some common, neutral units of measurement for defining a threat, vulnerability, or consequence for a complete mathematical formula. Unfortunately, that no longer exists. For parts of the formula, there are some common units, such as CVSS to describe a vulnerability, but these are dependent on the environment or subjective to those who use the formula.

On the other hand, if you can remove one part of the formula, such as the threat or vulnerability part, and then replace it with near zero, the resulting risk value is reduced to almost nothing.

## Measuring Risk Likelihood

The first part of the risk formula, Threat x Vulnerability, can also be interpreted as probability. This likelihood is a rough estimate of the likelihood that a given vulnerability will be discovered and exploited by a threat actor.

While you can limit some factors, the threat actor is usually beyond your control. The threat actor’s rating is determined by a number of factors, including:

• The attacker’s skill level;
• The actor’s motivation;
• The possibility — whether the attacker has the necessary knowledge and access; and
• The capabilities of your opponent, including his or her financial resources.

## Final Thoughts

If attackers are still able to gain access to your environment despite all necessary security measures, you should initiate your incident response plan. Make sure you’ve set up detection capabilities and log sources to conduct the investigation. Detection entails more than just observing unusual events. Combine the various events and look for anomalies using human and threat intelligence.