Does this sound familiar? You start a new risk management cycle, only to get stuck in abstract debates about concepts like "inherent risk." These discussions feel out of touch, slow down GRC processes, and alienate the very departments you need to engage. Risk management becomes a theoretical chore nobody wants. I advocate for a pragmatic approach: start with the "current risk." This focus on reality is understandable, efficient, and answers the key question for management: "Is our protection sufficient?" This transforms risk management from a hindrance into a strategic partner that helps move the company forward.
[Image: close-up of a rough concrete wall in black and white, with the question "WHY NOT?" handwritten on it.]

Does this sound familiar? You start a new risk management cycle, and soon you’re stuck in fundamental debates. The conversation revolves around terms like gross risk, net risk, inherent risk, and residual risk—or “inherent risk assessment” and “residual risk analysis.” In particular, the concept of inherent risk—risk in its purest form, without any countermeasures—regularly causes head-shaking in specialized departments and slows down efficient GRC processes.

Frameworks like COSO, as well as new requirements from CSRD and EFRAG, demand this kind of analysis to properly measure the effectiveness of controls. It makes sense on paper. In practice, however, it leads to absurd thought experiments: “Imagine our data center had no access controls,” “What would the risk be if we used no passwords?” or “What would the environmental risk be if we had no air filters on our production line?” These discussions are purely theoretical and make any practitioner’s hair stand on end.

In my career, I have never seen a company that operates without basic protective measures. That’s precisely why these discussions feel so out of touch. We shouldn’t be surprised when departments in production, procurement, IT, and sales no longer want to talk to us risk managers. These conversations lead to risk management being perceived as a theoretical chore for compliance purposes, distracting from the real work and undermining the acceptance of the entire process.

The Better Starting Point: Current Risk

Instead of getting lost in theoretical constructs, I advocate for a pragmatic approach: start your risk management process where you are today—with current risk. “Current risk” describes the actual risk situation, considering all controls that are already implemented and effective. While it is similar to residual risk, the term “current” is more tangible for practical use. It doesn’t imply that nothing more will be done, as “residual risk” might suggest. Instead, it reflects the status quo of the risk situation. Based on the current risk, further measures can be developed to reduce it. If the operational risk is still well above the organization’s risk appetite, additional measures and controls can be implemented.

This focus on reality has decisive advantages:

  • Understandable: Everyone involved can contribute based on existing processes and systems.
  • Highly Relevant: The approach answers the central question for management: “Is our protection sufficient, or do we need to establish new measures or update existing ones?”
  • Highly Efficient: This method prevents time-consuming debates about scenarios that will never happen.

From “As-Is” to “To-Be”: Measures with Measurable Benefits

Based on the current risk, the path forward becomes clear. If the risk is still too high, we define additional measures. The result after their successful implementation is our planned risk or target risk.

This approach makes the value of measures directly visible. The reduction from current to planned risk is the concrete benefit of your investment. Modern GRC software supports this process: a control tested as effective can automatically trigger a re-assessment of the risk, without having to restart the entire assessment process every time.

And What About the Auditor? A Smart Way to Handle Inherent Risk

Of course, the requirements of auditors and certain standards remain. But here, too, there is a practical way forward. Instead of simulating a world without any controls, focus on what’s essential. One approach, supported by organizations like the FAIR Institute, is to consider the risk in the event of key control failure.

  1. Start with the current risk.
  2. Identify the crown jewels of your defense: Which 3-5 controls are absolutely critical for risk mitigation (e.g., firewall, backup, central authentication)?
  3. Simulate only their failure: How high would the risk be if exactly these critical measures failed?

The result is a realistic and defensible assessment of your inherent risk. You not only meet compliance requirements but also facilitate a valuable discussion that feeds directly into your business continuity and resilience management. You know where it really hurts when things go wrong.
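As an added example (not from the original article), the three-step key-control-failure method above and the current-to-planned risk path from the previous section, written as a small risk-register model. It assumes a simple likelihood × impact (annualised loss) model in which each control records how much worse likelihood or impact would be if it failed; all figures and control names are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Control:
    name: str
    likelihood_uplift: float = 1.0  # factor applied to likelihood if this control fails
    impact_uplift: float = 1.0      # factor applied to impact if this control fails
    key: bool = False               # one of the 3-5 "crown jewels" (step 2)
    effective: bool = True          # latest control test result from the GRC tool

@dataclass
class Risk:
    name: str
    likelihood: float               # assessed annual probability with all controls working (step 1)
    impact: float                   # assessed loss per occurrence (EUR), same basis
    controls: list = field(default_factory=list)

    def exposure(self, failed=()):
        """Annualised loss expectancy when the named (or test-failed) controls do not work."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.name in failed or not c.effective:
                lik *= c.likelihood_uplift
                imp *= c.impact_uplift
        return lik * imp
    def current_risk(self):
        return self.exposure()
    def key_control_failure_risk(self):
        """Step 3: simulate the failure of only the key controls (the inherent-risk proxy)."""
        return self.exposure(failed={c.name for c in self.controls if c.key})
    def planned_risk(self, measures):
        """Target risk after planned measures, each given as (likelihood factor, impact factor)."""
        return self.current_risk() * prod(lf * imf for lf, imf in measures)
    def record_test(self, name, effective):
        """A control test result re-assesses the risk instead of restarting the whole cycle."""
        for c in self.controls:
            if c.name == name:
                c.effective = effective
        return self.current_risk()

RISK_APPETITE = 150_000  # constructed figure (EUR per year)
# Constructed sample register entry; figures are illustrative only.
RANSOMWARE = Risk("Ransomware on file servers", likelihood=0.05, impact=2_000_000, controls=[
    Control("Perimeter firewall", likelihood_uplift=2.0, key=True),
    Control("Offline backups", impact_uplift=4.0, key=True),
    Control("Central authentication with MFA", likelihood_uplift=3.0, key=True),
    Control("Awareness training", likelihood_uplift=1.2),
])

def within_appetite(risk):
    return risk.current_risk() <= RISK_APPETITE
```

With the constructed figures the current risk is 100,000 EUR per year, the key-control-failure risk is 2,400,000, and a failed backup test alone pushes the re-assessed current risk to 400,000, above the appetite.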

Alternatively, inherent risk can be considered a one-time task, separate from the regular risk process. With experience and a clever approach, you can design a method that will also satisfy your auditor.

Conclusion: Risk Management Must Serve a Practical Purpose

A pragmatic approach that starts with current risk ensures greater acceptance from specialized departments and positions the risk manager as a consultant to the organization. This way, risk management becomes integrated into strategic corporate governance, rather than being seen as a hindrance.

Help your management focus on the topics, risks, opportunities, and measures that truly move the company forward. Ivory-tower debates that are detached from reality certainly don’t help anyone.

I can help you make your risk management practical and find a good approach for you and your stakeholders. I am also happy to assist with the selection of suitable GRC software and the technological implementation of your processes.
