What is inherent risk? And what is the difference between inherent risk and residual risk?
Inherent risk is the risk that exists in an environment, system, or product before any risk management effort is performed. In other words, it is the risk present before any safeguards, security controls or countermeasures are applied. Residual risk, on the other hand, is the level of risk that remains after security controls have been deployed.
Risk is the intersection of vulnerabilities, threats and assets. Therefore, all risk management efforts should focus on minimizing vulnerabilities and handling threat vectors so that risk is reduced to, and kept at, an acceptable level. Moreover, both inherent and residual risk should be evaluated continually to check whether they remain within the organization's risk tolerance. Even after security controls are deployed, residual risk can grow into an imminent risk, so it always needs a watchful eye to confirm it stays within the acceptable risk level.
Senior management decides the acceptable level of risk and should be kept updated on the progress of each risk mitigation strategy. Organizations should maintain a detailed risk profile or risk register, and risk assessment activities should be conducted periodically against that profile to determine the current status of each risk.