The criticality of residual risk
by: Jason Moses
Residual risk should be the main consideration in the ERM (enterprise risk management) process within your organization. Residual risk refers to the level of risk exposure that institutions still face after controls have been implemented to mitigate the risks associated with a business process. As Jason Toledano, a notable industry expert, asserts: “ERM is really about managing residual risk—that is, things that could happen. That’s what senior management needs to know.”
For example, let’s take a risk posed to the institution within a key business process. The business process is Funds Transfer Operations and the risk posed to the organization is the intrusion of web-based funds transfer systems. Our Inherent Risk has been rated as high for this particular risk.
The next step is to implement controls to mitigate this risk to a level acceptable to the institution. Let’s say we have two controls in place to mitigate this risk. Control 1: intrusion detection systems are in place for the web-based funds transfer systems, and Control 2: a comprehensive review and reporting system is in place for intrusion attempts against the web-based funds transfer systems. After the control assessment has taken place, the Residual Risk rating is derived. In our sample scenario, the Residual Risk is still high, not far below the high Inherent Risk rating. This indicates that one or both of the controls currently in place are ineffective at this time.
Now that we have our Residual Risk rating, important decisions need to be made. Scenario 1: if the level of risk is below the institution’s acceptable level of risk, then it may be prudent to accept the risk. Scenario 2: if the level of risk is above the institution’s acceptable level of risk, then strengthening the existing controls, possibly adding new ones, may be the wise option. And finally, Scenario 3: if the level of risk is above the institution’s acceptable level of risk, but the cost of mitigating the risk exceeds the impact of the risk, then the advisable decision may be to accept it.
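The funds-transfer scenario above, carried through numerically as an added example (not from the original post). The 5x5 likelihood/impact scale, the rating bands, the control effectiveness values and the risk-appetite threshold are all constructed assumptions; the post only gives the ratings as words.

```python
from dataclasses import dataclass, field

# Assumed scoring model (constructed): score = likelihood (1-5) x impact (1-5).
# Bands: <= 6 Low, <= 14 Medium, otherwise High.


@dataclass
class Control:
    name: str
    effectiveness: float  # assessed share of likelihood removed, 0.0 (none) to 1.0 (all)


@dataclass
class Risk:
    process: str
    description: str
    likelihood: int  # 1..5 before any control is applied
    impact: int      # 1..5; detective controls do not change it in this model
    controls: list = field(default_factory=list)

    def inherent_score(self) -> float:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Each control independently removes its assessed share of the remaining likelihood.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return self.likelihood * remaining * self.impact


def rating(score: float) -> str:
    return "Low" if score <= 6 else "Medium" if score <= 14 else "High"


def weak_controls(risk: Risk, threshold: float = 0.3) -> list:
    # A residual rating close to the inherent one points at controls like these.
    return [c.name for c in risk.controls if c.effectiveness < threshold]


def decide(residual: float, appetite: float, mitigation_cost: float, loss_if_realised: float) -> str:
    if residual <= appetite:
        return "Scenario 1: accept, within the institution's risk appetite"
    if mitigation_cost > loss_if_realised:
        return "Scenario 3: accept, mitigating costs more than the impact"
    return "Scenario 2: strengthen existing controls and consider new ones"


def funds_transfer_example() -> Risk:
    # Both controls exist but were assessed as weak (constructed values), so the
    # residual rating stays High, as in the article's scenario.
    return Risk("Funds Transfer Operations", "intrusion of web-based funds transfer systems",
                likelihood=5, impact=5,
                controls=[Control("Intrusion detection system", 0.1),
                          Control("Intrusion attempt review and reporting", 0.1)])
```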