Inherent risk

Category: Risk management frameworks · Reviewed by Amy Price, Account Executive · Last reviewed

Inherent risk

Inherent risk is the level of risk that exists in the absence of any controls or mitigation. It is the “gross” position — what could happen if the business activity were carried out as designed with no risk treatment in place.

Why measure inherent risk at all?

Some practitioners argue inherent risk is hypothetical and a distraction. The counter-argument — and the dominant practice in insurer ERM — is that measuring inherent risk:

• Shows the value added by controls (inherent ↔ residual gap).
• Reveals control dependency. A residually-low risk that is only low because of a single control is fragile; the inherent rating exposes that.
• Supports new-product reviews. Before controls exist, inherent risk is all you have.

Practical scoring

Inherent risk is typically scored on the same likelihood × impact grid as residual risk. To avoid theoretical absurdities (e.g. “what if we paid no claims at all?”), most practitioners score inherent risk as if normal commercial operations continued but discretionary risk-mitigation controls were absent.

References

• COSO (2017) ERM Framework.
• IIA (2020). Three Lines Model.
• ISO 31000:2018.

Cross-references

• Residual risk
• Risk treatment
• Risk register

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.