Inherent Risk Vs Residual Risk

Gavin Smith   27 July, 2022

We all experience risk in our daily lives. As we interact with different levels of risk, we choose how much risk we can tolerate. Should we cross the road when the pedestrian light is red or not? Should we drive to work when the petrol tank is nearing empty or go to the petrol station? Sometimes we make decisions to remediate the risk and other times we accept it.

Similarly, businesses identify their inherent risk, put the appropriate precautions in place, and then assess the residual risk that remains once those precautions are working. Because the threat landscape keeps changing, businesses need to monitor their residual risk continuously rather than treating the assessment as a one-off exercise.

Inherent risk vs residual risk

In risk management, analysts deal with inherent and residual risk. Inherent risk is the level of risk a company faces before any protection or mitigation is in place. Analysts evaluate a company's inherent risk by assigning it a score that measures that amount of risk. For example, in the early stages of a start-up, before any security controls have been put in place, employees may be targeted by phishing emails crafted from the staff list on the company's newly created LinkedIn profile.

Once a company has identified its inherent risk and put the proper measures in place to improve its security, it can be evaluated again and receive a new risk score. This new score is the residual risk score: it is measured after the precautions are in place and identifies the risk that remains. In the start-up example, the residual risk is what is left after the team has been through a phishing-response training course and an employee is still caught by a well-worded email; training lowers the likelihood of a successful phish but does not eliminate it.


In cyber security, it is important for companies to keep checking residual risk after the initial assessment. ISO/IEC 27001 requires an organisation to determine the residual risk that remains after treatment, to have the risk owners formally accept it, and to repeat the risk assessment at planned intervals. To mitigate risk and protect their assets, companies working to ISO/IEC 27001 therefore need to review both inherent risk and residual risk continually, not once.

Companies that need to comply with ISO/IEC 27001 use cyber security analysts to produce an assessed risk: the analyst's more detailed explanation of a company's risk, beyond the raw score. These analysts display an average assessed risk score for an entire portfolio of programmes on an overview dashboard, and use this information to compare inherent risk with residual risk and decide which risks to prioritise.

Managing residual risk

After working through the security checks, from inherent risk to residual risk, companies may still be left with a low level of risk. Just as we accept a low level of risk in daily life, the company can choose to accept it, and that acceptance should be recorded by the risk owner. If the residual risk is still high, the company has to treat it further and reassess once the security team has found new ways to mitigate it. This becomes a regular security check, so that companies can monitor and improve their residual risk and close gaps in the company's security.
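The scoring, portfolio averaging, prioritisation and accept-or-reassess steps described above, worked through in a small Python risk register. This is an added example, not code from the article or from C2 Cyber's platform; it assumes a 1-5 likelihood by 1-5 impact scoring model, treats each control's effectiveness as the fraction of the risk it removes, uses an assumed risk appetite (`ACCEPT_THRESHOLD`) of 5.0, and the register entries are constructed to match the start-up scenario, not real client data.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigation and the fraction of the risk it removes (assumed 0.0-1.0 scale)."""
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")


@dataclass
class Risk:
    """One register entry scored on an assumed 1-5 likelihood x 1-5 impact scale."""
    name: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value, label in ((self.likelihood, "likelihood"), (self.impact, "impact")):
            if value not in range(1, 6):
                raise ValueError(f"{self.name}: {label} must be 1-5")

    def inherent_score(self) -> int:
        # Inherent risk: scored with no controls considered at all.
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Each control removes its share of whatever the previous controls left,
        # so two 50% controls leave 25%, not 0%. Residual only reaches zero if a
        # control is rated 100% effective, which is why a well-worded phish can
        # still land after training.
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent_score() * remaining, 2)


ACCEPT_THRESHOLD = 5.0  # assumed risk appetite: residual at or below this is accepted


def decision(risk: Risk, threshold: float = ACCEPT_THRESHOLD) -> str:
    """Accept low residual risk; anything above appetite goes back for more treatment."""
    return "accept" if risk.residual_score() <= threshold else "treat and reassess"


def portfolio_average(risks: list[Risk], residual: bool = True) -> float:
    """The single average score an overview dashboard shows for a whole portfolio."""
    scores = [r.residual_score() if residual else r.inherent_score() for r in risks]
    return round(sum(scores) / len(scores), 2)


def prioritise(risks: list[Risk]) -> list[str]:
    """Highest residual first; inherent score breaks ties so the riskier item surfaces."""
    ordered = sorted(risks, key=lambda r: (-r.residual_score(), -r.inherent_score()))
    return [r.name for r in ordered]


# Constructed sample register for the start-up in the article (not real client data).
REGISTER = [
    Risk("Phishing via public LinkedIn profile", likelihood=5, impact=4, controls=[
        Control("Phishing-response training", 0.5),
        Control("MFA on email and SSO", 0.6),
    ]),
    Risk("Unpatched internet-facing server", likelihood=4, impact=5, controls=[
        Control("30-day patch SLA", 0.5),
    ]),
    Risk("Lost or stolen laptop", likelihood=3, impact=3, controls=[
        Control("Full-disk encryption", 0.9),
    ]),
]


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: inherent={risk.inherent_score()} "
              f"residual={risk.residual_score()} -> {decision(risk)}")
    print("Portfolio average inherent:", portfolio_average(REGISTER, residual=False))
    print("Portfolio average residual:", portfolio_average(REGISTER))
    print("Priority order:", prioritise(REGISTER))
```

The two phishing controls take an inherent score of 20 down to a residual of 4.0, which sits under the assumed appetite and is accepted; the server risk also starts at 20 but a single control only halves it, so it is the item that goes back for further treatment and reassessment. Re-running the register after each review cycle is the regular check the section describes.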

How C2 can help

C2 Cyber’s new platform has been designed to help clients monitor the dynamic environment of risks facing their company. Our team is prepared to empower organisations to survive and thrive through the provision of best-in-class risk intelligence.