After identifying the compliance risks and identifying and evaluating the organization's controls, it is necessary to move on to the next phases of the risk management process, that is, to the analysis and evaluation of those risks.
The main objective of risk management is to have information that allows us to make decisions regarding the treatment of risks, that is, deciding in each case whether to act or not, what type of action we should carry out, with what urgency or priority we should act, etc.
To do this, we must estimate, for each risk scenario, what the inherent risk is and what the residual risk is.
Now, what is inherent risk? The inherent risk (or gross risk) is the risk that is given by the nature of the organization's activity, that is, the intrinsic risk of the different activities and business areas, without taking into account the control mechanisms that exist.
The inherent risk is obtained from the result of considering the impact and probability associated with the risk of compliance:
- The impact refers to the consequences (economic, financial, patrimonial, reputational, etc.) that would occur if the risk event were to materialize.
- The probability is the theoretical expectation that the risk will materialize, without considering the mitigating measures existing in the organization and taking into account exclusively its characteristics and context, for example: the economic sector in which it operates, the activities it carries out, the geographical areas in which it carries out its activities, its size and other characteristics.
Given the inherent risk, we then ask ourselves: what is residual risk? The residual risk (or net risk) can be defined as the risk that the organization assumes or accepts after implementing and executing the relevant control mechanisms and prevention measures. It could be stated that the residual risk is the extent of the risk remaining after considering the mitigating effect that the control environment exerts on the organization's compliance risks. The residual risk is therefore measured by combining the inherent risk with the effectiveness of the control mechanisms assigned to each risk scenario.
Obtaining the residual risk is an important consideration, since this risk is used, among other things, to determine whether the existing controls in the organization are sufficiently robust and effective, and whether they are proportionate to the level of inherent risk. Furthermore, residual risk is the risk that the organization assumes and, therefore, must necessarily be known and accepted by its administrative and management bodies.