First off, what is "inherent"? What does the word mean? Webster's defines it as something that is "stuck in" something else so firmly that the two cannot be separated. More commonly it is defined as "belonging to the basic nature of someone or something". So what about inherent risk? If we think of risk as a statement about the future (can risk exist in the past?), inherent risk is the future state of something that follows from its basic makeup. And how do we determine the future? We look at the past.
Take the example of a car. What is the inherent risk of a car? To be honest, I am not quite sure. The basic nature of a car is movement using a power source, so the inherent risk is that the car cannot be moved by its power source. As we add components we move away from inherent risk and are on the road to residual risk.
You are probably sitting there saying, John, why are you starting there? The inherent risk of a car starts with what we have in front of us: engine, four wheels, battery, electronics, etc. It is the inherent risk of this developed product that we are dealing with. Except now it becomes difficult to separate inherent risk from residual risk ("remaining after a process has been completed or something has been altered"), because the car as built is already engineered to alter its own risk. Tires, for example, are engineered to reduce hydroplaning. What good is it to spend time on the inherent risk of the tire when it is the current state that matters most?
Okay, so that is a physical example. What about IT? Where do we start? IT versus no IT? What is the inherent risk of the "Cloud"? I can identify (I think) the current risks, but how do I go about identifying the inherent risk? What is the risk of the "Cloud" with no controls in place?
What about audit? Audit defines inherent risk as "an error or omission on a financial statement due to a factor other than a failure of control(s)". Is this inherent risk or is this strategic risk? Take something subjective that I am familiar with: the reserve for loan losses. There is tremendous subjectivity in determining the reserve amount, despite all of the math surrounding it. What is the inherent risk? Material misstatement (over or under)? Doesn't that come about because of all of the assumptions, processes and controls that are already in place?
I know, I know. Lots of question marks.
It seems to me that what we are really looking at is complexity, uncertainty and materiality. Complexity relates to design. Uncertainty relates to data and history. Materiality relates to impact (financial, physical, reputational, etc.). As I have looked at failures over the last several years, I have found that underestimating these three was a significant cause of the failures. We have disaster plans. We have audited financial statements. We have strategies. And sometimes, in spite of ourselves, we succeed. Think of when McFly punches Biff in Back to the Future.
Management of risk requires us to define things and to measure things. We have to be able to compare in order to establish the relative risk of something. A "High" risk rating means nothing if we haven't defined the other ratings it is measured against, so that we can focus on what's important.