Inherent Risk - Are we perpetuating nonsense?
In his satirical piece ‘The Devil’s Dictionary’ Ambrose Bierce (1842 to c. 1914) summarised the noun ‘Lawyer’ as “one skilled in circumvention of the law”. This made me wonder whether Bierce would have summed up a risk professional as “one skilled in perpetuating nonsense.” Would that be fair? Are we perpetuators of nonsense? Decide for yourself after reading and considering the way in which the concept of inherent risk is used by the risk management profession.
Gibson[1] points out that “there is a strange and controversial concept, ‘inherent risk,’ used in some risk assessments to demonstrate a highly subjective level of risk in the absence of controls”[2]. He points out that the concept of ‘inherent risk’ is not a modern idea: it first arose more than a century ago and has, in some disciplines such as auditing and risk management, taken on a meaning quite different from its original use. Today many reputable thought leaders on the subject of risk and risk management have debunked the ‘inherent risk’ concept as “confected nonsense”[3].
In his paper Gibson sets out the history of ‘inherent risk,’ how it is being misused, and why the use of ‘inherent risk’ assessment by risk professionals may be doing more harm than good. In considering Gibson’s critique of the ‘inherent risk’ concept it is important to note that his critique is limited to its application within the ‘risk management profession.’
Gibson is not alone in holding the view that the discipline of risk management continues to develop “more as a craft than as a scientific or evidence-based approach to understanding uncertainty”[4]. He backs this up by stating that in the 1970s and 1980s, wherever the practice of risk management was present in organisations, it “was scientifically and mathematically based, with foundations in safety science, actuarial science, probability theory, and statistical analysis”[5].
Gibson asserts that the practice of risk management today is “replete with confusion, contradiction, and confection”[6] where we see new terms invented to ‘sell’ a composite of old ideas (often with no scientific basis or other evidence for its use), common everyday terms being ‘captured’ and used for ideas often at odds with their original meaning, the same terms being applied to mean very different things, as well as different concepts being promoted that conflict with each other.
He proffers that many senior decision-makers fail to capitalise on the value that effective risk management can bring to individuals, organisations, and society. He continues that “there is little robust evidence about the extent and depth of skills and expertise across the range of different risk professionals found in contemporary organisations” and compares them to those in funds management, insurance, and actuarial professions where risk professionals have to possess a proven body of knowledge. He says that “anecdotally it appears that many in the ‘risk management profession’ have surprisingly limited knowledge and skills in risk-related disciplines, beyond following one of the standardised methodologies such as ISO 31000 or COSO.”[7]
A further hard-hitting point made by Gibson is that the persistent incorrect use of the concept of ‘inherent risk’ is due to the high levels of ‘risk illiteracy’ amongst ‘risk professionals’ and senior decision-makers and that the misuse of ‘inherent risk’ will continue until the illiteracy issues are resolved.
Eina!
Risk professionals who use and promote the incorrect application of the concept of inherent risk should recognise that there is compelling evidence driving the need for change and embrace the opportunity to desist from perpetuating this incorrect application.
We should acknowledge that “the risk management domain has become filled with confected terms and concepts”[8] and is fuelled “globally by the significant variability across available training courses, some of which continue to teach ideas that should have retired years ago.”[9]
Direct evidence to this point is COSO describing inherent risk as “the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact”[10]. This is simply wrong!
Gibson points to other misunderstood, misused, and misapplied ideas circulating within the risk profession, such as ‘risk appetite,’ ‘risk culture,’ and ‘risk matrices,’ but the focus of the paper on which this discussion is based is limited to ‘inherent risk.’
Gibson states that the incorrect use and application of the concept of ‘inherent risk’ continues to rear its head in some risk assessment methodologies, where practitioners are encouraged to first conduct an analysis by imagining what the consequence and the likelihood values would be in the absence of any controls and then following this up with a second phase where the analysis considers the effects of controls on these initial values. It appears that the purpose for looking at ‘inherent risk’ in this way is to provide a quick assessment from which risks can be prioritised for a subsequent more detailed analysis.
I would add that another motive is an attempt to use the reduction in the numeric value from ‘inherent’ to ‘residual’ risk to demonstrate the value of risk management and allow executives to give themselves an undeserved pat on the back for the reduction in the level of risk. Such misuse of a risk assessment process is disingenuous and only the misinformed fall for it.
For too long the contemporary risk profession, of which I am part, blindly accepted and taught that inherent risk is the product of multiplying likelihood by consequence in an equation that looks like this: Likelihood x Consequence = Inherent Risk.
We now know better and should therefore stop perpetuating nonsense. If you are amongst those who still adhere to this practice in your risk assessment process now is the time to stop. We simply need to grow and do better as a profession.
So, what should we do with the concept of ‘inherent risk’ and what can replace it?
We should return to first principles and accept that although inherent risk is a common everyday term it has been captured and used to present an idea and promote a concept at odds with its original meaning.
The word inherent is an adjective conveying that it exists in something as a permanent and inseparable element, quality, or attribute. Amongst its synonyms are intrinsic, innate, ineradicable, ineffaceable, natural, and inexpungible. Each of these words confirms the view that inherent risk cannot be eliminated.
Inherent risk is a specific concept which should only be used when you are dealing with “the intrinsic, permanent, and inseparable risk associated with the nature of a product or service, a living thing, an activity, a process, a location or a particular situation or behaviour”[11] (Dali, 2023).
Inherent risk is therefore present in the nature of products (dynamite, LPG), living things (wild animals, venomous snakes), activities (skydiving, snake handling), processes (nuclear fission), a location (a war zone), a particular situation (free climbing a sheer rock), or certain industries (oil and gas, chemicals).
The concept of inherent risk must not be confused or equated with the concept of gross risk. Gross risk is a separate and distinct concept. Gross risk can be eliminated, prevented, or reduced through a variety of risk treatments, whereas inherent risk cannot be eliminated at all. By way of example, the risk inherent in manufacturing, storing, transporting, and utilising dynamite cannot be eliminated. Consider that the intrinsic attribute of dynamite exploding, releasing a high level of energy following an extremely fast chemical reaction, cannot be eliminated, although where and when the explosion takes place can be controlled through the safe storage, transport, handling, and utilisation of the product.
ISO 31000 has no definition of inherent risk because ISO/TC 262 has not been able to reach consensus amongst its experts on one for inclusion in the standard. However, not having an ISO definition does not make it correct to conflate the concept of ‘inherent risk’ with the concept of ‘level of risk’, which ISO defines as the “magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood”[12].
When considering the ‘level of risk’ three perspectives are available to risk practitioners:
- Gross Risk is the level of risk before new treatment and assumes the failure of the main controls.
- Net Risk is the level of risk before new treatment and assumes that the existing controls are working efficiently and effectively.
- Residual Risk is the level of risk after new treatment and considers that the existing and the new controls are working efficiently and effectively.
So, what are risk professionals to do in light of there being no accepted definition of ‘inherent risk’ and a lot of confusion and poor practices?
I propose the following:
- Abandon the use of the term ‘inherent risk’ in your risk assessment unless there is some scientific validity that what you are assessing actually carries risk that is inherent due to the nature, activities, location, situation, or process concerned.
- Refer to the baseline screening level of risk with all controls removed as ‘gross risk.’
- Change your risk assessment equation to read Likelihood x Consequence = Level of Risk.
Let us work together to end the illogical and nonsensical use of the concept of inherent risk before it becomes immortalised in our profession.
References:
- Gibson, Carl A. (Dr), The nonsense of inherent risk, Executive Impact, July 2023.
- Dali, A., The confusing concept of inherent risk, G31000, Geneva, 2023.
Written by:
Walter Ehrlich CRM Prof.
Director: Retlaw Fox Associates (Pty) Ltd
Technical Lead: IRMSA Risk Intelligence Committee
[1] Gibson, Carl A. (Dr), The nonsense of inherent risk, Executive Impact, July 2023.
[2] Gibson, pg. 4
[3] Gibson, pg. 4
[4] Gibson, pg. 4
[5] Gibson, pg. 4
[6] Gibson, pg. 4
[7] Gibson, pg. 5
[8] Gibson, pg. 6
[9] Gibson, pg. 6
[10] COSO, 2017
[11] Dali, A., The confusing concept of inherent risk, pg. 5
[12] ISO Guide 73:2009 Risk Management Vocabulary.