Understanding Residual Risk in Essential ERM

Residual risk scores are calculated based on inherent risk, control effectiveness, or direct user override.

Written by Nigel Groen
Updated over 3 weeks ago

Three Methods to Set Residual Risk

Essential ERM supports three ways to determine residual risk scores. Each method overrides the one above it:

1. Inherited from Inherent Risk

  • Users select Likelihood and Impact before considering controls

  • These are multiplied to calculate the Inherent Risk score

  • If no control effectiveness is selected, the system assumes there are no controls

  • In this case, Residual Risk = Inherent Risk

2. Using Control Effectiveness

  • Selecting a Control Effectiveness level will adjust:

    • Inherent Likelihood → Residual Likelihood

    • Inherent Impact → Residual Impact

  • Residual Risk = adjusted likelihood × adjusted impact

  • Adjustment levels are predefined but customizable by Admins in Configure Residual Risk

3. Override Residual Risk Directly

  • Click the “override” link under the residual risk score

  • Manually set Residual Likelihood and Residual Impact

  • These values will override the Control Effectiveness adjustments

  • Click “reset” to cancel the override and return to system-calculated values

Precedence of Methods

  1. Override (highest priority)

  2. Control Effectiveness

  3. Inherent Risk (default fallback)

Only one method is applied at a time, based on what the user has selected or configured.

Configuring for Direct Residual Risk Entry

If your organization uses only residual risk (and skips inherent risk), there are two ways to configure the system:

Option 1: Use Override Only

  • Leave Likelihood and Impact blank

  • Use the Override function to set residual values manually

  • Note: This will leave blank columns in the Enterprise Risk Console

Option 2: Set Adjustments to Zero in Admin

  • Go to Configure Residual Risk

  • Set all adjustments to 0

  • Users use dropdowns to set Residual Likelihood and Impact

  • Control Effectiveness becomes informational only

  • Inherent Risk will still appear but will equal Residual Risk (can be ignored in reports)

Most system reports display only residual risk, so the presence of duplicate inherent values will not affect reporting clarity.
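The three-method precedence described above, together with the zero-adjustment configuration from Option 2, modelled as an added Python example (this is not Essential ERM's own code). The adjustment table values, the 1–5 scale and the floor of 1 on adjusted scores are constructed assumptions, since the page does not give the predefined adjustment levels.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed adjustment table (assumption): control effectiveness ->
# (reduction in likelihood, reduction in impact). Real values are whatever
# an Admin sets under Configure Residual Risk.
DEFAULT_ADJUSTMENTS = {
    "Weak": (1, 0),
    "Moderate": (2, 1),
    "Strong": (3, 2),
}

# Option 2 from the article: every adjustment set to 0, so Control
# Effectiveness becomes informational and Residual equals Inherent.
ZERO_ADJUSTMENTS = {level: (0, 0) for level in DEFAULT_ADJUSTMENTS}


@dataclass
class RiskEntry:
    likelihood: Optional[int]            # inherent likelihood (1-5) or None if unscored
    impact: Optional[int]                # inherent impact (1-5) or None if unscored
    control_effectiveness: Optional[str] = None
    override_likelihood: Optional[int] = None
    override_impact: Optional[int] = None


def inherent_risk(entry: RiskEntry) -> Optional[int]:
    """Inherent Risk = Likelihood x Impact, or None when either is blank."""
    if entry.likelihood is None or entry.impact is None:
        return None
    return entry.likelihood * entry.impact


def residual_risk(entry: RiskEntry, adjustments=DEFAULT_ADJUSTMENTS):
    """Return (residual likelihood, residual impact, residual score, method used)."""
    # Method 3: a direct override has the highest priority.
    if entry.override_likelihood is not None and entry.override_impact is not None:
        lik, imp = entry.override_likelihood, entry.override_impact
        return lik, imp, lik * imp, "override"
    # Option 1 from the article: Likelihood/Impact left blank and no override.
    if entry.likelihood is None or entry.impact is None:
        return None, None, None, "unscored"
    # Method 2: control effectiveness adjusts likelihood and impact.
    if entry.control_effectiveness in adjustments:
        d_lik, d_imp = adjustments[entry.control_effectiveness]
        lik = max(1, entry.likelihood - d_lik)   # floor at 1 is an assumption
        imp = max(1, entry.impact - d_imp)
        return lik, imp, lik * imp, "control_effectiveness"
    # Method 1: nothing selected, so the system assumes no controls.
    return entry.likelihood, entry.impact, entry.likelihood * entry.impact, "inherent"
```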

Applies to: Admin Users, Standard Users

Keywords: residual risk, inherent risk, override, control effectiveness, risk scoring, configure residual risk, COSO, ISO 31000