Understanding Residual Risk
Written by Daniel Mohammed
Updated over a week ago

There are three different ways that residual risk scores are set in the system:

1. Inherited from Inherent Risk - Users usually begin the risk assessment process in the Risk Details screen by selecting a value for the risk’s Likelihood and Impact (the values before the effect of controls is considered). The system multiplies these two values together to generate the Inherent Risk score displayed on the screen. If no assessment of control effectiveness is made, the system assumes that no controls are in place, and the residual likelihood and impact are deemed to be the same as the inherent values. The residual risk score calculated in this case is therefore identical to the inherent risk score.

2. Using Control Effectiveness - when a Control Effectiveness value is selected in the Risk Details screen, it adjusts (i.e. lowers) the Inherent Likelihood and Inherent Impact values to produce Residual Likelihood and Residual Impact values. These values are displayed on the Risk Details screen under the Control Effectiveness selection and are multiplied together to generate the Residual Risk score. The adjustment applied for each of the five Control Effectiveness selections is pre-defined, but your System Administrators can reconfigure these adjustments through the “Configure Residual Risk” setup screen. This method gives Users a fast and easy way to set residual risk scores based on their assessment of control effectiveness.

3. Setting Residual Risk Directly Through Override - a User can click the “override” link under the residual risk score to directly set the Residual Impact and Residual Likelihood values. When this has been done, these values will be used to calculate the residual risk score directly and will override the value calculated through the Control Effectiveness selection described above. The override can be cancelled by selecting the “reset” link at the bottom of the residual risk section.

Note that these methods take precedence in the order described above, meaning that setting Control Effectiveness will take precedence over simple inheritance and Override will take precedence over setting through Control Effectiveness.

Separating inherent and residual risk is a best practice for most COSO and ISO 31000 based risk programs. However, if your organization sets residual risk directly and does not evaluate inherent risk, there are two easy ways to do this in the system:

1. Leave “Likelihood” and “Impact” values blank in the Risk Details screen and set the residual values directly through the override function described above in #3. This will work fine, but will result in blank columns in the Enterprise Risk Console screen.

2. In the “Configure Residual Risk” admin screen, set all the adjustments to 0. Your Users can then use the Likelihood and Impact drop downs in the Risk Details screen to set the residual risk values. Users can also select a Control Effectiveness value for informational purposes, since with all adjustments set to 0 that selection no longer affects the risk scores. Residual risk scores are automatically inherited and calculated as described in method #1 of the first list above. Some Users find this approach easier than method #1 of this list, and it makes better use of the information displays on the Risk Details and Enterprise Risk Console screens. The only caveat is that Users need to understand that the inherent risk values still displayed are to be ignored, as they are equivalent to the residual risk values. Most reports display only residual risk, so this will not be an issue for report consumers.
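To make the precedence rules concrete (override over Control Effectiveness over inheritance) and to show why setting every adjustment to 0 collapses residual risk onto the inherent values, here is an added, illustrative model of the calculation. It is not the product's own code; the five level names, the amounts in the adjustment table, the subtract-and-floor-at-1 arithmetic and the 1..5 scale are all assumptions, since the article names none of them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed adjustment table. The article says there are five Control
# Effectiveness selections with pre-defined adjustments that an administrator
# can change in "Configure Residual Risk"; the names and amounts here are assumed.
DEFAULT_ADJUSTMENTS: Dict[str, int] = {
    "Ineffective": 0,
    "Partially Effective": 1,
    "Largely Effective": 2,
    "Effective": 3,
    "Highly Effective": 4,
}

# Equivalent of the admin setting every adjustment to 0 (method #2 of the second list).
ZERO_ADJUSTMENTS: Dict[str, int] = {level: 0 for level in DEFAULT_ADJUSTMENTS}


@dataclass
class RiskDetails:
    """What a User can enter on the Risk Details screen (1..5 scale assumed)."""
    likelihood: Optional[int] = None            # inherent likelihood
    impact: Optional[int] = None                # inherent impact
    control_effectiveness: Optional[str] = None
    override_likelihood: Optional[int] = None   # set via the "override" link
    override_impact: Optional[int] = None       # "reset" clears both to None


def inherent_risk(risk: RiskDetails) -> Optional[int]:
    if risk.likelihood is None or risk.impact is None:
        return None
    return risk.likelihood * risk.impact


def residual_values(risk: RiskDetails, adjustments: Dict[str, int] = DEFAULT_ADJUSTMENTS
                    ) -> Tuple[Optional[int], Optional[int], str]:
    """Return (residual likelihood, residual impact, method) honouring the precedence order."""
    # Method 3: an override wins over everything, even when inherent values are blank.
    if risk.override_likelihood is not None and risk.override_impact is not None:
        return risk.override_likelihood, risk.override_impact, "override"
    if risk.likelihood is None or risk.impact is None:
        return None, None, "blank"
    # Method 2: lower each inherent value by the configured adjustment (floor of 1 assumed).
    if risk.control_effectiveness is not None:
        adj = adjustments[risk.control_effectiveness]
        return max(1, risk.likelihood - adj), max(1, risk.impact - adj), "control_effectiveness"
    # Method 1: no assessment, so residual simply inherits the inherent values.
    return risk.likelihood, risk.impact, "inherited"


def residual_risk(risk: RiskDetails, adjustments: Dict[str, int] = DEFAULT_ADJUSTMENTS
                  ) -> Tuple[Optional[int], str]:
    rl, ri, method = residual_values(risk, adjustments)
    return (None if rl is None else rl * ri), method
```

With `ZERO_ADJUSTMENTS`, a risk with Likelihood 4, Impact 5 and any Control Effectiveness selection yields a residual score of 20, the same as its inherent score, which is the behaviour the second approach relies on.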
