Riskd – Risk Management Blog

Enterprise & Personal – what have you riskd ?

Inherent vs Residual Risks


Risk that already exists before you address it is called inherent risk; i.e., the risk to your company in the absence of any actions you might take to alter either the likelihood or impact. Every company in every industry faces inherent risk; of course, not every company manages it effectively or efficiently. Some examples of this are:

  • Lack of management competence. Management competence refers to the competence of directors and other senior management personnel. It includes matters such as their:
    • industry experience,
    • knowledge of the entity’s business,
    • commercial skills,
    • common sense,
    • knowledge of good corporate governance, and
    • communication and judgement ability.

Auditors can assess management competence by speaking to directors individually, as well as by considering such factors as the number of years' experience each director has in the industry, the number of years' experience with the entity, and the extent of changes to management during the past several years.

  • Another example is the extent of significant and prolonged understaffing of the accounting department. Such understaffing could be indicative of management’s lack of interest in quality reporting, or even a positive interest in poor quality reporting.

Residual risk is also known as your “vulnerability” or “exposure”; i.e., the risk that remains after you have attempted to mitigate the inherent risk. Companies can only understand residual risk if they have first addressed inherent risk. Examples of this, which could be unique to a company, are strikes, the outcome of unfavorable litigation, or a natural catastrophe that can be eliminated through diversification.

Written by anupsurendran

January 6, 2008 at 11:25 pm
