Inherent and Residual Risk: How Both Scores Drive Enterprise Risk Decisions
December 15, 2011
A commonly accepted definition of risk is: “The likelihood that a threat (or a threat agent) will exploit a given vulnerability, multiplied by the business impact of that exploit.” In information security, threats are typically broken down into the three categories of natural, facility or human, and the impacts are assessed against the confidentiality, integrity and availability of information assets. Organizations have been successfully implementing this formula to assess risk for years. What organizations struggle with is when to conduct this type of assessment, and how to use the results to make decisions to apply time, money and resources to reduce risk. From the perspective of information assets, the risk assessment approach I find to be the most effective is to assess risk in two ways:
- Assess the inherent risk of systems that store, process and/or transmit information assets prior to implementing any security measures, and
- Assess the residual risk of systems that store, process and/or transmit information assets after security measures have been implemented.
The first step is to assess the inherent risk. The inherent risk of a system is the risk that the system poses “out of the box,” without any people, process or technology controls in place. When assessing inherent risk, the following questions should be answered:
- What type of data is stored in this system? (Examples include Public, Sensitive and Confidential, and should be aligned with the organization’s data classification model.)
- How many data records are stored in this system? (Examples include ranges of numbers — 1-100, 101-500, etc.)
- Who can access the system? (Examples include employees, customers, public, etc.)
- How many users can access the system? (Examples include ranges of numbers — 1-100, 101-500, etc.)
- By what means can users access this system? (Examples include intranet, Internet, workstation only, etc.)
The answers to the above questions should be used to generate a score for inherent risk. This can be either qualitative (high, medium, low, etc.) or quantitative (100, 50, 0, etc.), and the score calculation should be incorporated into an algorithm so that the scoring is repeatable for all systems assessed.
After the inherent risk score for a given system has been obtained, the next step is to determine the residual risk score. The residual risk of a system is the risk that remains after the people, process and technology security measures have been implemented. When assessing residual risk, the following questions should be answered:
- What are the controls required to be implemented for this system? (Examples include best practice control frameworks such as ISO 27002 and NIST 800-53, plus regulatory compliance requirements such as HIPAA, GLBA, SOX, PCI, etc.)
- What percentage of the required controls has been implemented? (This should be determined after a full risk assessment has been conducted.)
The answers to the above questions should be used to generate a score for residual risk. The percentage of compliance is a quantitative score that can be converted to a qualitative “effectiveness” rating. For example, a control implementation of 90% or higher may be considered “highly effective,” while a control implementation of 70% or lower may be considered “ineffective.” Subsequently, the combination of the inherent risk score of a system and its percentage of compliance with the implementation of required controls results in the residual risk score, as reflected in the chart below:
The residual risk score is a qualitative score that is more granular than inherent risk. Inherent risk is commonly assigned one of the three scores of high, medium or low, while residual risk is commonly broken out into five or more scores of high, medium-high, medium, medium-low and low. This granularity will highlight control implementation progress over time and better reflect the change in overall risk.
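The two-stage scoring described above, written out as a repeatable algorithm. This is an added example, not code from the article or any particular organization's risk methodology: the per-answer weights, the 0-10 inherent score with its High/Medium/Low thresholds, the name "partially effective" for the 71-89% band, and the residual-risk matrix are all constructed assumptions (the article's chart is not reproduced on the page), chosen only to show how the inherent rating and control effectiveness combine into a five-level residual rating that moves as control implementation progresses.

```python
"""Repeatable inherent / residual risk scoring for information systems.

The weights, thresholds and residual-risk matrix below are constructed
assumptions for illustration; an organization would substitute its own
values so that every system is scored the same way.
"""
from dataclasses import dataclass

# --- Inherent risk inputs: one weight (0, 1 or 2) per assessment question ---
DATA_CLASS_WEIGHT = {"public": 0, "sensitive": 1, "confidential": 2}
POPULATION_WEIGHT = {"employees": 0, "customers": 1, "public": 2}
ACCESS_WEIGHT = {"workstation only": 0, "intranet": 1, "internet": 2}


def count_weight(n: int) -> int:
    """Bucket a record or user count into ranges (1-100, 101-500, 501+)."""
    if n < 0:
        raise ValueError("count must be non-negative")
    if n <= 100:
        return 0
    if n <= 500:
        return 1
    return 2


@dataclass(frozen=True)
class System:
    name: str
    data_class: str   # Public / Sensitive / Confidential (data classification model)
    record_count: int
    population: str   # employees / customers / public
    user_count: int
    access: str       # workstation only / intranet / internet


def inherent_score(s: System) -> int:
    """Quantitative inherent score before any controls: 0 (lowest) to 10 (highest)."""
    return (DATA_CLASS_WEIGHT[s.data_class.lower()]
            + count_weight(s.record_count)
            + POPULATION_WEIGHT[s.population.lower()]
            + count_weight(s.user_count)
            + ACCESS_WEIGHT[s.access.lower()])


def inherent_rating(score: int) -> str:
    """Three-level qualitative inherent rating (thresholds are assumptions)."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def effectiveness(pct_controls_implemented: float) -> str:
    """Convert the percentage of required controls implemented into a rating.

    90% or higher is 'highly effective' and 70% or lower is 'ineffective';
    the middle band is labelled 'partially effective' here (assumption).
    """
    if not 0 <= pct_controls_implemented <= 100:
        raise ValueError("percentage must be within 0..100")
    if pct_controls_implemented >= 90:
        return "highly effective"
    if pct_controls_implemented <= 70:
        return "ineffective"
    return "partially effective"


# --- Residual risk matrix (constructed): inherent rating x effectiveness ---
RESIDUAL_MATRIX = {
    "High":   {"highly effective": "Medium",     "partially effective": "Medium-High", "ineffective": "High"},
    "Medium": {"highly effective": "Medium-Low", "partially effective": "Medium",      "ineffective": "Medium-High"},
    "Low":    {"highly effective": "Low",        "partially effective": "Low",         "ineffective": "Medium-Low"},
}


def residual_rating(s: System, pct_controls_implemented: float) -> str:
    """Five-level residual rating: the risk that remains with controls in place."""
    row = RESIDUAL_MATRIX[inherent_rating(inherent_score(s))]
    return row[effectiveness(pct_controls_implemented)]


def assess(s: System, pct_controls_implemented: float) -> dict:
    """Full assessment record for reporting both scores to the risk owner."""
    score = inherent_score(s)
    return {
        "system": s.name,
        "inherent_score": score,
        "inherent_rating": inherent_rating(score),
        "controls_implemented_pct": pct_controls_implemented,
        "effectiveness": effectiveness(pct_controls_implemented),
        "residual_rating": residual_rating(s, pct_controls_implemented),
    }


if __name__ == "__main__":
    # Constructed sample systems
    portal = System("customer portal", "Confidential", 50_000, "customers", 5_000, "Internet")
    hr_tool = System("HR tool", "Confidential", 300, "employees", 40, "intranet")
    for pct in (60, 80, 95):   # control implementation progressing over time
        print(assess(hr_tool, pct))
    print(assess(portal, 95))
```

Running the script shows the point the article makes about granularity: the HR tool's inherent rating stays Medium throughout, while its residual rating moves from Medium-High to Medium to Medium-Low as control implementation rises from 60% to 80% to 95%. The Internet-facing portal scores High inherently and only reaches Medium residual risk even at 95% control implementation, which is the kind of gap a risk owner compares against the acceptable residual score for that system.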
The residual risk score is what should be driving decisions regarding the allocation of time, money and resources to reduce risk. Representatives from the business and executive board in an organization should establish what the acceptable residual risk score is for each system, and they will be able to make informed decisions regarding risk remediation if they are able to understand both the inherent risk of a system and the residual risk of that same system as it is currently implemented in their environment.