RiskWatch
Pillar guide · ~12 min read · Updated May 2026

Inherent vs residual risk

Inherent risk is the exposure before any controls are credited. Residual risk is what remains after the controls currently in place are applied. The working formula: Inherent (Likelihood × Impact) × (1 − Control Effectiveness) = Residual, often written as Inherent × a control-effectiveness multiplier between 0 and 1. Every credible framework (ISO 31000, NIST 800-30, ISO 27005, COSO ERM) requires both numbers on the register and a defensible link between them.

Reading level: Practitioner
Frameworks: ISO · NIST · COSO
Audits covered: ISO 27001 · SOC 2 · SOX
Last reviewed: May 2026

01 · Definition

What is inherent risk?

Inherent risk is the exposure before any controls are credited. It is the raw threat against the asset, in its natural state, in the environment the organisation operates in. The score answers a simple question: if every internal control disappeared overnight, how bad would this risk be and how often would it land?

Inherent risk has two components: likelihood, how often the loss event is expected to occur over the assessment horizon, and impact, what the consequence looks like if the event does land. Multiplied together on an ordinal scale (typically 5×5), or expressed as loss-event frequency multiplied by loss magnitude for quantitative work, the result is the inherent score.

Two conventions exist for what counts as a control. The strict interpretation, used by NIST SP 800-30 and ISO 27005, is that inherent ignores every control regardless of source. The pragmatic interpretation, used by many internal audit teams under COSO, takes the legal and physical environment as a given and excludes only the entity-specific controls. Whichever the methodology picks, it should be stated in the assessment scope so assessors stay calibrated and auditors do not get surprised.

Threat

The actor or condition that could cause harm: an adversary, a natural event, a process failure, a market shift.

Vulnerability

The weakness the threat exploits: an exposed service, an unsegmented network, an over-permissioned role, a missing reconciliation.

Consequence

What lands if the event lands: dollar loss, downtime, regulatory penalty, harm to people, lost opportunity, reputational damage.

02 · Definition

What is residual risk?

Residual risk is the exposure that remains after the controls currently in place are credited. It is the answer to a different question: given everything the organisation has actually built, tested, and is operating today, what level of loss should we still plan for? Residual is the number the board cares about most, because it describes the world the organisation actually lives in.

Residual sits on the same scale as inherent so the two numbers are directly comparable. The gap between them is the work the existing control stack is doing. If inherent is 20 and residual is 7, the controls are reducing exposure by 65%. If inherent is 20 and residual is 18, either the controls are not doing much, or they have never been tested, or the residual scoring is wrong.

Three residuals are worth tracking per risk on the register. Current residual is what the controls are delivering today. Target residual is what the active treatment is expected to deliver once the planned changes ship. Accepted residual is the level the named risk owner has signed off as tolerable. A risk sits inside appetite when current residual is at or below accepted residual; it sits in treatment when current is above and target is at or below.

“Residual risk is the risk remaining after risk treatment. Residual risk can contain unidentified risk. Residual risk can also be known as retained risk.”

03 · The formula

Inherent × (1 − Control Effectiveness) = Residual

The relationship between the two scores is multiplicative, not additive. Controls do not subtract a fixed amount from the inherent number; they reduce it by a proportion that reflects how good those controls are and how well they have been tested.

Step 01

Inherent

Likelihood × Impact

Score likelihood (1 to 5) and impact (1 to 5) on the documented scale. Multiply. The product, between 1 and 25, is the inherent score on a 5×5 matrix. Express in dollar terms for quantitative work.

Step 02

Control effectiveness

Σ (control weight × test result)

For each control credited against the risk, multiply its design weight by its operating-test result (0 to 1). Sum across controls. Cap the total at 1. The closer to 1, the more the control stack is doing.

Step 03

Residual

Inherent × (1 − CE)

Multiply the inherent score by one minus the control-effectiveness score. The result is the residual score, on the same 5×5 scale, directly comparable to inherent and to the appetite threshold.

The honest caveat

No qualitative formula is mathematically rigorous. A 5×5 matrix is an ordinal scale, not a ratio scale, so multiplying scores is a convention rather than a measurement. For the top 10 to 20 risks where investment trade-offs are real, run a FAIR or Monte Carlo analysis in parallel and reconcile the two views on the dashboard. The qualitative formula remains the right tool for breadth across the full register.

04 · Worked example

One risk, end to end

A single risk walked through the full assessment. Ransomware against a production SaaS tenant, scored on the 5×5 matrix, with controls credited and residual derived. The same pattern applies to operational, financial, or compliance risks; only the controls and the loss model change.

  1. Step 01

    Risk statement

    Ransomware actor encrypts the production SaaS tenant, extorts payment, threatens public leak of customer data. Threat is external organised crime; vulnerability is exposed RDP plus unsegmented backups; consequence is 5 to 14 days of unavailability and a notifiable data breach across 4 jurisdictions.

  2. Step 02

    Inherent likelihood

    Score 4 of 5 (High). Industry base rate for SaaS providers of this size sits at roughly 1 in 6 organisations affected per year across the most-recent vendor reports; no control credit applied at this step.

  3. Step 03

    Inherent impact

    Score 5 of 5 (Severe). Modelled loss includes 9 days of revenue loss, customer-notification cost across GDPR + state laws, regulator fines, professional response fees, and reputational churn. Inherent loss range modelled at 4.1M to 9.8M USD on a single event.

  4. Step 04

    Inherent score

    4 × 5 = 20. Sits in the top-right cell of the 5×5 matrix. Well above the documented enterprise risk appetite of 12 for cyber-availability events. Flagged for treatment, no acceptance option.

  5. Step 05

    Control inventory

    Six controls in scope: MFA on all admin paths, EDR on every endpoint, immutable backups with 30-minute RPO, network segmentation between production and corporate, monthly tabletop with the incident response team, and cyber-insurance with sub-limits for extortion. Each control has a test result from the last 90 days.

  6. Step 06

    Control effectiveness

    The weighted multiplier for the six controls comes out at 0.35, a control-effectiveness score of 0.65. Preventative controls (MFA, segmentation) tested clean. Detective controls (EDR, tabletop) had partial findings: 4 of 21 endpoints out of policy at the most recent scan. Recovery controls (backups, insurance) are strong. The 0.35 multiplier means the control stack reduces inherent exposure by 65%.

  7. Step 07

    Residual score

    20 × 0.35 = 7. Residual likelihood drops to 3 (Moderate); residual impact drops to 3 (Moderate) because backups bound the unavailability window. Residual cell sits inside appetite, but only just. Target residual is 5 once the endpoint-policy gap is closed.

  8. Step 08

    Treatment plan

    Close the EDR-coverage gap on the 4 out-of-policy endpoints by month-end. Add SSO-enforced break-glass account audit on the four admin paths. Rerun the tabletop with the recovery sub-team. Owner: CISO. Review date: 90 days. Expected post-treatment residual: 5. Once delivered, residual moves from accepted-with-watch to accepted.

Worked-example summary: inherent score, control effectiveness, residual score, target residual.

| Stage            | Likelihood   | Impact             | Score (1-25) | Appetite (12)   |
|------------------|--------------|--------------------|--------------|-----------------|
| Inherent         | 4 (Likely)   | 5 (Severe)         | 20           | Above appetite  |
| Current residual | 3 (Possible) | 3 (Moderate)       | 9 (CE 0.55)  | At appetite     |
| Target residual  | 2 (Unlikely) | 2 (Minor-Moderate) | 5            | Inside appetite |

05 · Scoring scales

How to score each

The 5×5 ordinal matrix is the default for qualitative work across ISO 27005, NIST 800-30, and OCTAVE Allegro. Below are the calibrated scale anchors used on most enterprise registers; tune the impact bands to your own materiality.

Likelihood scale

  • 1 · Rare. Less than 1 in 100 chance over the assessment horizon.
  • 2 · Unlikely. 1 in 100 to 1 in 20 over the horizon.
  • 3 · Possible. 1 in 20 to 1 in 5 over the horizon.
  • 4 · Likely. 1 in 5 to 1 in 2 over the horizon.
  • 5 · Almost certain. Greater than 1 in 2 over the horizon, or expected during the year.

Impact scale (USD)

  • 1 · Negligible. Under 10K USD loss; no regulatory or customer-facing consequence.
  • 2 · Minor. 10K to 100K USD; localised disruption; no notifiable event.
  • 3 · Moderate. 100K to 1M USD; notifiable to one regulator; customer-perceived.
  • 4 · Major. 1M to 10M USD; multi-jurisdiction notification; board reporting.
  • 5 · Severe. Over 10M USD or existential; sustained brand harm; potential criminal exposure.

Qualitative (5×5)

Score likelihood and impact on the 1 to 5 anchors above. Multiply for the inherent score. Apply the control-effectiveness multiplier from the tested control stack. Plot inherent and residual on the heat map. Fast, defensible, and good enough for the bulk of the register.

  • Default for ISO 27005, NIST 800-30, OCTAVE Allegro
  • Calibrate assessors with the same anchor table
  • Document the score rationale in the register row

Quantitative (FAIR)

Express inherent as Loss Event Frequency × Loss Magnitude in dollars. Decompose loss magnitude into primary and secondary buckets. Apply control-effectiveness as a distribution rather than a point estimate. Run a Monte Carlo to produce a loss-exceedance curve for both inherent and residual.

  • Use for the top 10 to 20 risks the board names
  • FAIR is the Open Group standard; reconciles with COSO
  • Outputs annualised loss expectancy and curve shape

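A sketch of the quantitative view described above, as an added Python example and not RiskWatch's assessment engine. The loss-event frequency (1 in 6 per year) and the 4.1M to 9.8M USD loss range come from the section 04 worked example; the lognormal fit, the 90% interval convention and the 0.55 to 0.75 control-effectiveness range are assumptions.

```python
import math
import random

def lognormal_params(low: float, high: float):
    """mu, sigma of a lognormal whose 90% interval is [low, high] (calibrated-range convention)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year at the given loss-event frequency."""
    threshold, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate(trials, lef, loss_low, loss_high, ce_low, ce_high, seed=1):
    """Return (inherent, residual) annual-loss lists; CE is drawn per trial from a range."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    inherent, residual = [], []
    for _ in range(trials):
        year_loss = sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lef)))
        ce = rng.uniform(ce_low, ce_high)   # control effectiveness as a distribution, not a point
        inherent.append(year_loss)
        residual.append(year_loss * (1 - ce))
    return inherent, residual

def ale(losses) -> float:
    """Annualised loss expectancy: mean simulated annual loss."""
    return sum(losses) / len(losses)

def exceedance(losses, threshold: float) -> float:
    """P(annual loss >= threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)

def ransomware_curves(trials=20000):
    """Section 04 inputs: LEF 1 in 6 per year, loss 4.1M-9.8M USD, CE assumed 0.55-0.75."""
    inh, res = simulate(trials, 1 / 6, 4.1e6, 9.8e6, 0.55, 0.75)
    points = [1e6, 5e6, 10e6]
    return {"ale_inherent": ale(inh), "ale_residual": ale(res),
            "lec_inherent": [exceedance(inh, t) for t in points],
            "lec_residual": [exceedance(res, t) for t in points]}
```

Plotting exceedance at a sweep of thresholds gives the two loss-exceedance curves the text asks for; the gap between them at the board's materiality threshold is the quantitative counterpart of the inherent-to-residual gap on the heat map.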
06 · Pitfalls

Common pitfalls

Six failure modes that audit teams flag every cycle. Each one breaks the relationship between inherent and residual in a way that undermines the register's defensibility.

Scoring inflation on inherent risk

Assessors push every inherent score to 4 or 5 so the residual gap looks impressive after controls are credited. This is the most common audit finding. Anchor inherent scoring to industry base rates and to a published modelled-loss table per impact tier, not to gut feel.

Control overconfidence on residual

Crediting controls that have not been tested in the last year, or crediting designed-only controls that have never operated, breaks the residual number. ISO 27001 Clause 6.1.3, SOC 2 CC4.1, and SOX all require an operating-effectiveness test before a control reduces residual exposure.

One control credited against many risks

Mature programmes keep a control-to-risk mapping and weight each control by its real contribution to that specific risk. A monthly access review reduces insider misuse more than it reduces ransomware. Crediting the full control twice is double-counting.

Confusing target residual with current residual

Target residual is what the planned treatment is expected to deliver. Current residual is what existing controls already deliver. Boards want both numbers, plus the gap between them and the deadline that closes it. The register row should hold all three.

Stale residual scores

A residual score is a point-in-time number. The moment a control test fails, an incident lands, or a new vulnerability is disclosed, the residual on every affected risk has moved. Programmes that re-score residuals annually are reporting last year's exposure to this year's board.

Ignoring secondary loss

Inherent and residual analysis that stops at primary loss (revenue, fines, response cost) misses the secondary tail: customer churn, partner attrition, premium increases, talent loss. FAIR splits primary and secondary explicitly. A qualitative assessment should at least name the secondary categories in the impact rationale.

07 · Compliance audits

Inherent and residual in compliance audits

ISO 27001, SOC 2, and SOX all require the two-step view. Each clause asks a slightly different question, and the assessor evidence each one wants looks slightly different. Below is the practitioner shorthand.

ISO 27001:2022
Clause 6.1.2 and 6.1.3 + Annex A

Risk assessment must produce both before-control (inherent) and after-control (residual) views. Residual risks above the documented acceptance criteria must be treated, transferred, avoided, or accepted with documented approval. Annex A control selection must be justified against the residual.

What the auditor asks
Show the inherent score, the controls credited, the residual score, and the risk-owner sign-off for any risk above appetite. Show the Statement of Applicability justification linking residuals to Annex A.
SOC 2 (AICPA TSC)
Criterion CC3.2, CC3.4, CC4.1

The entity identifies risks (inherent), analyses them, selects and develops control activities, and tests operating effectiveness so the residual exposure is within the entity's risk tolerance. CC4.1 specifically demands the operating-effectiveness test that lets a control reduce residual.

What the auditor asks
Walk through one risk: how was inherent likelihood and impact derived; which controls are credited; what was the test population; what was the deviation rate; what is the residual conclusion. Repeat for a sample.
SOX / PCAOB AS 2201
Risk-of-material-misstatement assessment

External auditors evaluate inherent risk for each significant account and assertion, then test controls to conclude on residual risk. Higher inherent risk drives a larger sample, more rigorous testing, and tighter materiality. The COSO 2013 internal-control framework is the reference cited.

What the auditor asks
Document inherent risk per significant account, the controls relied upon, the test results, and the conclusion on residual control risk. Reconcile to the materiality and sample-size decisions.

The three frameworks agree on one thing the practitioner often forgets: a control reduces residual only after it has been tested for operating effectiveness in the assessment period. Design-only credit is the single most common audit finding on residual scoring across all three regimes. Keep the test evidence in the same record as the control, link both to the risk, and the audit conversation shortens by hours.

08 · Risk register

How to track both in a risk register

Every credible risk register holds three score columns and the controls that link them. Below is the minimum field set that survives an external audit and a board review.

Risk statement

One-sentence threat-vulnerability-consequence pattern. Avoids generic labels like cyber risk; names the specific event.

Owner + category

Named risk owner from the business plus the primary category (operational, cyber, financial, strategic, compliance, physical).

Inherent score

Likelihood × Impact on the documented scale, with a short rationale paragraph anchored to the scoring criteria.

Controls credited

The specific controls reducing this risk, each with a design weight and the most-recent operating-test result.

Control effectiveness

The weighted multiplier (0 to 1) derived from the credited controls and their tests; the link between inherent and residual.

Current residual

Inherent × (1 − Control Effectiveness). On the same scale as inherent so the gap reads directly.

Treatment + target

Treatment decision (accept, treat, transfer, avoid), the named action, the owner, the deadline, and the expected target residual.

Review + status

Next review date, current status (in-treatment, accepted, breached, retired), and the audit trail of score changes.

A spreadsheet works for the first cycle. The pattern breaks the moment the programme adds a second framework, a third assessor, or a fourth business unit, because the same controls get credited against the same risks in three different files and the cross-mapping has to live in a human's head. A platform centralises the control library, links it to the register, runs the formula for every row, and produces the audit pack without a manual rebuild every quarter.

09 · Frequently asked

Inherent and residual, answered

Ten questions that come up on the way to a working register, with practitioner answers.

What is the difference between inherent and residual risk?
Inherent risk is the exposure before controls are credited: the raw threat against the asset. Residual risk is the exposure that remains after the controls currently in place are credited. The gap between the two is the work the existing controls are doing. The gap between current residual and target residual is the work the planned treatment still owes.
What is the formula for residual risk?
The working formula is Residual = Inherent × (1 − Control Effectiveness), often expressed as Inherent × Control Effectiveness Multiplier where the multiplier sits between 0 (perfect controls) and 1 (no controls). Inherent itself is Likelihood × Impact. Control effectiveness comes from the weighted score of the controls credited against that risk, where each control's weight reflects its design and its operating-test result.
Should inherent risk ignore all controls or just the new ones?
Practice splits two ways. The strict view (NIST 800-30, ISO 27005) is that inherent ignores every control, internal and external. The pragmatic view (used by many internal audit teams under COSO) is that inherent reflects the gross exposure assuming the legal and physical environment but no entity-specific controls. Whichever you pick, document it in the methodology so assessors are calibrated and auditors are not surprised.
How do I measure control effectiveness?
Control effectiveness combines design adequacy (does the control, if it operates as described, reduce the risk?) and operating effectiveness (does the control actually operate that way today?). Design is judged against the framework or threat model. Operating effectiveness comes from a test: re-perform the control on a sample, count exceptions, calculate the deviation rate. Weighted across the controls credited against a risk, the result is a multiplier between 0 and 1.
What is acceptable residual risk?
Acceptable residual is defined by the organisation's documented risk appetite. Appetite is set at board level, usually as qualitative statements per risk category (low for regulatory, moderate for operational, higher for innovation) and translated to quantitative thresholds where the data exists. Any residual above the threshold needs treatment or formal acceptance by a named owner. Without a documented appetite, residual is just a number with no decision criterion.
Can residual risk be higher than inherent risk?
No, by definition. If the controls are working in the right direction, residual is less than or equal to inherent. If a residual score is coming out higher, the model is wrong: either a control is making the risk worse (rare, but check), or the residual is being scored against a different scenario than the inherent, which is a methodology break. Audit teams flag this every time it appears.
How often should residual risk be re-scored?
Re-score residual quarterly for the top quartile of risks and at least annually for the full register. Trigger an immediate re-score on three events: a control test fails, a relevant incident lands, or a material change is made to the environment (new system, new vendor, new regulation). Programmes that wait for the annual cycle are reporting stale residuals to the board.
Is inherent risk the same as gross risk?
In most practitioner usage, yes. Internal audit and accounting literature often uses the term gross risk to mean exposure before mitigation, which is identical to the inherent-risk definition under ISO 31000, NIST 800-30, and COSO ERM. Net risk is the same as residual risk. Be alert to one nuance: some financial-services rulebooks use gross to mean before insurance, not before all controls.
Do I need to score inherent risk if I already track residual?
Yes, and most credible frameworks now require it. Without an inherent score, you cannot demonstrate that controls are doing useful work, you cannot prioritise treatment investment, and you cannot defend the residual conclusion in audit. The two-step view (inherent then residual) is what makes the assessment a defensible analytical product rather than a single subjective number.
How does inherent vs residual show up in a board pack?
The dashboard shows three numbers per top risk: inherent (where exposure would sit without controls), current residual (where it sits today), and target residual (where the active treatment is expected to take it, with deadline). The trend on residual over the last four quarters and the percentage of risks within appetite complete the view. Boards do not want a heat-map dump; they want the delta and the trajectory.