Modern risk management continues to evolve as organisations seek improved resilience, stronger governance, and clearer links between risk and strategy. Traditional concepts such as inherent risk and residual risk have long been used to describe exposure before and after controls. However, contemporary frameworks acknowledge there is little value in considering risk without controls, as this is an unlikely situation. Modern frameworks, including AS/NZS ISO 31000:2018, increasingly emphasise the importance of focusing on current risk. These concepts better reflect operational reality and support alignment with risk appetite and strategic objectives.

Introduction 

As brokers, it’s important for you to be able to talk to your clients about risk. I am sure you’re often asked for advice about different risks in your clients’ businesses. The use of inherent and residual risk in risk assessment processes has been common now for decades. Sure, it is a tool to help us understand the effectiveness of controls, but assessing a theoretical risk without controls, a situation we will never actually experience, is for most businesses simply a waste of time. We also see guidance material such as AS/NZS ISO 31000:2018 evolving to focus more on residual risk, so is inherent risk dead?

What is Inherent Risk? 

Inherent risk represents the level of risk present in the absence of any controls. It describes the natural, untreated exposure arising from the characteristics of an activity, environment, or process. The COSO Framework uses inherent risk to describe the starting point before evaluating controls. The previous version of ISO 31000, published in 2009, suggested the need to assess risk both before and after the application of controls. The latest version, published in 2018, has moved away from this, focusing instead on the risk level at the time of assessment.

Although useful for understanding baseline vulnerability, inherent risk is primarily theoretical. In practice, processes almost never operate without some form of control—formal or informal, documented or cultural. For this reason, inherent risk often exaggerates exposure compared to real-world conditions.

What is Residual and Current Risk?

Residual risk refers to the level of risk after controls and treatments have been implemented. This reflects an organisation’s actual exposure today, factoring in how controls are designed and operated.  

While AS/NZS ISO 31000:2018 does not formally define residual risk, it directs organisations to: 

  • Identify and understand existing controls,
  • Assess their effectiveness, and
  • Evaluate whether the remaining risk is acceptable within strategic and operational objectives.

Residual risk is therefore a more accurate measure for decision‑making and aligns closely with governance, assurance, and performance monitoring.  

We find clients that are new to risk frameworks often struggle with the difference between inherent and residual risk, and when this occurs we use the term Current Risk. Pretty obvious: the risk level right now, with the existing controls in place.

Current risk can therefore be used interchangeably with residual risk. It reflects:

  • The controls currently in place, 
  • Their real‑world effectiveness, 
  • Current operating conditions, and 
  • Behavioural and cultural influences. 

Defining Target Risk—and Its Relationship to Risk Appetite

Target risk is the desired level of risk after additional controls or improvements are implemented. It represents what the organisation aims to achieve to ensure the risk sits comfortably within risk appetite. Risk Appetite is a well-accepted governance tool that is typically defined by the Board of an organisation and communicated to the business to define the acceptable level of risk within the organisation.

Target risk can be taken from the Board’s Risk Appetite and provides risk owners with clear direction on what they are aiming for. Target risk allows organisations to articulate: 

  • Whether more treatment is required, 
  • What level of control strength is appropriate, 
  • How much investment is justified, 
  • When a risk can be accepted. 

In essence, target risk operationalises risk appetite into actionable change. 

Integrating Current and Target Risk into the Insurance process 

The concepts of current and target risk can readily be applied to the insurance process. Consider a client who is faced with a number of risk improvements, some of which require capital spend. The client may be looking at ways to justify this capital spend and implement these risk improvements over time. The current risk represents the risk level before the risk improvements are made. The target risk represents the risk level once the risk improvements have been implemented. The insured will almost certainly be asking you to quantify the improved insurance outcomes between the current state and what could be achieved when the target risk level is reached. The improved risk level presents the insurer with a better risk, and insurers should be looking to reward the insured through improved premiums.

Whilst I acknowledge this is a simplified analogy, what we can see is that by understanding where your clients’ current and target risk levels are, you can support their risk management journey by aligning their insurance program and ensuring it is appropriately adjusted as risk improvement is achieved.

Conclusion 

Risk management continues to mature, moving beyond static categorisations toward more realistic, strategically aligned concepts. Inherent risk describes the theoretical baseline and is not particularly useful in practice. Residual (or Current) risk reflects real exposure. Target risk provides a forward‑looking measure that aligns actions with Risk Appetite, ensuring organisations focus resources where they create the greatest value. By understanding your client’s current and target risk levels, you will be well placed to communicate to insurers why your client is ahead of their peers and should attract above average insurance outcomes.


For more information and enquiries, please contact us.