Modern risk management continues to evolve as organisations seek improved resilience, stronger governance, and clearer links between risk and strategy. Traditional concepts such as inherent risk and residual risk have long been used to describe exposure before and after controls. However, contemporary frameworks acknowledge that there is little value in considering risk without controls, as this is an unlikely situation. Modern frameworks, including AS/NZS ISO 31000:2018, increasingly emphasise the importance of focusing on current risk. These concepts better reflect operational reality and support alignment with risk appetite and strategic objectives.
Introduction
We’ve helped literally hundreds of clients with risk assessments. At an enterprise level or at an operational level, the concepts are largely the same. The use of inherent and residual risk has always been a strange concept to me. Sure, it is a tool to help us understand the effectiveness of controls, but what point is there in assessing risk without controls when we will never experience that situation? We also see guidance material such as AS/NZS ISO 31000:2018 evolving to focus more on residual risk, so is inherent risk dead?
What is Inherent Risk?
Inherent risk represents the level of risk present in the absence of any controls. It describes the natural, untreated exposure arising from the characteristics of an activity, environment, or process. The COSO Framework uses inherent risk to describe the starting point before evaluating controls. The previous version of ISO 31000, published in 2009, suggested the need to assess risk before and after the application of controls; the latest version, published in 2018, has moved away from this, focusing instead on the risk level at the time of assessment.
Although useful for understanding baseline vulnerability, inherent risk is primarily theoretical. In practice, processes almost never operate without some form of control—formal or informal, documented or cultural. For this reason, inherent risk often exaggerates exposure compared to real-world conditions.
What is Residual and Current Risk?
Residual risk refers to the level of risk after controls and treatments have been implemented. This reflects an organisation’s actual exposure today, factoring in how controls are designed and operated.
While AS/NZS ISO 31000:2018 does not formally define residual risk, it directs organisations to:
- Identify and understand existing controls,
- Assess their effectiveness, and
- Evaluate whether the remaining risk is acceptable within strategic and operational objectives.
Residual risk is therefore a more accurate measure for decision‑making and aligns closely with governance, assurance, and performance monitoring.
We find that clients who are new to risk frameworks often struggle with the difference between inherent and residual risk, and when this occurs we use the term Current Risk. Put simply, it is the risk level right now, with the existing controls in place.
Current risk can therefore be used interchangeably with residual risk. It reflects:
- The controls currently in place,
- Their real‑world effectiveness,
- Current operating conditions, and
- Behavioural and cultural influences.
Defining Target Risk — and Its Relationship to Risk Appetite
Target risk is the desired level of risk after additional controls or improvements are implemented. It represents what the organisation aims to achieve to ensure the risk sits comfortably within risk appetite. Risk appetite is a well-accepted governance tool, typically defined by an organisation’s Board and communicated to the business, that sets the level of risk the organisation is prepared to accept.
Target risk can be taken from the Board’s Risk Appetite and provides risk owners with clear direction on what they are aiming for. Target risk allows organisations to articulate:
- Whether more treatment is required,
- What level of control strength is appropriate,
- How much investment is justified,
- When a risk can be accepted.
In essence, target risk operationalises risk appetite into actionable change.
Integrating Current Risk and Target Risk into Practice
Implementing current risk is relatively straightforward: simply stop assessing inherent risk. As we have stated above, it adds no value. Your risk process will then focus on the present; whether it is called residual or current risk does not matter, as either term focuses attention on the current situation.
This can be easier said than done. As we know, people inherently don’t like change. Experienced Board members may be used to seeing their risk registers in a certain way and may object if inherent is removed. We need to explain the change and seek endorsement from our stakeholders before we adjust our approach.
Implementing target risk will depend on where you currently are on your risk journey. If you’ve documented your risk appetite, the concept of target risk will be relatively straightforward. Adjust the terminology accordingly to provide this forward-looking aspect to your risk process.
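The steps above (record only current risk with its existing controls, assess control effectiveness, derive the target from the Board's risk appetite, then decide whether to accept or treat) can be captured in a small risk register. The following is an added example, not code from the original post or from ISO 31000; the 5-point likelihood and consequence scales, the rating bands, the per-category appetite statement and the sample risks are all constructed assumptions for illustration.

```python
"""Risk register with current and target risk only (no inherent column).

Added example, not the post's or ISO 31000's own method. The scales, rating
bands, appetite thresholds and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed 5-point scales (assumption, not from the post).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Ordered rating bands, lowest to highest, used to measure the gap to target.
RATINGS = ["low", "medium", "high", "extreme"]

# Constructed risk appetite statement: the maximum rating the Board accepts
# for each risk category. Target risk is read directly from this table.
APPETITE: Dict[str, str] = {"cyber": "medium", "safety": "low", "financial": "high"}


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood x consequence score onto a rating band (assumed bands)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    effective: bool  # outcome of the control effectiveness assessment


@dataclass
class Risk:
    ref: str
    category: str
    likelihood: str   # assessed *with* existing controls in place, i.e. current
    consequence: str
    controls: List[Control] = field(default_factory=list)


def target_rating(risk: Risk) -> str:
    """Target risk is the appetite ceiling for the risk's category."""
    return APPETITE[risk.category]


def evaluate(risk: Risk) -> dict:
    """Compare current risk with target and decide: accept, or treat further."""
    current = rate(risk.likelihood, risk.consequence)
    target = target_rating(risk)
    gap = RATINGS.index(current) - RATINGS.index(target)
    weak = [c.name for c in risk.controls if not c.effective]
    return {
        "ref": risk.ref,
        "current": current,
        "target": target,
        "gap": max(gap, 0),                    # bands above appetite
        "decision": "accept" if gap <= 0 else "treat",
        "ineffective_controls": weak,          # where treatment effort should start
    }


def treatment_plan(register: List[Risk]) -> List[dict]:
    """Risks that sit above target and therefore need further treatment."""
    return [r for r in map(evaluate, register) if r["decision"] == "treat"]


# Constructed sample register (assumption).
REGISTER = [
    Risk("R1", "cyber", "possible", "major",
         [Control("MFA on remote access", True), Control("Patch cadence", False)]),
    Risk("R2", "safety", "unlikely", "minor", [Control("Site induction", True)]),
    Risk("R3", "financial", "likely", "moderate", [Control("Dual authorisation", True)]),
]

if __name__ == "__main__":
    for row in map(evaluate, REGISTER):
        print(row)
    print("Needs treatment:", [r["ref"] for r in treatment_plan(REGISTER)])
```

With the constructed register, R1 rates high against a medium appetite and is flagged for treatment, with the ineffective patch cadence control listed as the obvious starting point; R2 and R3 sit at or below their targets and are accepted. The register never stores an inherent rating, which is the whole point of the approach described above.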
Conclusion
Risk management continues to mature, moving beyond static categorisations toward more realistic, strategically aligned concepts. Inherent risk describes a theoretical baseline and is not particularly useful in practice. Residual (or current) risk reflects real exposure. Target risk provides a forward‑looking measure that aligns actions with risk appetite, ensuring organisations focus resources where they create the greatest value.
