Risk and audit professionals widely subscribe to the idea that it is possible to assess the level of risk exposure related to an activity, project or situation without considering controls or mitigation efforts. This is the more popular definition of inherent risk[1][2].
The other, less accepted definition speaks to the idea that there are qualities of an item, activity, project, situation, etc. that create an element of intrinsic danger[3][4].
Inherent risk in this context would speak to the fact that dynamite explodes, food spoils over time, cash attracts thieves and predators attack. I believe there is utility in this specific understanding as it has merit particularly in the safety domains (e.g. occupational, food, product).
As for the first definition, the one which asks us to assess risk by pretending controls do not exist, I find it to be fundamentally flawed.
Some argue that the concept helps us to imagine worst-case scenarios, determine which controls to implement, measure how much risk those controls reduce and evaluate if controls are right-sized or excessive.
Staunch defenders of inherent risk make the claim that it is more than a theoretical concept and put significant effort into convincing themselves and others that inherent risk has practical value.
I disagree.
In practice, inherent risk is largely analytical theater.
It focuses on fantasy scenarios, assumes a binary world where controls are either perfect or nonexistent, ignores better ways to understand exposure, and oversimplifies risk to the point where the outputs are performative.
The fixation on improbable scenarios
Most inherent risk examples depend on scenarios that do not stand up well to scrutiny given how improbable they are. Below I focus on two that I find to be illustrative. That said, any number of examples could have been used as the key flaws are common.
The car with no brakes
This common example is usually put forward as a thought experiment to rationalize inherent risk: imagine a car with no brakes, no airbags, no seat belts, etc.
I find the scenario absurd.
Cars without brakes cannot legally be built, sold, or insured. The same is true for other mandatory safety features. Even if by some stretch this scenario were plausible, consumers would not buy vehicles that were not designed with safety in mind. Pretending otherwise is fantasy.
Given that fact, defenders often pivot, saying the point isn’t to pretend controls don’t exist. We are told the scenario helps us to understand the impact of a simultaneous, total failure of all safety systems.
For me, that defense doesn’t hold up.
The total failure of multiple, independent safety systems in a modern car is an extreme tail-end scenario, with odds so close to zero that it has no practical value.
More importantly, it also relies on the flawed idea that controls operate in a binary “on/off” state.
In reality, controls degrade, partially fail, or behave inconsistently under specific conditions. The presence of multiple independent controls also creates constraints that limit failure modes. It is not possible to simply strip these out and pretend we are producing meaningful insight.
Therefore, scenarios like the “car with no brakes” are not just impossible, they are patently cartoonish. They tell us nothing about how risk materializes in real systems.

The cash intensive careless business
Another fantasy scenario that often pops up imagines a cash-heavy business moving large sums daily with no oversight, no documentation, no reconciliations, and no loss-prevention.
This is just as implausible.
The fact is, even the most informal operator has a strong incentive to implement minimal checks. They need to know if the business is profitable and whether cash is being stolen. No rational owner is indifferent to where their daily revenue goes.
On top of that, banks require deposit trails and tax authorities monitor revenue discrepancies. As with many scenarios, the work and interests of external forces act to impose basic accountability.
Nonetheless, defenders attempt to justify the use of inherent risk based on the claim that it helps in assessing full exposure.
The problem with this thinking, which I explore further below, is that to understand loss exposure or evaluate cash-handling controls, there are far better approaches and tools.
As with the car example, this scenario collapses under any rational test and only shows the inability of inherent risk to meaningfully inform risk strategy.
The binary failure mode assumption
The most common use of inherent risk involves making a comparison against residual risk to draw a conclusion on control effectiveness. If inherent risk is “high” and residual risk is “medium,” the conclusion is that controls reduced exposure.
My issue with this approach is that it assumes controls operate in a binary state, where they are either fully present and functional, or completely absent and failed.
This is not how controls behave.
They degrade over time, partially fail under specific conditions, and oscillate between varying states (full, partial or no effectiveness).
If we use our car with no brakes example, a braking system seldom goes from perfect operation to total instantaneous failure. Most braking components (e.g. pads, rotors, and fluid) wear down or degrade over time. This results in a gradual reduction in stopping performance, and while a total failure is not impossible, it would represent a catastrophic braking system failure.
If we consider a more business-oriented example, cash reconciliations do not collapse overnight. They deteriorate slowly, often evidenced by a backlog of unreconciled items, increased write-offs, delayed period-end financial close, etc.
And this further underscores that the “no controls” premise forces the imagining of systems that do not exist in practice.
To make inherent risk work, we are being asked to adopt a worldview where controls can be fully removed in a way that real systems simply do not allow.
The underestimation of multi-loss scenarios
The core flaw of inherent risk compounds when a single event triggers multiple distinct loss types, which is common in business. The issue is exacerbated when those losses have little to no relationship to the controls inherent risk assessments would have us remove.
We can start with a building fire at a manufacturing facility.
The inherent risk assessment might imagine the building with no sprinklers, alarms, suppression systems or emergency response. If our concern is pure asset replacement, this might be marginally useful.
But when we consider other losses, the “no controls” framing falls apart.
Productivity losses are driven by headcount, pay rates, outage duration, the ability to reassign staff and remote work capacity. Whether fire suppression controls have failed or not has virtually no bearing on these factors.
Sales losses are driven by access to alternate manufacturing sites, existing inventory at other locations, logistics, and contractual penalties. Fire suppression does not determine whether orders can be fulfilled.
Legal/regulatory exposure is driven by quality of counsel, regulatory relationships, safety culture, political capital, and compliance history. Fire prevention controls may have some impact but do not meaningfully influence these factors.
In essence, the flaw with inherent risk isn’t merely its inability to handle multiple loss types, but the core problem of applying the “no controls” premise uniformly.
Modelling realistic loss scenarios requires us to appreciate the factors that influence loss frequency and magnitude and understand the specific drivers relevant to each distinct loss type.
Imagining a universal absence of controls rarely applies outside of pure physical asset loss, and as a result it generates meaningless loss outputs primarily driven by unrelated factors.
Better ways to express what is at stake
But if the goal of inherent risk assessment is to understand what is at stake, we already have far better tools.
For physical assets, professional valuations exist. If a building can burn, a property appraisal can inform the replacement exposure. Even outside of appraisals, as is seen in the art industry, the market can inform the pricing of an asset (e.g. past auction prices or bid values for an upcoming sale).
The same logic, relying on mature, tested methodologies, applies across other business exposures:
- Market capitalization captures what’s at stake for reputation events at public companies.
- Annual contract renewals express what’s at stake for client-facing operational failures.
- Monthly revenue measures exposure for outages and business interruption events.
- Credit ratings capture financial stability exposure and financial reporting failures.
These measures are undeniably intuitive for business stakeholders, directly inform control investment decisions, and they do not require mystifying simple concepts.
Final Thoughts
The core problem with inherent risk, as commonly defined, is simple: it asks us to imagine worlds that cannot exist and then it attempts to treat the output as decision-quality analysis. As risk professionals, the work we do loses credibility when it relies on abstractions that collapse under scrutiny.
The risk management profession has always been at its strongest when its methods were anchored to real systems, economics, incentives, failure modes, and consequences. The “no controls” premise offers none of that. It distracts from the better tools, better proxies, and better approaches that are already sitting in front of us.
Despite the popularity of the inherent risk concept, we don’t need it to understand what is at stake. We would benefit much more from clearer scenarios, better decomposition of losses, and metrics tied to how businesses actually function. If we stop treating inherent risk as a sacred doctrine, maybe we can finally make space for methods that actually help organizations make informed choices.
References
- https://csrc.nist.gov/glossary/term/inherent_risk
- https://pcaobus.org/oversight/standards/auditing-standards/details/AS1101
- https://www.irmsa.org.za/communications/inherent-risk-are-we-perpetuating-nonsense
- https://www.linkedin.com/pulse/concept-inherent-risk-has-changed-alex-dali-mba-arm-fxtkc/