Inherent Risk minimize vs. reduce

Hello everyone,

Good luck to those taking the tests in December!

While preparing to the CRISC, I got to a point: can inherent risk be reduced?
I often can see statements like inherent risk is given and cannot be minimized. However, I did see the statement that if you let's say bring skilled resources to your project in order to execute some specific risk related job then inherent risk is reduced.
Being a non-native english speaker, I am trying to get if I'm lost in translation or if it's just an issue with phrasing? The latter statement was within the QAE database which means they must have validated it...
Any difference between minimize and reduce in this context?

Thank you!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

OctalDump

I think that you can reduce overall inherent risk by reducing use of those riskier components. So for example, a bank offering internet banking service with an EFT feature, they could reduce the inherent risk by not offering that service. If there's no EFT service, then it can't be abused. Or you could reduce inherent risk by using a simpler system that has fewer points of failure.

In the example you give, you replace the resource (a person) with one with less inherent risk - where the inherent risk is measured for that resource.

I think they try to make a distinction between reducing inherent risk in this way, and by using controls. The controls act on the inherent risk to lessen its impact or the probability of adverse event. Whereas this method means just doing something less risky.

RogueJD

I have to disagree with your analogy, Octal. The bank analogy is a demonstration of risk avoidance.

Potentially, a better analogy would be "A bank is considering offering EFT. There is inherent risk of utilizing the "Widget service" to facilitate our EFT. By using the more robust "Gadget" service, there is less inherent risk with the EFT project."

One can have less inherent risk, but only time risk reduction is in play is when you apply risk treatment. Inherent risk + risk treatment = residual risk.

Long story short: once you reduce inherent risk, it is no longer inherent. It is now residual risk.

cooldudevimal

Inherent Risk cant be reduced, as its default in a process. Only residual risk can be reduced further by implementing additional controls.

jcundiff

cooldudevimal wrote: »

Inherent Risk cant be reduced, as its default in a process. Only residual risk can be reduced further by implementing additional controls.

Inherent risk can in fact be reduced by controls, transference etc... which leaves you residual risk or the remaining risk from the initial inherent risk after controls have been put in place to reduce the risk

Resonate!

but there is also term "current risk" which is likely to be less than inherent risk considering some controls in place, isn't it?

thank you all for the great converation!

jcundiff

Resonate! wrote: »

but there is also term "current risk" which is likely to be less than inherent risk considering some controls in place, isn't it?

thank you all for the great converation!

"Current Risk" is just that... a snapshot of the current risk in an enterprise... could be inherent risk, if before controls/mitigation activities, or could be residual risk if after controls/mitigation activities have been applied

Clear as mud?

GoodBishop

I would say no, because inherent risk is defined as the risk without controls in place (simplifying, but you get the gist).

You can reduce the overall risk by putting in controls, leaving you with residual risk.