Inherent Risk minimize vs. reduce

Resonate!Resonate! Member Posts: 23 ■■□□□□□□□□
Hello everyone,

Good luck to those taking the tests in December!

While preparing to the CRISC, I got to a point: can inherent risk be reduced?
I often can see statements like inherent risk is given and cannot be minimized. However, I did see the statement that if you let's say bring skilled resources to your project in order to execute some specific risk related job then inherent risk is reduced.
Being a non-native english speaker, I am trying to get if I'm lost in translation or if it's just an issue with phrasing? The latter statement was within the QAE database which means they must have validated it...
Any difference between minimize and reduce in this context?

Thank you!

Comments

  • OctalDumpOctalDump Member Posts: 1,722
    I think that you can reduce overall inherent risk by reducing use of those riskier components. So for example, a bank offering internet banking service with an EFT feature, they could reduce the inherent risk by not offering that service. If there's no EFT service, then it can't be abused. Or you could reduce inherent risk by using a simpler system that has fewer points of failure.

    In the example you give, you replace the resource (a person) with one with less inherent risk - where the inherent risk is measured for that resource.

    I think they try to make a distinction between reducing inherent risk in this way, and by using controls. The controls act on the inherent risk to lessen its impact or the probability of adverse event. Whereas this method means just doing something less risky.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • RogueJDRogueJD Member Posts: 46 ■■■□□□□□□□
    I have to disagree with your analogy, Octal. The bank analogy is a demonstration of risk avoidance.

    Potentially, a better analogy would be "A bank is considering offering EFT. There is inherent risk of utilizing the "Widget service" to facilitate our EFT. By using the more robust "Gadget" service, there is less inherent risk with the EFT project."

    One can have less inherent risk, but only time risk reduction is in play is when you apply risk treatment. Inherent risk + risk treatment = residual risk.

    Long story short: once you reduce inherent risk, it is no longer inherent. It is now residual risk.
  • cooldudevimalcooldudevimal Registered Users Posts: 4 ■□□□□□□□□□
    Inherent Risk cant be reduced, as its default in a process. Only residual risk can be reduced further by implementing additional controls.
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    Inherent Risk cant be reduced, as its default in a process. Only residual risk can be reduced further by implementing additional controls.

    Inherent risk can in fact be reduced by controls, transference etc... which leaves you residual risk or the remaining risk from the initial inherent risk after controls have been put in place to reduce the riskicon_rolleyes.gif
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • Resonate!Resonate! Member Posts: 23 ■■□□□□□□□□
    but there is also term "current risk" which is likely to be less than inherent risk considering some controls in place, isn't it?

    thank you all for the great converation!
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    Resonate! wrote: »
    but there is also term "current risk" which is likely to be less than inherent risk considering some controls in place, isn't it?

    thank you all for the great converation!

    "Current Risk" is just that... a snapshot of the current risk in an enterprise... could be inherent risk, if before controls/mitigation activities, or could be residual risk if after controls/mitigation activities have been applied

    Clear as mud? :D
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • GoodBishopGoodBishop Member Posts: 359 ■■■■□□□□□□
    I would say no, because inherent risk is defined as the risk without controls in place (simplifying, but you get the gist).

    You can reduce the overall risk by putting in controls, leaving you with residual risk.
Sign In or Register to comment.