Key Difference – Inherent Risk vs Control Risk
Inherent risk and control risk are two important terminologies in risk management. Business actions are subjected to various risks by nature that can reduce the positive effects they can bring to the organization. The key difference between inherent risk and control risk is that inherent risk is the raw or untreated risk, which is the natural level of risk intrinsic in a business activity or process without implementing any procedures to reduce the risk whereas control risk is the probability of loss resulting from the malfunction of internal control measures implemented to mitigate risks.
CONTENTS
1. Overview and Key Difference
2. What is Inherent Risk
3. What is Control Risk
4. Side by Side Comparison – Inherent Risk vs Control Risk
5. Summary
What is Inherent Risk?
Inherent risk is referred to as raw or untreated risk and is the natural level of risk intrinsic in a business activity or process without implementing any procedures to reduce the risk. In other words, this is the amount of risk before the applying any internal controls. Inherent risk is also referred to as the ‘gross risk’. Risks should be controlled by a number of internal control measures in order to mitigate them. Some examples of internal control measures are as follows.
Examples:
- Controlling access through door locks (for physical access) and through passwords (for online access)
- Segregation of duties to divide responsibility for recording, inspecting and auditing transactions to prevent a single employee committing a fraudulent act
- Accounting reconciliations to ensure that account balances match up with balances maintained by other entities including suppliers, customers, and financial institutions
- Assigning authority to specific managers to authorize transactions of significant value
Even after the required controls are implemented, there is no guarantee that the entire risk can be eliminated, thus a portion of the risk may remain. Such risk is referred to as ‘residual risk’ or ‘net risk’ as this remains after the implementation of controls.
Figure 01: Access control can be used to mitigate risks
What is Control Risk?
Control risk is the probability of loss resulting from the malfunction of internal control measures implemented to mitigate risks. Thus, control risks occur due to the limitations in the internal control system. If not subjected to periodic reviews, internal control systems lose their effectiveness over time. The internal control system in a company has to be reviewed annually and the controls should be updated.
Elements that Increase Control Risk
- Lack of segregation of duties
- Approval of documents without review by the designated managers
- Lack of verification of transactions
- Lack of transparent procedures to select suppliers
The type of control that should be implemented for each risk is decided based on two aspects.
- Likelihood/probability of risk – possibility of a risk being materialized
- Impact of risk – size of the financial loss if the risk materialize
Both likelihood and the impact of a risk may be high, medium or low. For a risk with high likelihood and impact, controls with high effect should be implemented. If not, it will be exposed to a high control risk.
E.g., GHI Company is an IT company that is currently engaged in a large-scale project for its most significant client for a value of $10m. Substantial penalties are payable if GHI fails to maintain any confidential data of the project; thus, the impact of a possible risk is very high. Further, due to the nature of the project, some parties may be tempted to obtain the confidential information and share with competitors of GHI, indicating a high probability of risk. Thus, it is vital to implement a number of controls such as access controls, segregation of duties and authorization controls to ensure successful completion of the project.
What is the difference between Inherent Risk and Control Risk?
Inherent Risk vs Control Risk |
|
| Inherent risk is the raw or untreated risk, i.e., the natural level of risk intrinsic in a business activity or process without implementing any procedures to reduce the risk. | Control risk is the probability of loss resulting from the malfunction of internal control measures implemented to mitigate risks. |
| Nature | |
| Inherent risk is inevitable in nature. | Control risk only arises in the absence of effective internal control measures. |
| Mitigation of Risks | |
| Inherent risk can be mitigated via implementation of internal controls. | Control risk can be mitigated via effective functioning of internal controls. |
Summary – Inherent Risk vs Control Risk
The difference between inherent risk and control risk is a distinct one where inherent risk arises due to the nature of the business transaction or operation while control risk is a result of the malfunction of internal control measures implemented to mitigate risks. Every business transaction is equipped with either high, medium or low risk that should be controlled via internal controls. Implementing an internal control system is not sufficient and periodic reviews should be in place for the continued success of such system to effectively identify and mitigate risks.
Reference:
1. “What Are the Seven Internal Control Procedures in Accounting?” Chron.com. Chron.com, 26 Oct. 2016. Web. 15 May 2017. <http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html>.
2. “Risk Impact/Probability Chart: Learning to Prioritize Risks.” Project Management from MindTools.com. N.p., n.d. Web. 15 May 2017. <https://www.mindtools.com/pages/article/newPPM_78.htm>.
3. “The 6 Fundamental Techniques of Risk Control.” Poms & Associates. N.p., 14 May 2014. Web. 15 May 2017. <http://www.pomsassoc.com/6-fundamental-techniques-risk-control/>.
Image Courtesy:
1. “Locksmiths-11211” By Locksmithwilli (CC0) via Commons Wikimedia