Inherent Risk
What is Inherent Risk?
The level of risk that exists in an activity or asset before any controls or mitigations are applied, reflecting raw exposure to threats.
Inherent risk is the starting point of risk analysis: the likelihood and impact of a threat scenario assuming no controls are in place. It helps stakeholders understand the natural exposure of a business activity (for example, accepting card payments online or holding regulated health data) and compare it across portfolios. Risk practitioners use inherent risk to size control efforts and to evaluate whether the design and operation of existing controls bring residual risk below appetite. Frameworks such as ISO/IEC 27005 and COSO ERM explicitly distinguish inherent from residual risk to avoid the trap of crediting controls in two places.
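The distinction above can be made concrete with a small scoring model. The following is an added example, not code from the page or from ISO/IEC 27005 or COSO ERM: it assumes a generic 5x5 qualitative matrix, models each control as a fixed number of steps down the likelihood or impact scale, uses a constructed appetite threshold of 6, and builds a constructed two-entry register from the page's own examples. The `duplicate_controls` check is the guard against crediting a control in two places.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed 1-5 qualitative scales on a 5x5 matrix (assumption: a generic
# scale for illustration, not one prescribed by ISO/IEC 27005 or COSO ERM).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Control:
    """A control and how many steps it moves likelihood or impact down the scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    scenario: str
    likelihood: int  # rated with no controls assumed (inherent)
    impact: int      # rated with no controls assumed (inherent)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for rating in (self.likelihood, self.impact):
            if not SCALE_MIN <= rating <= SCALE_MAX:
                raise ValueError(f"rating {rating} is outside the {SCALE_MIN}-{SCALE_MAX} scale")


def inherent_score(risk: Risk) -> int:
    """Gross (pre-control) risk: likelihood x impact, controls ignored."""
    return risk.likelihood * risk.impact


def duplicate_controls(risk: Risk) -> List[str]:
    """Names of controls listed more than once: each would be credited twice."""
    seen: Dict[str, int] = {}
    for c in risk.controls:
        seen[c.name] = seen.get(c.name, 0) + 1
    return sorted(name for name, n in seen.items() if n > 1)


def residual_score(risk: Risk) -> int:
    """Credit each control exactly once against the inherent ratings."""
    dups = duplicate_controls(risk)
    if dups:
        raise ValueError(f"controls credited twice for {risk.scenario!r}: {dups}")
    likelihood, impact = risk.likelihood, risk.impact
    for c in risk.controls:
        likelihood = max(SCALE_MIN, likelihood - c.likelihood_reduction)
        impact = max(SCALE_MIN, impact - c.impact_reduction)
    return likelihood * impact


def assess(risk: Risk, appetite: int) -> dict:
    """Inherent and residual scores, the reduction controls must deliver, and the decision."""
    inherent = inherent_score(risk)
    residual = residual_score(risk)
    return {
        "scenario": risk.scenario,
        "inherent": inherent,
        "residual": residual,
        # How far the raw exposure sits above appetite: this sizes the control effort.
        "required_reduction": max(0, inherent - appetite),
        "decision": "accept" if residual <= appetite else "treat further",
    }


# Constructed sample register built from the two examples on the page; the control
# names and reduction steps are illustrative assumptions.
REGISTER = [
    Risk("Holding millions of payment cards on a high-traffic e-commerce platform",
         likelihood=5, impact=5,
         controls=[Control("tokenisation", impact_reduction=3),
                   Control("network segmentation", likelihood_reduction=1),
                   Control("WAF and rate limiting", likelihood_reduction=1)]),
    Risk("Operating critical infrastructure exposed to nation-state actors",
         likelihood=4, impact=5,
         controls=[Control("network segmentation", likelihood_reduction=1)]),
]
APPETITE = 6  # constructed threshold: residual scores above this need further treatment

if __name__ == "__main__":
    for risk in REGISTER:
        print(assess(risk, APPETITE))
```

The `required_reduction` field is the inherent score's distance above appetite, which is the figure a practitioner uses to size the control programme before any control is designed; `residual` is what is actually compared against appetite once the controls are credited, and each control is credited only once.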
● Examples
- Inherent risk of holding millions of payment cards in a high-traffic e-commerce platform.
- Inherent risk of operating critical infrastructure exposed to nation-state actors.
● Frequently asked questions
What is Inherent Risk?
The level of risk that exists in an activity or asset before any controls or mitigations are applied, reflecting raw exposure to threats. It belongs to the Compliance & Frameworks category of cybersecurity.
How does Inherent Risk work?
Inherent risk is rated first, as likelihood and impact with no controls assumed, so that the raw exposure of an activity can be compared across the portfolio and used to size the control effort. Controls are then credited once, and only once, to arrive at residual risk, which is the figure compared against risk appetite. Rating the "inherent" score with some controls already assumed and then crediting those same controls again is the double-counting that ISO/IEC 27005 and COSO ERM separate the two concepts to avoid.
How do you defend against Inherent Risk?
Inherent risk is not mitigated directly; it is the baseline against which controls are measured. Technical and operational controls reduce it to residual risk, and the gap between the two scores is the measured contribution of the control set. If the residual figure is still above appetite, the risk is treated further, transferred, or formally accepted by its owner.
What are other names for Inherent Risk?
Common alternative names include: Gross risk, Pre-control risk.
● Related terms
- Residual Risk (compliance): The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- Risk Assessment (compliance): A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- Risk Management (compliance): The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Risk Register (compliance): A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- Qualitative Risk Analysis (compliance): A risk analysis approach that rates likelihood and impact using descriptive scales such as low/medium/high or 1-5, rather than monetary or probabilistic values.
- Quantitative Risk Analysis (compliance): A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.