
The nonsense of inherent risk

An occasional series of papers aimed at challenging contemporary thinking and advancing improvement in the various disciplines engaged in the management of risk.

Dr Carl A. Gibson

July 2023

Part One of the ‘Tackling Problems in the Management of Risk Series’

Copyright notice

The copyright for this publication, ‘The Nonsense of Inherent Risk’ (hereafter referred to as “the Paper”), is held by Executive Impact Consulting PTY LTD (hereafter referred to as Executive Impact) as the publisher of the imprint ‘Executive Impact Publishing’. The moral rights of the authors have been asserted. The author(s) retain full ownership of the intellectual property and other natural rights.

Users may view, search and review “the Paper” online, and may store and print a single copy of “the Paper” for personal (non-commercial) use.

Unless specifically given written permission by Executive Impact, a person or organisation accessing or using “the Paper” may not:
• Download, store or print multiple copies of “the Paper”, except where this is expressly approved by the author or an authorised officer of Executive Impact.
• Distribute a copy of “the Paper”, or any part thereof, electronically or by any other means.
• Publicly display any part of “the Paper”, including to any group of persons attending any event, whether restricted (or not) by any registration, payment of fees or membership, without permission in writing from an authorised officer of Executive Impact.
• Extract, copy, adapt, reproduce, or modify any part of “the Paper”, without permission in writing from an authorised officer of Executive Impact.

Any permitted use must display a clear and conspicuous attribution of the original work or source of the content. You may not apply any legal terms in your use of the copyright materials that prevent or alter others from exercising their rights as allowed by Executive Impact’s copyright notice or written permission.

Written permission may be sought by contacting the publisher at:

info@executiveimpact.com.au

Notice
Limit of liability / Disclaimer of warranty

No warranties are implied or given by the publication of “the Paper” or separately by Executive Impact Publishing, Executive Impact Consulting Pty Ltd, or the Author. While the publisher and author have used their best efforts in preparing “the Paper”, they make no representation or warranties with respect to the accuracy or completeness of its contents, and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales material. Published materials in “the Paper” are derived from the research work of the Author and as such may be subject to future revision or retraction, and may not be suitable for your (the reader’s) situation. You shall be liable for any loss of profit or other damages arising from any use, interpretation, or application of “the Paper”, including but not limited to direct, special, incidental, consequential or other damages.


Contents
Abstract 4
Background 4
The point of argument 6
The origins of the ‘inherent risk’ concept 7
The start of ‘inherent risk’ assessment 9
The introduction of ‘inherent risk’ into risk management 10
Is the ‘inherent risk’ concept a bad idea? 11
Introducing more unnecessary uncertainty 12
Attempts to sustain the ‘inherent risk’ concept 18
The fantasy of ‘inherent risk’ 17
A poor modelling approach 19
Other arguments supporting ‘inherent risk’ 22
Can the ‘inherent risk’ concept ever be useful? 22
“But what if I still find ‘inherent risk’ useful in risk assessments?” 23
Author: Dr Carl A. Gibson 25
References 26


The nonsense of ‘inherent risk’

Abstract
There is a strange and controversial concept, ‘inherent risk’, used in some risk assessments to demonstrate a highly subjective level of risk in the absence of controls. The concept of ‘inherent risk’ is not a modern idea. It first arose more than one hundred years ago, and over time has, in some disciplines (such as auditing and risk management), taken on a meaning very different from its original use. Today, some advisory practices, software vendors, and risk practitioners continue to use this concept of ‘inherent risk’ despite an absence of any real evidence or validation supporting its use. In recent years, many reputable ‘risk thought leaders’ and commentators have debunked the ‘inherent risk’ concept as confected nonsense. This paper explores the history of ‘inherent risk’, how it is misused, and why the use of ‘inherent risk’ assessment may yield more harm than not undertaking a risk assessment at all. Some simple alternatives to ‘inherent risk’ are also discussed.

It should be noted that this critique of the ‘inherent risk’ concept is limited to its application within the ‘risk management profession’. There are significant differences in interpretation of the term in other professions (such as medicine, accounting, law, etc.) where there may be some validity in its continuing use.

Background
The discipline of risk management continues to develop more as a craft than as a scientific or evidence-based approach to understanding uncertainty. In the 1970s and 1980s risk management practice, where it was present in organisations, was scientifically and mathematically based, with foundations in safety science, actuarial science, probability theory, and statistical analysis.

However, today risk management practice is replete with confusion, contradiction, and confection (Hochrainer-Stigler et al, 2023; van Greuning and Bratanovic, 2020; Hubbard, 2020; Mohanty, 2020; Aven and Ylönen, 2019; Aven, 2019; 2017a, 2016a; Kristamuljana, et al, 2018; Quan and Chiang, 2017; Walters and Kluwer, 2015; Bromiley et al, 2015). We see new terms invented to ‘sell’ a composite of old ideas (often with no scientific basis or other evidence for their use), common everyday terms being ‘captured’ and used for ideas often at odds with their original meaning, the same terms being applied to mean very different things, as well as different concepts being promoted that conflict with each other. Even something as simple as the risk management Standard’s (ISO 31000:2018) five word definition of risk (effect of uncertainty on objectives) is interpreted in multiple different ways. In order to apply the definition, additional words have to be added to make sense of it, something even ISO 31000:2018 has to resort to when it applies the definition in the body of the Standard.

Even within the world of international Standards, there is wide disagreement regarding this ISO 31000:2018 definition of risk, with many ‘domains’ rejecting the definition outright. Despite recent efforts centrally by ISO, involving a wide range of different technical committees, there is still no agreement about a consistent definition of risk. This situation has resulted in over 1000 published ISO documents that apply different definitions of risk and different risk assessment methodologies (Jason Brown¹, personal communication). To this massive confusion, we as practitioners, consultants, academics, and software developers then add a whole host of additional different (inconsistent) terms to try and describe different aspects of uncertainty and risk.

Many senior decision-makers continue to fail to capitalise upon the value that the effective management of risk can bring to individuals, organisations, and society (Alviniussen and Jankensgård, 2018; Beasley et al, 2019; Qazi et al, 2016). Those few studies that attempt to show the value of risk management outside of the financial sector (for example, Rampini et al, 2019) rely strongly on theoretical modelling or evidence of correlation (Willumsen et al, 2019; dos Santos et al, 2017; Ittner and Keusch, 2016; Schrödl and Turowski, 2014; FM Global, 2012; Kraus and Lehner, 2012), rather than a demonstration of causation (Alijoyo and Norimarna, 2021). In those relatively few studies that demonstrate significantly improved organisational performance, this may be a reflection of other confounding factors², additional to any benefits derived directly from risk management.

There is little robust evidence about the extent and depth of skills and expertise across the range of different risk professionals found in contemporary organisations. Whilst those in funds management, insurance, and the actuarial professions have to possess a proven body of knowledge, this does not apply to the many other risk professionals. Anecdotally, it appears that many in the ‘risk management profession’ have surprisingly limited knowledge and skills in risk-related disciplines³ ⁴ (Tepetepe, et al, 2022; Inghels, 2020; McKinnell, 2020b; Special Commission, 2020; Joint Investigation, Snow, 2018; Aven, 2017b; Dekker, 2015; Vaughn, 2016; Hart and Cooke, 2013), beyond following one of the standardised methodologies such as ISO 31000⁵ or COSO⁶. At the same time, many senior decision-makers also appear to have a limited understanding about how best to use the outputs of risk management (Wardman, 2020; Andersen and Young, 2020).

¹ Jason Brown, an Australian, retired as Chair of ISO Technical Committee 262, the committee responsible for ISO 31000 and related Standards.
² Those organisations that invest in substantial risk management are often those organisations that appear to be more likely to have in place mature and effective strategic thinking and foresighting, well established decision making capabilities, sophisticated financial modelling practices, and highly skilled operational resources. Any or all of which could be contributing directly to the improved financial performance of the organisation, above and beyond any beneficial effects of risk management.
³ Also supported by observations collected by the author during training and coaching of 1000+ risk professionals over the last decade or so.
⁴ One only has to look at the continuing proliferation of unvalidated risk matrices, the attempts at combining ordinal scales in mathematically insupportable ways, or attempts at pseudo quantification by using and multiplying arithmetic progressions (e.g., 1, 2, 3, 4, 5) to represent exponential values (e.g., 1, 10, 100, 1000, 1000000, 1000000000).
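Footnote 4 above points at the multiplication of ordinal risk-matrix scores as pseudo quantification. The following Python is an added illustration of that point, not code from the Paper or its author. It assumes a made-up 5 × 5 matrix in which each ordinal band stands for a representative value on an exponential scale (likelihood as events per 100 years, consequence in dollars); those band values are assumptions chosen for the illustration, not taken from any standard. It shows two things the footnote states but does not demonstrate: ranking risks by the product of the two ordinals can invert the ranking by expected annual loss, and a single matrix score can hide a more than hundredfold spread of expected loss.

```python
"""Added illustration: what goes wrong when ordinal risk-matrix scores are multiplied.

The band tables below are constructed for this example; they are not taken from
the Paper or from any standard. Each ordinal score stands for a representative
value on an exponential scale, which is the pattern footnote 4 describes.
"""
from itertools import combinations

# Constructed band tables (assumptions for this illustration).
# Likelihood band -> expected events per 100 years.
LIKELIHOOD_PER_100Y = {1: 1, 2: 10, 3: 30, 4: 60, 5: 90}
# Consequence band -> loss per event in dollars (roughly tenfold per band).
IMPACT_DOLLARS = {1: 1_000, 2: 10_000, 3: 100_000, 4: 1_000_000, 5: 10_000_000}


def matrix_score(likelihood_band, impact_band):
    """The usual matrix 'risk score': the two ordinals multiplied as if they were numbers."""
    return likelihood_band * impact_band


def expected_loss(likelihood_band, impact_band):
    """Expected annual loss in dollars implied by what the bands actually represent.

    Integer arithmetic is exact here because every impact value is a multiple of 100.
    """
    return LIKELIHOOD_PER_100Y[likelihood_band] * IMPACT_DOLLARS[impact_band] // 100


def rank_reversals(risks):
    """Return (higher, lower) pairs where the matrix ranks `higher` strictly above
    `lower` but the expected loss of `lower` is strictly greater.

    Each risk is a (likelihood_band, impact_band) tuple.
    """
    reversals = []
    for a, b in combinations(risks, 2):
        ms_a, ms_b = matrix_score(*a), matrix_score(*b)
        el_a, el_b = expected_loss(*a), expected_loss(*b)
        if ms_a > ms_b and el_a < el_b:
            reversals.append((a, b))
        elif ms_b > ms_a and el_b < el_a:
            reversals.append((b, a))
    return reversals


def expected_loss_range(score):
    """Smallest and largest expected loss among all matrix cells sharing `score`.

    Shows how much real-world spread one matrix score hides. Returns None if no
    cell of the 5 x 5 matrix has that score.
    """
    losses = [
        expected_loss(lb, ib)
        for lb in LIKELIHOOD_PER_100Y
        for ib in IMPACT_DOLLARS
        if matrix_score(lb, ib) == score
    ]
    return (min(losses), max(losses)) if losses else None


if __name__ == "__main__":
    # Constructed sample register: (likelihood band, impact band) per risk.
    register = [(5, 1), (1, 5), (4, 2), (2, 4), (3, 3)]
    for risk in sorted(register, key=lambda r: matrix_score(*r), reverse=True):
        print(f"{risk}: score {matrix_score(*risk):2d}  expected loss ${expected_loss(*risk):>9,}")
    for higher, lower in rank_reversals(register):
        print(f"matrix puts {higher} above {lower}; expected loss says the opposite")
    lo, hi = expected_loss_range(5)
    print(f"every cell scoring 5 spans ${lo:,} to ${hi:,} of expected annual loss")
```

With the sample register, the matrix ranks the (3, 3) risk (score 9) above both (2, 4) and (1, 5) (scores 8 and 5), while the expected loss implied by the bands is 30,000 for (3, 3) against 100,000 for each of the other two; and the two cells that both score 5 differ in expected loss by a factor of more than one hundred. The arithmetic here is the point of the footnote: the ordinal product is not a measurement of anything.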

Contemporary risk management has become a near religion, in which the main guidance documents (such as ISO 31000 and COSO) are regarded as holy books, dogma is regarded as inviolable, to question the liturgy is tantamount to heresy, and the largely uneducated proselytise freely. Faith in out-of-date rituals outweighs the evidence for the need for change.

The risk management domain has become filled with confected terms and concepts, promulgated by some consultants trying to rebadge tired, obtuse, or suspect ideas; by some Standards writers that push conjecture rather than evidence; and by some software providers encouraging users to adopt unproven approaches. The situation has not been helped globally by the significant variability across available training courses, some of which continue to teach ideas that should have been retired years ago.

There are many misunderstood, misused, and misapplied ideas circulating within the risk profession, perhaps the most common of which are ‘risk appetite’, ‘risk culture’, ‘risk matrices’, ‘real risk’, and ‘inherent risk’. It is ‘inherent risk’ that is under the microscope in this paper.

The point of argument

Today, ‘inherent risk’ continues to rear its head in some risk assessment methodologies, where practitioners are encouraged to first conduct an analysis by imagining what the consequence and likelihood values would be in the absence of any controls, and then to follow this up with a second phase where the analysis considers the effects of controls on these initial values. It appears that the purpose of looking at ‘inherent risk’ in this way is to provide a quick assessment from which risks can be prioritised for a subsequent, more detailed analysis.

This raises a number of questions:

• Does such an approach have any scientific or evidential validity?
• Is the approach methodologically sound?
• Are the outputs from such an approach reproducible?
• Are the outputs from such an approach useful?
• Are there better alternatives?

⁵ Standards Australia, 2018.
⁶ COSO, 2017.


The origins of the ‘inherent risk’ concept

The origins of the concept of ‘inherent risk’ lie in the distant past, a time before the codification and standardisation of risk management, and before the formal modern definitions of risk. The ‘inherent risk’ term appears to have first emerged in the early 20th century, where it was used as a synonym for ‘danger’ being present in an object or a specific action, such as the ever-present danger of an explosives fuse in mining operations (Hall and Howell, 1912). A similar connotation was also being used earlier in the medical profession, again to mean the danger present, for example, in using certain medical equipment or procedures (Huntingdon, 1904; Ries, 1913). This included the concept that even with greater care these ‘risks’ would still be present, although the medical outcomes could be improved upon (Vail, 1916).

The legal profession also adopted the term to mean the danger or harm that could arise from an activity (Smith, 1914; Sunderland, 1924). Again, this was not ‘risk’ in the modern sense of the word (as defined and used by contemporary risk professionals), but was more akin to the concept of a hazard or threat. Similarly, early discussions about occupational health and safety again used ‘inherent risk’ where today we would talk about ‘hazards’ (McCleary, 1912). For example, the ‘inherent risk’ of certain types of forests was used to mean the ‘hazard’ presented by specific types of trees and bushes catching fire following lightning strikes (Show and Kotock, 1929).

From its origins, the term ‘inherent risk’ was never intended to convey the idea that the risk was devoid of controls, was intractable, or was impossible to control. Quite the reverse in fact: as multiple writers pointed out, with additional attention an ‘inherent risk’ could be purposefully reduced.

The term also starts to appear in the early years of the 20th century in the finance sector, in relation to the ‘inherent risk’ of certain types of investments not yielding stable returns under normal economic conditions (Knox, 1901), with accountancy increasingly adopting the term over the next couple of decades or so to refer to the overall ‘risk’ of an organisation arising from its existence and operation (Chase, 1920), as opposed to specific risks arising from individual decisions or actions. This understanding of ‘inherent risk’ continued to evolve over the following decades, where its use in accounting audits regarded the concept as errors or omissions in financial statements that were not the result of a failure of internal controls⁷ (Tuovila, 2022).

This hazard-related construct of ‘inherent risk’ continued to expand over the subsequent decades of the 20th century, its adoption increasing exponentially during and after the Second World War, entering new domains such as political science, criminology, geology, engineering, jurisprudence, and emergency management, to name but a few (Ekblad, 2021; Huang and Perez, 2018; Faxon 1960; Osgood, 1959; Hinton, 1953; Reckless, 1940). Each domain had its own definition of ‘inherent risk’, but all shared the common attributes of a hazard. The concept also continued to be used increasingly in the medical field following the war (Nathhorst, 1949; Haines, 1950; Rodman, 1954), and has continued into recent times, where, for example, the status of certain ‘control’ conditions such as age, body type, sex, and a range of metabolic factors have been associated with higher or lower levels of ‘inherent risk’ of certain cancers and neuropsychiatric disorders (Bassukas and Tatsioni, 2019; McCarthy, 2019; Krishnan, et al, 2016; Goodfellow and Haswell, 2006).

⁷ Although in this construct ‘internal controls’ are very narrowly defined as accounting controls affecting the financial statements, whereas risk management professionals would usually have a much wider consideration of ‘organisational controls’.

Thus, the concept of ‘inherent risk’, over most of the last century, conveyed the idea that certain activities and specified conditions always brought with them a danger (Choe and Leite, 2020; van Boom, 2009), whilst there was no consideration of the magnitude of the consequences arising from these ‘risks’, or of the probability of those consequences occurring. For example, certain occupations were regarded as having a higher ‘inherent risk’, such as an electrician or firefighter, compared with other occupations such as an office worker, because of the relative differences in the hazardous conditions in which they worked. Thus, ‘inherent risk’ for much of the last 120 plus years has been more closely associated with the concept of ‘hazard’ than with ‘risk’⁸ as it is understood and defined by risk management professionals today.

To further confuse matters, ‘inherent risk’ has also been used purely as an expression of the ‘likelihood’ of exposure to danger, or the potential rate of the spread of danger (Ronsivalle et al, 2020). Even now, over a century since the concept of risk and risk assessment started to become formalised, the concepts of ‘risk’, ‘hazard’, and ‘threat’ continue to be misunderstood and used incorrectly⁹ in many parts of the risk profession.

Over 40 years ago, risk specialists were steeped in probability theory, scientific method, applied mathematics, and sociology. As each new generation of ‘risk professionals’ has emerged, many have moved further and further away from these foundational skills. So, it is little surprise that these concepts have been combined in ways that were never intended, and that today often make little logical sense.

⁸ For most of the evolution of the term ‘risk’, the concept has been understood very differently to how ‘risk management professionals’ use the term today. Until the last decades of the twentieth century, ‘risk’ for most people simply meant the potential presence of and exposure to danger, a meaning held by both the layman and ‘risk expert’ alike. Indeed, this conceptualisation of risk is still one favoured today by many risk professionals outside of those that use ISO 31000 or COSO.
⁹ It is not unusual to see these terms used differently, interchangeably, or as synonyms, sometimes even by the same person.


The start of ‘inherent risk’ assessment

Some of the earliest mentions of the formal assessment of ‘inherent risk’ occurred in the 1970s (Bettman, 1972). Interestingly, these early approaches make no mention of attempting to assess ‘inherent risk’ by imagining the elimination of existing controls, and have little resemblance to how ‘inherent risk’ analysis is commonly conducted today.

In the 1980s ‘inherent risk’ assessment became more widely adopted (Colbert, 1988; Peters et al, 1989), where ‘inherent risk’ was regarded as a special component of audit risk¹⁰ (Dhar et al, 1987). The auditors’ and accountants’ use of ‘inherent risk’ concerned an account balance’s susceptibility to error or omission. This conceptualisation of ‘inherent risk’, during this period, implicitly considered that non-accounting controls would be in place for the assessment. In fact, the recommended process for ‘inherent risk’ assessment included looking at control factors such as management judgement in valuation, susceptibility to asset theft, historical errors, financial condition, experience of accounting personnel in the audited organisation, etc. All of which today we would regard as part of the control environment. As assessment of ‘inherent risk’ became more codified, there was still no intention of looking at risk after controls had been ‘eliminated’. The assessment just did not look explicitly at the effectiveness of the detailed organisational controls, but simply assumed their presence. This same conceptualisation of ‘inherent risk’ (risk being associated with certain types of activities) by the audit profession continued into more recent times (ANAO, 2003).

During the late 1980s and 1990s the ‘inherent risk’ concept continued to evolve. Auditing standards started to require ‘inherent risk’ to be looked at “without regard to the effect of controls” (for example, PCAOB, 2017). It is important to note, however, that this still did not define ‘inherent risk’ as risk in the absence of all controls. It was just without consideration of accounting controls that could directly affect the financial statements (Wong, 1998; Leslie, 1984), and there could still be the influence of all of the other broader organisational controls. It is also important to remember that ‘inherent risk’ was also defined in terms of the result of an error or omission in management assertions about the nature of financial transactions. Despite being enshrined within accounting standards, the concept of ‘inherent risk’ in accounting has been consistently criticised because of the difficulties in quantifying the risk, the potential for auditors drawing incorrect conclusions, and a common starting assumption (and misperception) amongst many auditors that the inherent risk was automatically low¹¹ (Arman, 2022; ICAEW, 2019; Haskins and Dirsmith, 1995).

Even the use of the ‘risk’ construct in auditors’ ‘inherent risk’ was different to how risk is thought of by risk professionals today. Auditors’ use of ‘inherent risk’ considered the likelihood of a financial misstatement occurring (Harrast et al, 2020; Florea and Florea, 2012), but did not assess the consequences of such a misstatement or the likelihood of those consequences being realised. Again, auditors’ construction of ‘inherent risk’ is closer to ‘hazard’ and ‘threat’ than it is to ‘risk’ as defined by ISO 31000 or COSO.

¹⁰ The other components of audit risk being ‘control risk’ and ‘detection risk’.
¹¹ Which is different to the starting assumption of most risk managers that ‘inherent risk’ will be elevated.


The introduction of ‘inherent risk’ into risk management

The world’s first risk management standard, AS/NZS 4360, was published in Australia and New Zealand in 1995¹², and carefully avoided making any reference to ‘inherent risk’. The original Standard’s suggested process involved using a qualitative analysis as a quick screening process¹³, and then applying a more detailed qualitative or quantitative analysis for the more important previously ‘screened’ risks (Standards Australia, 1995).

Whilst the 4360 Standard was being developed, an audit manager from one of the bigger international accounting firms¹⁴ developed a similar two stage organisational risk assessment process as a commercial consulting product. In this approach, the first screening step was conducted without specific detailed reference to controls¹⁵. It was assumed that controls were present, but risk workshop participants were asked to consider risk intuitively without discussing the controls in detail. The second stage then analysed the priority risks, including looking specifically at the effectiveness of relevant controls. This early methodology did not make any mention of ‘inherent risk’, nor was there any intent that the initial screening analysis was to consider risk in the absence of controls.

At some time over the next few years, some Big 8 ‘risk management’ consultants (who almost invariably came out of auditing practices) started to refer to the outputs of the first stage quick analyses as ‘inherent risk’, with the outputs of the second stage being referred to by a variety of different terms such as ‘finalised risk’, ‘real risk’, ‘assessed risk’, ‘actual risk’, ‘prioritised risk’, etc. However, it appeared that despite using the term ‘inherent risk’, these early analyses still did not attempt to deliberately ‘remove’ controls prior to assessing the risk.

However, during the following few years, as risk management emerged as an organisational discipline, some newer and inexperienced consultants (many of whom were former internal auditors) emerged. Many of these consultants fundamentally misunderstood the concept of risk and the risk assessment process¹⁶. They started to misapply the ‘inherent risk’ concept (abstracted from auditing financial statements) to the initial screening risk assessments, where they mistakenly redefined it to mean risk without controls. Their confusion was evident because, as well as misusing ‘inherent risk’, they also struggled to understand the differences between ‘risk’, ‘hazard’, and ‘threat’, and in some cases had a very confused application of ‘likelihood’. It was a misinformed and sloppy use of language and concepts. There was no real precedent for this use of ‘inherent risk’ and no published evidence that validated its use in this particular way. As these misinformed consultants became more senior in their firms, this misunderstanding about ‘inherent risk’ became the accepted dogma for a number of these risk advisory practices.

As the ‘inherent risk’ term became popularised through the 1990s and the following decade or so, the concept was discussed at the joint Australian and New Zealand Standards committee responsible for risk management standards (technical committee OB007). It was recognised that this reinterpretation of ‘inherent risk’ and its assessment was “nonsense”. By using this type of assessment, risk analysts were trying to assess a situation which did not exist, had never existed in the past, and would not exist in the future. Concerns were expressed that using ‘inherent risk’ would at best result in meaningless analytical outputs, and at worst could result in real harm. As the Australian Standards risk management handbook (HB 436) was being developed during the late 1990s, there was a small section drafted explaining the problems with the ‘inherent risk’ concept. However, a strong case was put forward that including such a critique in the Handbook would only highlight the term, and that by ignoring it, it would soon die out. OB007 decided to omit any reference to ‘inherent risk’. How wrong we were.

¹² A later version of AS/NZS 4360 became the core document in the development of ISO 31000.
¹³ And to also use qualitative analysis as the detailed approach where quantitative data were not available.
¹⁴ Which were the ‘Big 8’ at the time.
¹⁵ The assumption was that controls were present and were functioning as normal; there was just no attempt to identify, characterise, or determine the effectiveness of controls at this early stage.
¹⁶ A misunderstanding that still persists today, even in some of the larger advisory firms.

Is the ‘inherent risk’ concept a bad idea?

The concept of ‘inherent risk’ in the context of organisational or enterprise risk management has frequently been criticised for the absence of robust data for input into analysis, the lack of anyone’s experience in a zero control context, and the extreme difficulties in imagining and quantifying a world absent its controls (Slabotsky, 2023; Fraser and Simkins, 2007).

By way of example, let’s consider what is the plausible outcome of trying to assess risk in the absence of any controls. Think of any risk scenario, remove all of the controls and then think about how that risk scenario could develop. For example, consider something as simple as a paper cut to the finger:

• I reach for a sheet of paper from a pile without looking (because my visual control is eliminated).
• I take hold of the sheet and receive a paper cut (because my controls around how I handle paper safely and avoid cutting myself have been removed).
• Both the paper and my skin are contaminated with bacteria (because controls around housekeeping and basic hygiene have been removed).
• I become infected, and there are then a whole range of possible outcomes (with unknown probabilities). Although septicaemia, with an accompanying high fever and cognitive impairment, is very plausible (because my immune system controls have been eliminated), and I die within a few hours. A pretty catastrophic impact on my personal objectives!
• Assume that before I die, and in my delusional fever, I manage to get in and drive my car. Driving down the street, I cross into a busy intersection (because my visual controls are gone, and other controls such as traffic lights and speed limits have also been eliminated).
• The oncoming heavy vehicle carrying a vast quantity of hazardous chemicals hits my vehicle and overturns (because in the absence of controls, that vehicle has no brakes, the driver is untrained, the vehicle is not designed to withstand any form of collision, and there of course are now no restrictions or obligations for transporting hazardous material in a safe manner).
• Again, because there are no controls, there are a whole range of potential scenarios, although very serious outcomes are eminently plausible for me and for others that are exposed, which will continue to increase (in the absence of any emergency response, which as a suite of controls has been eliminated).
• In the absence of any controls, the hazardous chemicals spill onto the road, containers split, and a toxic gas plume covers the central business district, causing major disruptions to all government and corporate functions. There would also probably be widespread mass deaths (because controls such as evacuations, shelter-in-place, and containment would also be eliminated).
• If this was not catastrophic enough, as financial trading stops, it causes mass panic in international markets (no controls, remember), which results in a major global financial crisis.

Yes, this is absolutely an extreme scenario, fantastical and unrealistic in the real world. That is because in our real world there will be some controls somewhere. Even just looking at risk is a control that will have some effect on outcomes. These controls will serve to substantially narrow the range of plausible probabilities for the various events, limit the plausible consequences should such events occur, and limit the plausible probabilities of those consequences occurring. If we take any risk and remove all controls, we will generally tend towards extreme and catastrophic scenarios. How can ‘inherent risk’ then provide us with any useful information on which to prioritise risks for more detailed assessment?

Introducing more unnecessary uncertainty

All risk scenarios have some level of modelling uncertainty, and in many risk assessments this level of uncertainty is already fairly high. By creating an even more artificial and abstracted risk scenario by assuming the absence of controls, we are only introducing yet more uncertainty into the model. This ‘inherent’ uncertainty, by its very nature, will be many times greater than any error present in the original scenario.

Furthermore, even starting with a simple risk scenario, once one removes all controls from the scenario, we not only fail to get any meaningful understanding of the nature of the primary risk, but we also create a multitude of additional subsidiary risks¹⁷. Thus, the very attempt at trying to develop a shortlist of risks instead creates additional uncertainty and an overwhelming list of new risks that need to be dealt with. For those of you that would respond to this with: “well, when I assess inherent risk, I don’t create any new risks”, my reply would be that this just proves how shallow the risk analysis approach that you are using really is! In any attempt at artificially removing controls, we are in fact establishing a very different scenario to that which we started with, with a whole raft of new assumptions that will probably never be surfaced or challenged.

¹⁷ Unsurprisingly, in almost all of the ‘inherent risk’ assessments that I have seen, the analysts have consistently failed to consider the creation of these additional risks.

Does conducting an assessment of ‘inherent risk’ really tell us anything about risk? Let’s think
about it from first principles. The way in which an individual, system, or organisation initially
and subsequently interacts with a source of risk will be a major determinant of what effect
that risk source will have. How such interactions occur is largely dependent upon the control
environment (which is a much more expansive environment than traditional internal audit
would ever consider). Strip away those very fundamental controls, and we really have little
idea about how such interactions would play out in this highly artificial situation. In this
situation, a structured hazard analysis or threat analysis would provide much more insight
than an unrealistic analysis of ‘inherent risk’.

Ah, but I can hear your counter-argument: “when WE use ‘inherent risk’, we only remove the
most influential controls from our initial risk assessment”, and yes, that is a common argument
used by some risk practitioners and consultants. However, it is immediately apparent that
‘inherent risk’ here has a very different meaning to that used by the ‘zero controls’ lobby, and
if the influential controls are still present, is this still ‘inherent risk’?

Although there are valid approaches that do assess the effects of removing controls (see
below), they involve detailed analysis, not just a quick initial screening analysis. The ‘screen
by removing some controls’ argument is as problematic as the ‘zero controls’ approach:

• Significance of eliminated controls: If there is no detailed analysis of controls being
conducted, how does one know which are the ‘non-influential’ controls that can be
excluded prior to the ‘inherent risk’ assessment? In an initial screening analysis, we
have at best only a very superficial understanding of the nature of controls and the
effect of removing those controls.

• Significance of remaining controls: Similarly, what about those ‘influential’ controls
that were not removed from the initial screening analysis? Does the analyst innately or
intuitively18 have any idea what effect leaving some controls in situ whilst removing
others may have on potential consequences and likelihood in the risk scenario?

• Low accuracy: Any initial screening analysis that tries to estimate ‘inherent risk’ by
arbitrarily removing some or all controls ‘intuitively’ would be expected to have
increased uncertainty, lower accuracy, lower precision, and lower repeatability
compared with almost any other accepted way of analysing risk.

• Emergent properties: Most of the time, when a screening risk analysis is required, the
context will be one of complexity19. The one clear thing about complex systems is that
they behave very differently than the sum of all of the individual parts would have us
believe. It is well recognised that complex systems show emergent properties that are
difficult to predict from reductionist analytical approaches (Artime and De Domenico,
2022; San Miguel, 2022; Turnbull, et al, 2018). When such reductive approaches are
used for complex systems, they will often produce meaningless results.

18
Because the justifying argument for using a screening assessment is to simplify (e.g., by removing ‘noise’ or
less important risks) the extent and range of risks requiring more resource-heavy detailed analysis.
19
After all, one of the arguments for using ‘inherent risk’ is to reduce this complexity.

• Additional uncertainty: With increasing complexity comes higher uncertainty. How
can introducing an unknown level of additional uncertainty (because we are using
‘inherent risk’) into an already highly uncertain risk scenario be justified?

• Expectations of symmetry: In trying to assess ‘inherent risk’, there is an overriding
assumption of symmetry in the approach. That is, if we remove specific controls from
one risk scenario, there will be a similar proportional effect in removing those same
controls from other similar risk scenarios. However, the relationship between
controls and risk is often very asymmetric. Removing what may appear to be a critically
important control could have a smaller effect in one situation,
compared to removing it in only a slightly different situation where the effect could be
much greater. In other words, we have no realistic idea about the relative effect of
removing selected controls from a single risk or group of risks, based solely on
assumptions. Some risks may be affected significantly, whilst others are affected only
marginally. Thus, what appears to be a substantial ‘inherent risk’, once certain controls
are removed, may prove to be inconsequential in a ‘normal’ risk analysis, and vice
versa. The only way of determining such asymmetry is either by observing the actual
effects of the controls on real situations, or by modelling the system within which the controls
operate. Neither of which is feasible if one is trying to estimate inherent risk using
a quick screening analysis.

• Perceptual problems: In trying to estimate ‘inherent risk’, the analysis is subject to
perceptual flaws and cognitive biases more than in almost any other risk assessment
approach. This is not only an issue because we are trying to create a scenario that is
substantially more abstracted than usual. It is also problematic because we are likely
to have flawed assumptions about how controls operate individually and collectively,
when ‘inherent risk’ is looked at in the absence of a detailed controls analysis.

• Simple linear causality: There is a lot of evidence indicating that the human brain tries
to understand the world in terms of simple linear cause-and-effect relationships, so-
called Cartesian-Newtonian thinking (Gibson and Gibson, 2023). However, the world
is generally not linear in character, and trying to understand it in terms of such
simplistic linearity will often yield inaccurate or misleading results.

Many types of risk assessment are based upon linear thinking and constructs, and
struggle to make sense of increasing complexity. Because of this inability to accurately
model non-Cartesian-Newtonian worlds, most risk analysis will be subject to elevated
uncertainty and inaccuracy as the complexity of the context increases. Introducing the
concept of ‘inherent risk’ increases the reliance on simplistic cause-and-effect
(Cartesian-Newtonian) thinking20, further invalidating the outputs of the risk analysis.

20
Because when we remove controls to get to ‘inherent risk’ we are almost always doing so under the
assumption of simple linear relationships.

• Poor probability estimations: Although the human brain appears to be wired to build
probability distributions of observed phenomena (Ma and Jazayeri, 2014; Yuilee and
Kersten, 2006), it is a very poor estimator of these probabilities (Cogency, 2018;
Timmer, 2011; Schermer, 2008). If the brain was any better at probabilities, there
would be no gambling!

If the average person has difficulties in assigning realistic probabilities to familiar
situations, how much more difficult will this be in the wholly unfamiliar and artificial
situation of a scenario with no controls, where not just probability but also
consequence becomes more illusory? Imagining a scenario even more abstracted from
reality can only compound the potential for error and misunderstanding of
probabilities in a risk assessment. Unless, of course, by removing all controls the
resulting probability of a catastrophe moves to certainty (p=1.0).

• Extreme subjectivity: There is ample evidence that shows that even generally
accepted risk assessment approaches, such as ISO 31000 and COSO, are highly
subjective21 and hence can have poor reproducibility when the same sets of data are
assessed by different risk analysts (Worden, 2021; Kosovak et al, 2021; QRMC, 2020;
Lerma, 2018; Pickering and Cowley, 2010; Smock, 2002; Redmill, 2002, 2001; Skojong
and Wentworth, 2001). Even the same analyst can produce different results if an
assessment is repeated at different times, affected by changes in emotional and
psychological profiles (Frey, 2021; Sobkow et al, 2016; Groth, 2015; Sjöberg, 2007).

No one knows (let alone the analyst concerned) the extent of the differences in
subjectivity that are introduced when switching between ‘inherent risk’ analysis and
other ‘normal’ methodologies. One can only imagine the variability that exists in the
assessment of something as ephemeral as ‘inherent risk’.

• Simulation of control failure: Other proponents of ‘inherent risk’ defend its use
by arguing that ‘inherent risk’ allows the analysis of a situation in which controls could
fail in the future. Yes, it is important to have an understanding of the potential for
control failure, and such an understanding should be factored into any type of risk
assessment (Abul-Haggag and Barakarat, 2013). However, techniques such as process
modelling and vulnerability analysis are very different propositions from simply
removing all controls as a quick initial assessment of risk. Purposefully analysing the
contribution of specific controls provides far better insight than the make-believe
world of zero controls or arbitrarily selected controls that is popularised by ‘inherent
risk’.

21
This is not just a problem with qualitative analysis. Many quantitative approaches involve surprisingly
significant subjectivity and uncertainty in assigning values to probability and consequence measures (Smith,
2018; Ferdous et al, 2007; Curley, 2008; Galway, 2007; OIE, 2004; Yang et al, 2005; Paté-Cornell and Dillon, 2001;
Redmill, 2001). However, applying sound quantitative techniques will almost always reduce the level of
uncertainty and subjectivity compared with generally accepted qualitative techniques.

Normalisation of deviance

In the absence of any considered control analysis, looking at ‘inherent risk’ in either a ‘zero
controls’ or ‘influential controls only’ screening risk analysis begs the questions: how reliant
are we on assumptions? And how valid or misplaced might those assumptions actually be?

Well, a quick screening analysis is, by its very nature, substantially dependent upon a whole
range of assumptions about:
• What controls should be present.
• The level of activation of those controls.
• The maintenance of those controls.
• The effect that each of these controls may have (in the subjective scenario being
looked at).
• The nature and extent of relations, interactions, and interdependencies of these
controls with each other.

Some of our assumptions may be based upon historical data about these controls in other
scenarios (real or hypothetical); other assumptions will have little supporting evidence. Even
where there is some evidence (for example detailed design specifications and operating
procedures), there can be a huge difference between how we assume controls are working and
how they actually work in real life.

Our understanding of the nature of controls is often very misplaced and divorced from reality
because of the presence of a phenomenon known as ‘normalisation of deviance’ (Vaughan,
2016). Normalisation of deviance often occurs where processes, behaviours, decision-making,
and other controls have a tendency to drift (accumulating small changes) from their original
intent or design over a period of time. People make unofficial shortcuts in their processes and
activities, which become adopted as the accepted way of working (work as done), to which
are then added further shortcuts which also become normalised in due course. This can occur
with respect to an individual’s work, or can occur as socially constructed normalisation as
these deviations become shared and accepted amongst others (Courtois and Gendron, 2017;
Vaughan, 2016). Such normalisation can occur almost anywhere in an organisation, and is rarely
consciously recognised until a major failure occurs and is investigated.

The influence of normalisation of deviance can invalidate many of the assumptions that we
make about controls, because the assumptions that we hold about how controls work
(work as believed) are usually based upon the expressed intent and design of those controls
(work as designed). However, because of normalisation, how the controls actually work can be
very different from how they were designed and how we believe they work.

The situation can be even further complicated because the control information that is
provided by others to risk analysts may be even further divorced from reality (work as
reported). Normalisation of deviance has been implicated in many organisational failures and
major disasters, including the explosion of the Challenger space shuttle (Vaughan, 2016).
However, its presence is common in most organisations, where it degrades performance and
makes processes more brittle in the face of change (Entwistle and Doering, 2023; Sedlar et al,
2022, 2023; Goff et al, 2015; Hase and Phin, 2015; Naweed et al, 2015; Rydenfält et al, 2014).

In any analysis that is reliant upon unvalidated assumptions (the very attribute of ‘inherent
risk’ analysis), there will be substantial additional uncertainty. That is, unless there is a
concerted effort to investigate and model control behaviour.

The fantasy of ‘inherent risk’

Many of the proponents of ‘inherent risk’ talk about it in terms that indicate that they believe
such risk exists as a tangible entity, i.e., that it exists in its own right independent of the
observer and analyst. This runs counter to the basic premise on which the concept of risk is
founded (certainly within the world of ISO 31000 and COSO users), that risk is a cognitive and
social construct (Maskrey et al, 2022; Zinn, 2004; Renn et al, 1992).

What do we mean by risk being a social construct? There are a number of different concepts
bound up in the term; however, the simplest way of thinking about it is that risk does not exist
per se, but rather that we make up risk in our minds as a way of simplifying a complex and
uncertain world. At the core of many contemporary definitions of risk is the existence and
effects of uncertainty. Again, uncertainty does not have a separate existence in and of itself.
Uncertainty is created in the minds of those that perceive the presence or absence of sought-
after understanding. The social construction of risk is based upon what we as individuals or as
part of a group do or do not know (Marris, 2006; Begun and Kaissi, 2005; Babrow and Dutta-
Bergman, 2003; Forss and Samset, 1999).

Whilst there are many different types of uncertainty, generally the extent of uncertainty
depends upon individual and group attributes. What is uncertain to one person may be less
or more uncertain to a different person. The nature of the ‘knowledge area’ will
contribute to uncertainty (for example the information may be highly variable, not be
available, or may not even exist), along with cognitive capabilities, acquired experiences,
emotional influences, memory, etc. Thus, to a large extent uncertainty is personally
constructed. When we communicate and share sensemaking about our individually
constructed risks, we then also socially construct them.

If we accept that risk is a ‘function’ of uncertainty, then risk is personally, culturally, and
socially constructed. So it is with ‘inherent risk’. The nature of ‘inherent risk’ will vary
depending upon the personal, cultural, and social influences at play. The big difference is that
for ‘inherent risk’, because of its artificiality, unfamiliarity, and higher uncertainty, estimates
about ‘inherent risk’ will be more vague, less accurate and less precise than other risk
estimates that we may make.

Notwithstanding the ‘fantasy’ element of ‘inherent risk’, there is probably a case where risk
may be truly inherent, i.e., where the uncertainty is probabilistic, the probability is fixed, and
the defined outcomes are truly random, such as gambling on the roll of dice22. However, as
soon as the gambling becomes more complex, such as playing the stock market or horse
racing, then controls start to be introduced which affect the outcome, and so true inherency
is lost.

Attempts to sustain the ‘inherent risk’ concept

It has been suggested by some consultants that the concept of ‘inherent risk’ may be useful
when applied as a second stage analysis following a ‘normal’ risk assessment, i.e., repeating
the risk analysis but this time with the controls eliminated. The suggestion is that such an
approach will provide insight into the importance of those controls.

The validity of such a second phase approach comes down to how ‘inherent risk’ is defined. If
you are considering analysing ‘inherent risk’ by removing all controls, even in a more
substantive risk assessment, I can save you time and money. Removing all controls will result
in ‘inherent risk’ being significantly higher than the original estimation, and will usually tend
to the catastrophic for most risks, including even the more insubstantial. In other words, if you
remove all controls, the risk will most likely increase by orders of magnitude.

A variation on this approach (Hubbard and Seiersen, 2016) describes analysis looking at risk
with the minimum acceptable ‘mandatory’ controls present23 to provide the ‘inherent risk’,
and then conducting subsequent analyses to determine the reduction in uncertainty that can
be achieved by accounting for the effect of one or more specific ‘discretionary’
supplementary controls. Again, this is a very different meaning of
‘inherent risk’ to the ‘absence of all controls’ definition. It can be argued that this way of
thinking about inherent risk has more validity than any of the other approaches. Besides
lending itself to scientific validation, it is also the closest to the true meaning of ‘inherency’:
“existing in something as a permanent, essential, or characteristic attribute”.

It can be useful to create simulations where the effect of removing or adding individual and
combinations of controls can be modelled. Such modelling is undertaken considering
potential complexity effects (such as emergent behaviours), and using a structured analytical
approach to gain a deeper insight into control behaviours. This may include using a range of
tools and techniques such as bow tie diagrams, event tree and fault tree analysis, vulnerability
analysis, control criticality analysis, scenario analysis, backcasting etc. Even modelling using
techniques such as Bayesian belief network analysis (Kaikkonen et al, 2020; Pereira et al, 2016;
Dambacher et al, 2007), with the increasing availability of cheap software applications, is
now within the reach of the average risk analyst.

22
Although it could be argued that the dice themselves are each a control. The manner in which a die is designed,
manufactured, and maintained will determine the extent of any innate probability bias it possesses, and hence
the gamble cannot possess any ‘inherent risk’, because removing all controls will remove all of the dice, and hence remove
the uncertainty.
23
For example, in such an approach, the ‘inherent risk’ associated with driving a motor vehicle at night would
include consideration of ‘mandatory’ and expected controls (mechanically and structurally sound vehicle with
working brakes, car lights, seat belts, street lights, maintained road surface, road rules, etc.), but would exclude
additional discretionary controls (such as in-vehicle radar proximity detection, all-round camera systems, bull
bars, collision avoidance systems, advanced driving tuition, etc.). The idea being that a detailed analysis could
indicate how much risk reduction would be contributed by each of these ‘supplementary’ controls.
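To make the ‘mandatory controls present, then layer on discretionary controls’ variation and the control-combination modelling described above concrete, here is an added Python illustration. It is my own example, not code from the paper or from Hubbard and Seiersen: the baseline probability and loss, the three discretionary control names and their factors are constructed assumptions, and the multiplicative effect model (each control scales event probability and/or loss by a fixed factor) is itself an assumption that a real analysis would need to validate against observed control behaviour. It computes the annual loss expectancy for every subset of discretionary controls and the marginal reduction each control contributes, which shows that a control’s contribution depends on what is already in place.

```python
# Added illustration of a 'mandatory controls present' baseline with discretionary
# controls layered on, and of how much annual loss expectancy (ALE) each control
# or combination removes. Every number and control name here is a constructed
# assumption, as is the multiplicative effect model; a real analysis would have
# to validate both against observed control behaviour.
from itertools import combinations

BASELINE_PROBABILITY = 0.20   # assumed annual probability of the loss event with mandatory controls only
BASELINE_LOSS = 500_000.0     # assumed loss if the event occurs (same units throughout)

# Assumed effect of each discretionary control when present: it multiplies the
# event probability and/or the loss by the given factor (1.0 = no effect).
DISCRETIONARY_CONTROLS = {
    "collision_avoidance": {"probability_factor": 0.5, "loss_factor": 1.0},
    "proximity_radar":     {"probability_factor": 0.8, "loss_factor": 1.0},
    "advanced_tuition":    {"probability_factor": 0.7, "loss_factor": 0.9},
}


def annual_loss_expectancy(active=()):
    """ALE with the mandatory baseline plus the named discretionary controls."""
    probability, loss = BASELINE_PROBABILITY, BASELINE_LOSS
    for name in active:
        effect = DISCRETIONARY_CONTROLS[name]
        probability *= effect["probability_factor"]
        loss *= effect["loss_factor"]
    return probability * loss


def marginal_reduction(name, active=()):
    """ALE removed by adding one control to a set of controls already present."""
    return annual_loss_expectancy(active) - annual_loss_expectancy(tuple(active) + (name,))


def rank_controls(active=()):
    """Discretionary controls not yet present, ordered by the ALE each would remove next."""
    candidates = [n for n in DISCRETIONARY_CONTROLS if n not in active]
    ranked = [(n, marginal_reduction(n, active)) for n in candidates]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def combination_table():
    """ALE for every subset of the discretionary controls, smallest ALE first."""
    names = list(DISCRETIONARY_CONTROLS)
    rows = []
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            rows.append((subset, annual_loss_expectancy(subset)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    print(f"baseline ALE (mandatory controls only): {annual_loss_expectancy():,.0f}")
    for name, reduction in rank_controls():
        print(f"  add {name:<20} removes {reduction:,.0f}")
    # The value of a control depends on what is already in place: the same control
    # removes less once another control has already cut the event probability.
    print(f"collision_avoidance alone: {marginal_reduction('collision_avoidance'):,.0f}; "
          f"after proximity_radar: {marginal_reduction('collision_avoidance', ('proximity_radar',)):,.0f}")
    for subset, ale in combination_table():
        print(f"  {', '.join(subset) or '(none)':<55} ALE {ale:,.0f}")
```

Under these assumptions the baseline ALE is 100,000; collision avoidance alone removes 50,000, but only 40,000 once proximity radar is already present, because both act on the same event probability. That interaction is exactly why the paper argues that the contribution of a control cannot be read off by intuition, and a model like this is only as good as the evidence behind its factors.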

Whilst acknowledging that this form of assessment can be extremely useful, using the term
‘inherent risk’ carries so much baggage and confusion that continuing to apply the term will
almost ensure that the technique will be misused. Let’s use the techniques, but find some
alternative terminology instead of ‘inherent risk’.

A poor modelling approach

In any attempt at risk assessment, the analyst is trying to construct a model, an abstraction of
the real world24, to simplify reality to a manageable level where some insight or deeper
understanding can be gained. Almost all risk assessments are a gross simplification of reality,
and the outputs of many will be based more on intuition and guesswork than on a repeatable
scientific process using validated evidence. However, risk models based upon simple
subjective abstraction can still provide useful insights, where that subjectivity is based upon
experience and sound sensemaking. For most people in most situations, trying to determine
‘inherent risk’ will be beyond informed subjectivity, instead sitting firmly in pure imagination.
Whilst it could be argued that using quantitative, rather than qualitative, assessment in many
circumstances provides a more accurate portrayal of risk, where ‘inherent risk’ is concerned
valid quantitative data is often absent or misused.

For those analysts still committed to using ‘inherent risk’, please try answering the following
questions:

• How accurate and precise are the models that you use for the assessment of ‘normal
risk’25?
• How do you measure this accuracy and precision?
• How have you validated the criteria that you use to estimate26 or measure risk?
• Have you used a robust and reliable method for surfacing and challenging the
assumptions that underpin your risk model and the assessment methodology?
• How does your ‘normal risk’ assessment consider27:
o aleatory uncertainty (uncertainty associated with randomness or variability of a
system)?
o epistemic uncertainty (uncertainty that arises from lack of knowledge, error,
bias, preferential judgement etc.)?
o model uncertainty (for example the information that a model leaves out in its
abstraction)?
o subjective uncertainty (that arises from how information is interpreted, for
example the inferences and assumptions that we make)?
o ontological uncertainty (that arises from the introduction of new behaviours,
artefacts etc.)?
o linguistic uncertainty (that arises from the nature of the language that is used in the
risk model and during the assessment, for example the language may introduce
vagueness or ambiguity)?
o decision uncertainty (that arises from the establishment, values, and
interpretation of objectives against which a risk assessment is conducted)?

24
“All models are wrong, some are useful” (Box, 1976).
25
I am using the term ‘normal risk’ to indicate risk considered with the effect of controls allowed for, as distinct
from ‘inherent risk’.
26
‘Estimate’ is used for qualitative risk outputs as only quantitative analysis can actually measure any of the
parameters. Just because an analysis is using numbers, rather than subjective scales, does not automatically
mean that it is any more accurate than a purely qualitative approach. Many so-called ‘quantitative analyses’ are
also based on intuition and guesswork. However, in general, even subjective quantitative analysis can provide
more accurate results than purely qualitative approaches.
27
See Gibson and Gibson, 2023 for a more in-depth discussion of uncertainty and risk.

If you have difficulties in answering these questions for the assessment of ‘normal risk’, then
how can you ever expect to get anything meaningful from the even more artificial, more
uncertain, and less accurate model that is ‘inherent risk’?

Going beyond just consequence and likelihood

It also has to be remembered that a screening analysis of ‘inherent risk’ is always based upon
a simplistic comparison of the product of an estimated (guessed) consequence and likelihood
alignment. Such use of consequence and likelihood will usually only provide a simplistic two-
criteria model of a potential situation (where that potential situation is usually the result of a
combination of more factors than just consequence and likelihood). It is not difficult, or much
more time consuming, to build a more informative model of the risk scenario, which could
include:

• Consideration of the sources of risk, how these arise, how they may interact with
things of value or with the achievement of objectives, including the different pathways
by which they could interact.
• The interconnectedness of different sources that may be contributing to the risk.
• The extent to which different controls can both affect these sources, and the pathways
by which these sources and controls interact with things of value.
• The extent to which these controls could be affected by changing circumstances;
for example, this could be examined through neutralisation mapping analysis (see
Gibson and Gibson, 2023).
• Consideration of the speed with which the described conditions could arise in the risk
scenario, the speed with which the effects would become discoverable (and allow a
response), and the speed with which harm would be realised or the effects would
become intolerable.
• Consideration of the sensitivity to or unacceptability of certain types of risk. Different
types of risk can instil different levels of fear and avoidance imperative; for example,
there may be more desire to avoid a medium risk associated with radioactive
contamination than to avoid a high risk of industrial unrest.
• The ease of resolving the potential consequences and the resourcing required.

An indication of deeper problems

I would say that in many cases, the use of an ‘inherent risk’ analysis either as a screening or
investigation method in an organisation is strongly indicative of an immature risk management
approach28. Personal observations over many years, of many reviews of risk management
approaches (in a whole range of different organisations), indicate that ‘inherent risk’ is rarely
an only child. Where one sees ‘inherent risk’ one can also expect many other problems to
be present, including:

• The blind belief that a ‘Standard’ is best practice (rather than a starting point on a
journey), and that effective risk management just involves implementing such a
publication or copying another organisation’s approach, with little or no adjustment
or adaptation to the new context.
• Using risk criteria that have not been reviewed or adjusted (often remaining
unchanged for many years) despite a dramatically changing context, especially where
there has been no discussion with senior decision-makers to validate the criteria.
• Using a risk matrix that has not been tested and validated29, and relying on the matrix
to replace professional judgement30.
• Using a qualitative risk matrix with the axes numbered arithmetically (e.g., numbered
1 to 5, when the criteria themselves are exponential in character), ignoring the
mathematical issues with multiplying ordinal scales, and trying to create a quantitative
analysis by adding or multiplying the values in the body of the matrix.
• Copying risk criteria and the risk matrix directly from a publication, from another
organisation, or from a boilerplate template from a consultant.
• Reporting on risk by just providing risk ratings, which on their own can have very poor
meaning and low utility.
• Believing that simply combining likelihood and consequence is risk assessment.
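The point about multiplying arithmetically numbered axes deserves a worked illustration. The following Python is my own added example, not material from the paper: it assumes a 1-to-5 matrix whose levels stand for order-of-magnitude criteria (the probability and loss values behind each level are constructed), defines four constructed risks, and checks whether ranking by the ordinal product agrees with ranking by the expected loss that those criteria actually imply. It also goes one step beyond the text by showing that for such scales the sum of the levels, not the product, preserves the order of expected loss; that is a consequence of the assumed order-of-magnitude scales, not a recommendation taken from the paper.

```python
# Added illustration of why multiplying ordinal matrix scores misleads when the
# underlying criteria are exponential. All scale values and risks below are
# constructed assumptions, not data from the paper.

# Each matrix level is assumed to stand for an order of magnitude.
LIKELIHOOD_LEVELS = {1: 0.0001, 2: 0.001, 3: 0.01, 4: 0.1, 5: 1.0}   # annual probability
CONSEQUENCE_LEVELS = {1: 1e3, 2: 1e4, 3: 1e5, 4: 1e6, 5: 1e7}       # loss per event

# Constructed risks: (likelihood level, consequence level).
RISKS = {
    "A": (5, 1),   # near-certain, trivial loss
    "B": (2, 3),   # unlikely, moderate loss
    "C": (3, 3),   # possible, moderate loss
    "D": (1, 5),   # rare, severe loss
}


def ordinal_score(likelihood_level, consequence_level):
    """What the arithmetically numbered matrix produces: the product of two ordinals."""
    return likelihood_level * consequence_level


def expected_loss(likelihood_level, consequence_level):
    """What the criteria behind the labels actually imply: probability times loss."""
    return LIKELIHOOD_LEVELS[likelihood_level] * CONSEQUENCE_LEVELS[consequence_level]


def additive_score(likelihood_level, consequence_level):
    """For order-of-magnitude scales the sum of the levels is monotone in expected
    loss (it equals log10 of the expected loss up to a constant), unlike the product."""
    return likelihood_level + consequence_level


def rank_reversals(risks):
    """Pairs (x, y) where the ordinal product ranks x above y but expected loss ranks y above x."""
    reversals = []
    names = sorted(risks)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            ordinal_diff = ordinal_score(*risks[x]) - ordinal_score(*risks[y])
            loss_diff = expected_loss(*risks[x]) - expected_loss(*risks[y])
            if ordinal_diff * loss_diff < 0:
                higher, lower = (x, y) if ordinal_diff > 0 else (y, x)
                reversals.append((higher, lower))
    return reversals


def additive_agrees_with_expected_loss(risks):
    """True when ordering by additive_score never contradicts ordering by expected loss."""
    names = sorted(risks)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            add_diff = additive_score(*risks[x]) - additive_score(*risks[y])
            loss_diff = expected_loss(*risks[x]) - expected_loss(*risks[y])
            if add_diff * loss_diff < 0:
                return False
    return True


if __name__ == "__main__":
    for name, (l, c) in RISKS.items():
        print(f"{name}: ordinal={ordinal_score(l, c):2d} additive={additive_score(l, c)} "
              f"expected_loss={expected_loss(l, c):,.0f}")
    print("rank reversals (ordinal product vs expected loss):", rank_reversals(RISKS))
    print("additive score agrees with expected loss:", additive_agrees_with_expected_loss(RISKS))
```

With these constructed scales, risk B scores 6 on the matrix and risk A scores 5, yet A carries ten times the expected loss; the ordinal product has reversed the order. That is the ‘mathematical issue with multiplying ordinal scales’ the list refers to, and it is invisible to anyone who only looks at the matrix cell.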

28
Except where ‘inherent risk’ has been applied to represent a more sophisticated and detailed analysis of control
contributions and value.
29
There are some social media commentators that regard the use of risk matrices as a sign of imbecility. Yes,
there are major problems generally with how risk matrices are constructed and applied. However, being aware
of and addressing those problems can mean that a risk matrix can still be a useful tool in some circumstances.
Although it should never be used as a black box to automatically spit out a risk rating, it can be a useful starting
point for a conversation about risk and to build on afterwards with other more sophisticated analytical tools.
30
On numerous occasions I have seen risk profiles where relative risk ratings make no logical sense. On
challenging the analyst, the usual response is: “well that’s the result that the risk matrix gave us”. For a detailed
discussion about some of the problems with using risk matrices see Gibson and Gibson, 2023.

Other arguments supporting ‘inherent risk’

Some proponents of ‘inherent risk’ have tried to bolster support for the concept by suggesting
that the absence of any mention of ‘inherent risk’ in Standards such as ISO 31000 is because
the risk management experts involved in its development cannot yet reach an agreement on
a single definition of the term. Such suggestions are disingenuous. I cannot think of any
reputable expert, with a deep understanding of risk, that would accept the term’s inclusion in
a risk management Standard, given the current state of the term’s misuse.

Those experts that led the world in developing the first risk management Standard (AS/NZS
4360) and the associated Handbooks quickly rejected the inclusion of ‘inherent risk’ in the
early 1990s. Over the next couple of decades, the expert members of the responsible
Australian Standards Committee (OB007) quite rightly regarded the ‘inherent risk’ concept (as
it was being used in some consultant-driven risk assessment methodologies at the time) as
nonsense. There was no discussion about how best to define it; it was simply recognised that
the term31 made no logical sense, would be confusing to practitioners, and would add no value
in better understanding risk. Since then, this thinking has continued into the development of ISO
31000, although I have no doubt that some members of the responsible ISO technical
committee may still not fully understand the problems with the term’s continued use by some
risk management professionals.

However, I would agree that some self-declared ‘experts’ cannot agree on a definition of
‘inherent risk’. They variously insist that it is “risk after all controls have been eliminated”, “risk
where only selected key controls have been eliminated”, “the risk that cannot be reduced”, or
“the risk that can be substantially reduced by applying key controls”. The reason why there is
no agreement on a definition is that the contemporary common use of ‘inherent risk’ is an
artificial conceit created by misinformed individuals attempting to differentiate and sell their
‘product’. More recent attempts to redefine ‘inherent risk’ are often further confection
that will only perpetuate poor practice.

Can the ‘inherent risk’ concept ever be useful?


In certain domains, ‘inherent risk’ may be a valid concept and may be useful, especially where it is recognised that a particular occupation, activity, or situation is by its very nature ‘riskier’ than others. A wildland firefighter may very well have a higher ‘inherent risk’ compared with a primary school teacher. Walking about in some streets in Bankstown, Sydney at 2am may have a higher ‘inherent risk’ than drinking a latte on Melbourne’s Southbank at 2pm. Here ‘inherent risk’ does not mean risk with no controls, but is a recognition that certain hazards and threats associated with specific activities are present and carry the potential for a certain type of harm or loss to occur. Similarly, there is validity in the underlying concept where ‘inherent risk’ is used to mean risk considered in the presence of essential controls.

[31] Inherent risk: risk with all controls removed.

The problem remains, however, with the way that the term ‘inherent risk’ is interpreted by many users to mean risk in the absence of all controls, and then used as the basis for an initial risk analysis. If you do find the term useful, then it is your decision to carry on using it, but you should be aware of the problems that could result from such use.

I will be honest, I do find that using the concept of ‘inherent risk’ for screening purposes can at times be useful. When I hear consultants, software vendors, and prospective job candidates using the term, it can be indicative of a poor understanding of the nature of risk and risk assessment techniques, thereby providing me with a solid basis for screening these individuals out of further consideration.

“But what if I still find ‘inherent risk’ useful in risk assessments?”

I would ask the question: if ‘inherent risk’ (in the absence of controls) is the answer, then what is the problem that you are trying to resolve?

• Problem: “there is limited time and resources, and too many risks to assess. I need a quick screening approach”. Resolution: just conduct a quick screening analysis without going deeply into how the control environment affects each risk (by assuming that a ‘usual’ suite of controls is present). Such an intuitive assessment is likely to be more accurate than trying to guess what a consequence and likelihood would be once all controls have been artificially excluded (a situation we will never have experienced in real life). There are many more practitioners out there using ‘normal’ risk assessment screening successfully than the few that persist with ‘inherent risk’.
• Problem: “I need to show the effectiveness of the control environment; comparing ‘inherent risk’ with the level of risk following controls will show that”. Resolution: this is a very common misunderstanding about ‘inherent risk’. Most risk analysts have no idea of the level of model error and variability that exists in their routine risk assessments, and they will have even less idea about their ‘inherent risk’ assessment. Any assigned ‘inherent risk’ rating is likely to carry so much uncertainty and error that the deduced value could be placed almost anywhere on the spectrum of possible risk ratings should another analyst repeat the assessment. The first step in addressing the problem should not be to introduce even more artificiality and uncertainty into the assessment, but rather to determine the accuracy and precision of the ‘normal risk’ assessment approach. The results may shock you. Instead of looking at ‘inherent risk’, use tools such as event tree and failure tree analysis, bow tie diagrams, vulnerability analysis, and Bayesian belief network analysis to get a better understanding of the nature and influence of controls.
• Problem: “I need to understand what the key controls are and what effect they are having”. Resolution: resorting to an assessment of ‘inherent risk’ will not produce this information. In most circumstances it will be extremely difficult to determine how a single control affects the level of risk, let alone the effect of removing all controls. The required information will simply not be there. Such an approach is also heavily reliant on the assumption that the operation of specific controls is sufficiently understood, and that a linear cause-and-effect relationship exists. For many controls, the assumption of linearity is invalid. There is a whole range of tools that can help us to better understand how controls work and the range of effects that controls may have, singly and collectively.
• Problem: “I need to identify gaps in the control environment and uplift capability”. Resolution: looking at ‘inherent risk’ is perhaps the weakest possible approach that could be taken. The only insight it provides is that if we create an imaginary world (risk without controls) and use our heavily biased and shallow modelling of that world, then we may perceive a change in risk levels once we start to take away controls. Remember that the more abstract a risk model becomes, the less relevance it has to reality. A highly abstracted ‘inherent risk model’ will tell us little about the real-world operation and effect of controls. Again, there is a range of tools and techniques that can be used to far better effect to identify uplift opportunities.
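
The variability point raised in the second problem above, as an added illustration that is not part of the paper: a small seeded Python simulation in which many independent analysts rate the same risk on a 5x5 matrix, once with the scatter one might see in a routine assessment and once with the wider scatter of judgements about a never-observed ‘no controls’ world. The matrix bands, the central estimates, the spread values and the eight-analyst panel are constructed assumptions; the same modal-agreement measure can be applied to ratings actually collected from analysts in a calibration exercise.

```python
"""Inter-analyst variability of a 5x5 risk-matrix rating (constructed illustration)."""
import random
from collections import Counter

# Constructed 5x5 matrix: likelihood x consequence scored 1..25 and banded.
# These bands are an assumption for the illustration, not taken from the paper.
BANDS = (("Low", 1, 4), ("Medium", 5, 9), ("High", 10, 15), ("Extreme", 16, 25))


def rate(likelihood: int, consequence: int) -> str:
    """Map two 1..5 ordinal scores to a rating band via their product."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("scores must be on the 1..5 scale")
    score = likelihood * consequence
    for name, lo, hi in BANDS:
        if lo <= score <= hi:
            return name
    raise AssertionError("unreachable: bands cover 1..25")


def modal_agreement(ratings):
    """Share of ratings that match the most common rating (a precision measure).

    Applied to ratings collected from independent analysts assessing the same
    risk, this is the kind of check the paper asks for before trusting any
    rating scheme. Returns (modal_band, agreement_fraction).
    """
    if not ratings:
        raise ValueError("no ratings supplied")
    mode, n_mode = Counter(ratings).most_common(1)[0]
    return mode, n_mode / len(ratings)


def _ordinal(centre: float, spread: float, rng: random.Random) -> int:
    """One analyst's ordinal estimate: a noisy reading of a central value, clipped to 1..5."""
    return min(5, max(1, round(rng.gauss(centre, spread))))


def simulate_ratings(centre_l, centre_c, spread, n_analysts=20000, seed=1):
    """Simulate independent analysts rating the same risk.

    `spread` models how far individual estimates scatter around the central
    likelihood and consequence judgements. A hypothetical 'no controls' world
    that nobody has observed is modelled simply as a larger spread (an
    assumption of this illustration). Returns (modal_band, agreement, band_shares).
    """
    rng = random.Random(seed)
    ratings = [rate(_ordinal(centre_l, spread, rng), _ordinal(centre_c, spread, rng))
               for _ in range(n_analysts)]
    mode, agreement = modal_agreement(ratings)
    shares = {band: n / n_analysts for band, n in sorted(Counter(ratings).items())}
    return mode, agreement, shares


# Constructed sample: eight analysts' (likelihood, consequence) scores for one
# risk, as might be gathered in a calibration exercise. Not real data.
PANEL = [(3, 3), (3, 4), (2, 3), (3, 3), (4, 3), (3, 3), (2, 4), (3, 2)]


def panel_agreement():
    """Modal band and agreement for the constructed eight-analyst panel."""
    return modal_agreement([rate(l, c) for l, c in PANEL])


if __name__ == "__main__":
    mode, agree = panel_agreement()
    print(f"panel of {len(PANEL)}: modal band {mode}, agreement {agree:.0%}")
    for label, spread in (("routine assessment", 0.5), ("'inherent' (unobserved world)", 1.5)):
        mode, agree, shares = simulate_ratings(3, 3, spread)
        print(f"{label}: modal band {mode}, agreement {agree:.1%}, band shares {shares}")
```

With the wider spread the modal band is agreed by only about a third of analysts and all four bands are reached, which is the ‘almost anywhere on the spectrum’ outcome described above.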

Conclusion

Over a period of just over a hundred years, a simple construct of ‘inherent risk’ representing the potential presence of danger or future harm has been corrupted to represent an artificial, unrealistic, and illogical construct. The concept of ‘inherent risk’, which was originally intuitively useful, has today become a confused mess of ideas that often conflict with the core concepts of uncertainty and risk, and with the principles of risk management.

The commonly used screening methodologies for ‘inherent risk’ in risk management are poor practice, and are misleading risk practitioners and the end users of analytical products. Decision-makers are being misled into relying on ‘inherent risk’, a confected construct for which there is zero scientific evidence supporting or validating its use.

Some advisory firms and publications (like COSO) have done the profession a great disservice by continuing to promote the unsound idea[32] of ‘inherent risk’, rather than educating practitioners and users about more meaningful and robust concepts and approaches. Even organisations that have adopted the ‘inherent risk’ concept outlined by bodies such as COSO often go on to interpret the definition very differently from each other. For example, as well as those that believe inherent risk to be the ‘absence of all controls’, others use the concept of inherent risk being the level of risk “assuming existing responses fail”, “assuming existing responses operate according to design” (Curtis and Carey, 2012), or “inherent risk is the current risk level given the existing set of controls rather than the hypothetical notion of an absence of controls” (Slabotsky, 2023).

Yet many risk practitioners are not themselves without blame. To label our calling a ‘risk profession’ may be a misnomer, as there is no required corpus of knowledge that has to be gained and expertise that has to be demonstrated before calling oneself a ‘risk professional’.

[32] Inherent risk: “the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact” (COSO, 2017).

The concept of ‘inherent risk’ persists today because of continuing high levels of ‘risk illiteracy’ in both ‘risk professionals’ and senior decision-makers (Hubbard, 2020; Hodge, 2019; Monat and Doremus, 2018; Aven, 2017; Minsky, 2016; Ball and Watt, 2014; Kaplan and Mikes, 2012). Until the illiteracy issues are resolved, the misuse of ‘inherent risk’ will continue.

At the end of the day, we could simply say that if you want to use the term ‘inherent risk’, you should be free to use it any way that makes sense to you and that you find to be useful. However, life and the real world are not as simple as that. The confusion about, and misuse of, the term have real-world consequences, well beyond those who promote the use of ‘inherent risk’. In an age of risk-based regulation, we are seeing an increasing adoption of the ‘inherent risk’ concept (as risk in the absence of controls) by regulators (for example: DJPR, 2021). Given the adverse effects that the ‘inherent risk’ concept can have on understanding risk, some organisations are being forced to apply substandard risk assessment practices that are directly increasing their operating costs, and could unnecessarily expose society to real and prolonged harm.

Today, there is no accepted definition of ‘inherent risk’, just confusion and a range of poor practices. Although there are some risk assessment approaches that use the term ‘inherent risk’[33] and do have some scientific validity, the continuing confusion and misuse of the concept is sufficient to warrant abandoning the use of ‘inherent risk’. For those with effective approaches, simply don’t call that baseline level of risk ‘inherent’; for those using it to determine a screening level of risk with all controls removed, please just stop and look for a better way of doing things.

Author: Dr Carl A. Gibson

Carl has been involved in the development of risk-related Standards since the mid-1990s, being a contributor to the development of Australian, USA, Singaporean, and ISO Standards. He is the author of over 130 publications in the areas of risk, governance, security, resilience, emergency and business continuity management, disaster health, and the epidemiology and pathology of infectious diseases. He has contributed to the development of over 20 standards publications, including as a lead or co-author of Australian and New Zealand Standards publications for managing disruption-related risk, fraud and corruption control, business continuity management, employment screening, and managing security-related risk.

Carl has served in the military and police services, and is currently a volunteer operational officer in a wildland fire service. He is also an executive director of the consulting firm Executive Impact, and has previously held senior appointments in the government, higher education, and international corporate sectors.

[33] E.g., risk in the presence of essential controls.

References
Abul-Haggag O.Y. and Barakart W. (2013). Application of Fuzzy Logic for Risk Assessment Using Risk Matrix. International Journal of Emerging Technology and Advanced Engineering 3(1) pp. 49-54.
Alijoyo F.A. and Norimarna S. (2021). The Role of Enterprise Risk Management (ERM) Using ISO 31000 for the Competitiveness of a Company That Adopts the Value Chain (VC) Model and Life Cycle Cost (LCC) Approach. 3rd International Conference on Business, Management and Finance, 11 March 2021. Oxford, United Kingdom.
Alviniussen A. and Jankensgård H. (2018). The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite. Available at SSRN: https://ssrn.com/abstract=3174591 or http://dx.doi.org/10.2139/ssrn.3174591.
Andersen T.J. and Young P.C. (2020). Strategic Risk Leadership: Engaging a World of Risk, Uncertainty, and the Unknown. Routledge, Abingdon, UK.
ANAO (2003). Property Management. Audit Report No. 19, 2003-04. Australian National Audit Office, Canberra.
Arman D. (2022). Inherent Risk and SAS No. 145: New Concepts and Requirements. Journal of Accountancy, 13 October 2022.
Artime O. and De Domenico M. (2022). From the Origin of Life to Pandemics: Emergent Phenomena in Complex Systems. Philosophical Transactions Royal Society A 380 Article 20200410.
Aven T. (2017). Improving Risk Characterisations in Practical Situations by Highlighting Knowledge Aspects, with Applications to Risk Matrices. Reliability Engineering and System Safety 167 pp. 42-48. Abingdon, UK.
Aven T. (2016). Implications of Black Swans to the Foundations and Practice of Risk Assessment and Management. Reliability Engineering and System Safety 134 pp. 83-91.
Aven T. (2017). The Flaws of ISO 31000 Conceptualisation of Risk. Journal of Risk and Reliability 231(5) pp. 467-468.
Aven T. (2019). The Science of Risk Analysis: Foundation and Practice. Routledge.
Aven T. and Ylönen M. (2019). The Strong Power of Standards in the Safety and Risk Fields: A Threat to Proper Developments of These Fields? Reliability Engineering and System Safety 189 pp. 279-286.
Babrow A.S. and Dutta-Bergman M.J. (2003). Constructing the Uncertainties of Bioterror: A Study of U.S. News Reporting on the Anthrax Attack of Fall, 2001. In: Rethinking Communicative Interaction: New Interdisciplinary Horizons (Editor: C.B. Grant). John Benjamins Publishing Company, Amsterdam/Philadelphia.
Ball D. and Watt J. (2013). Further Thoughts on the Utility of Risk Matrices. Risk Analysis 33(11) pp. 22068-22078.
Bassukas I.D. and Tatsioni A. (2019). Male Sex is an Inherent Risk Factor for Basal Cell Carcinoma. Journal of Skin Cancer 2019 Article ID 8304271.
Beasley M.S., Branson B.C., and Hancock B.V. (2019). The State of Risk Oversight 2019: An Overview of Risk Management Practices. Enterprise Risk Management Initiative. AICPA and Poole College of Management: Risk Management Initiative, 10th Edition. North Carolina State University, NC. Accessed at: https://erm.ncsu.edu/az/erm/i/chan/library/2019_Current_Report_on_State_of_Risk_Oversight.pdf.
Begun J.W. and Kaissi A. (2025). The Social Construction of Uncertainty in Healthcare Delivery. In: Uncertainty and Surprise in Complex Systems (Editors: McDaniel R.R. and Driebe D.J.), Springer, Cham, Switzerland.
Bettman J.R. (1972). Perceived Risk: A Measurement Methodology and Preliminary Findings. SV - Proceedings of the Third Annual Conference of the Association for Consumer Research, pp. 394-403 (Association for Consumer Research Editor: M. Venkatesan), Chicago, IL.
Box G.E.P. (1976). Science and Statistics. Journal of the American Statistical Association 71(356) pp. 791-799.
Bromiley P., McShane M., Nair A., and Rustambekov E. (2014). Enterprise Risk Management: Review, Critique, and Research Directions. Long Range Planning 48 pp. 265-276.
Chase S. (1920). What is Reasonable Profit? Journal of Accountancy 29(6) Article 2.
Choe S. and Leite F. (2020). Transforming Inherent Safety Risk in the Construction Industry. A Safety Risk Generation and Control Model. Safety Science 124 Article 104594.
Colbert J.L. (1988). Inherent Risk: An Investigation of Auditors’ Judgements. Accounting, Organizations and Society 13(2) pp. 111-121.
Cogency (2018). Why are Humans Bad at Calculating Risk. Cogency 23 February 2018. Accessed at: https://www.cogencyteam.com/news/2018/02/why-are-humans-bad-at-calculating-risk/.
COSO (2017). Enterprise Risk Management – Integrated Framework. Committee of Sponsoring Organisations of the Treadway Commission.
Courtois C. and Gendron Y. (2017). The "Normalization" of Deviance: A Case Study on the Process Underlying the Adoption of Deviant Behavior. Auditing: A Journal of Practice and Theory 36(3) pp. 15-43.
Curley S.P. (2008). Subjective Probability. In: Encyclopedia of Quantitative Risk Analysis and Assessment. John Wiley & Sons, Hoboken, NJ.
Curtis P. and Carey M. (2012). Risk Assessment in Practice. Thought Leadership in ERM. Committee of the Sponsoring Organizations of the Treadway Commission. Accessed at: https://www.coso.org/Shared%20Documents/COSO-ERM-Risk-Assessment-in-Practice-Thought-Paper-October-2012.pdf.
Dambacher J.M., Shenton W., Hayes K.R., Hart B.T., and Barry S. (2007). Qualitative Modelling and Bayesian Network Analysis for Risk-based Biosecurity Decision Making in Complex Systems. ACERA Project 06/01, Australian Centre of Excellence for Risk Analysis, Melbourne University.
Dhar V., Lewis B., and Peters J. (1987). A Knowledge-based Model of Audit Risk. Working Paper Series, November 1987. Department of Accounting, University of Oregon.
DJPR (2021). Preparation of Work Plans and Work Plan Variations: Guideline for Extractive Industry Projects, December 2020. Department of Jobs, Precincts, and Regions, Government of Victoria. Accessed at: https://earthresources.vic.gov.au/__data/assets/pdf_file/0010/458605/Preparation-of-Work-Plans-and-Work-Plan-Variations-Guideline-for-Extractive-Industry-Projects.pdf.
Dos Santos R.B., Lima F.G., Gatsios R.C., and de Almeida R.B. (2017). Risk Management and Value Creation: New Evidence for Brazilian Non-financial Companies. Applied Economics 49(58) pp. 5815-5827.
Ekblad K.R. (2021). Inconsistent Judicial Interpretations of the Utah Inherent Risk of Skiing Statute and Economic Implications. Mississippi Sports Law Review 10(10) pp. 227-237.
Entwistle T. and Doering H. (2023). Amoral Management and the Normalisation of Deviance: The Case of Stafford Hospital. Journal of Business Ethics https://doi.org/10.1007/s10551-023-05445-6.
Faxon R.D. (1960). Geological Review of Waterflood Prospects. Tulsa Geological Society Digest 28 pp. 33-42.
Ferdous R., Khan F., Sadiq R., Amyotte P., and Veitch B. (2011). Fault and Event Tree Analyses for Process Systems Risk Analysis: Uncertainty Handling Formulations. Risk Analysis 31(1) pp. 86-107.
Florea R. and Florea R. (2012). The Implications of Inherent Risks’ Assessment in Audit Risk Limitation. Economy Transdisciplinarity Cognition 15 pp. 45-49.
FM Global (2010). The Risk/Earnings Ratio: New Perspectives for Achieving Bottom-Line Stability. Published with Oxford Metrica. FM Global, Johnston, RI, USA. Accessed at: http://oxfordmetrica.com/public/CMS/Files/1716/02_FMGlobal.pdf.
Forss K. and Samset K. (1999). Square Pegs and Round Holes. Evaluation 5(4) pp. 407-421.
Fraser J.R.S. and Simkins B.J. (2007). Ten Common Misconceptions About Enterprise Risk Management. Journal of Applied Corporate Finance 19(4) pp. 75-81.
Frey R. (2021). Psychological Drivers of Individual Differences in Risk Perception: A Systematic Case Study Focusing on 5G. Psychological Science 32(10) pp. 1592-1604.
Galway L.A. (2007). Subjective Probability Distribution Elicitation in Cost Risk Analysis: A Review. Rand Corporation and US Air Force.
Gibson C.A. and Gibson K. (2023). A Critical Incident Field Guide: Integrating Risk, Business Continuity, Emergency, and Crisis Management, Volume 1: Concepts, and Volume 2: Application. Revised 2nd Editions, Executive Impact Publishing.
Goff R.J., Wilday J., and Holroyd J. (2015). Creeping Changes. Hazards 25, Symposium Series No 160.
Goodfellow G. and Haswell J. (2006). A Comparison of Inherent Risk Levels in ASME B31.8 and UK Gas Pipeline Design Codes. Proceedings of IPC2006 6th International Pipeline Conference, September 25-29, 2006, Calgary, Alberta, Canada.
Groth C. (2015). Emotions in Risk Assessment and Decision-Making Processes During Craft Practice. Journal of Research Practice 11(2) Article M5.
Haines S.F. (1940). Some Notes on the Roles of Research in the Development of the Modern Treatment of Exophthalmic Goiter. The Journal of Clinical Endocrinology & Metabolism 10(9) pp. 989-995.
Hall C. and Howell S.P. (1912). Investigations of Fuse and Miners’ Squibs. Government Printing Office, Washington.
Harrast S.A., McGilsky D., and Sun Y. (2020). Determining the Inherent Risks of Cryptocurrency: A Survey Analysis. Current Issues in Auditing 16(2) pp. A10-A17.
Hase S. and Phin S. (2015). The Normalisation of Deviance in the Oil and Gas Industry: The Role of Rig Leadership in Success and Failure. Abu Dhabi International Petroleum Exhibition and Conference, November 2015, Paper Number: SPE-1777777-MS. Abu Dhabi, UAE.
Haskins M.E. and Dirsmith M.W. (1998). Control and Inherent Risk Assessments in Client Engagements: An Examination of Their Interdependencies. Journal of Accounting and Public Policy 14(1) pp. 63-83.
Hinton C. (1953). Atomic Energy Developments in Great Britain. Bulletin of the Atomic Scientists 9(10) pp. 366-3368.
Hochrainer-Stigler S., Šakić R.T., Reiter K., Ward P.J., de Ruiter M.C., Duncan M., Torresan S., Ciurean R., Mysiak J., Stuparu D., and Gottardo S. (2023). Toward a Framework for Systemic Multi-hazard and Multi-risk Assessment and Management. iScience 26 Article 106736.
Hodge N. (2019). Learning From Corporate Collapse. Risk Management, 1 February 2019. Accessed at: http://www.rmmagazine.com/2019/02/01/learning-from-corporate-collapse/.
Huang R. and Perez M.A. (2018). Accurate, Data-Efficient Learning from Noisy, Choice-Based Labels for Inherent Risk Scoring. NIPS 2018 Workshop on Challenges and Opportunities for AI in Financial Services: The Impact of Fairness, Explainability, Accuracy, and Privacy (FEAP-AI4Fin 2018).
Hubbard D.W. (2020). The Failure of Risk Management: Why it’s Broken and How to Fix it. John Wiley and Sons, New York, NY.
Hubbard D.W. and Seiersen R. (2016). How to Measure Anything in Cybersecurity Risk. Wiley, Hoboken, NJ.
Huntingdon T.W. (1904). Posterior Gastro-enterostomy for Simple Conditions of the Stomach. California State Journal of Medicine 2(12) pp. 372-374.
ICAEW (2019). How to Avoid Common Weaknesses in Audit. Institute of Chartered Accountants in England and Wales. Accessed at: https://www.icaew.com/technical/audit-and-assurance/faculty/audit-and-beyond/audit-and-beyond-archive/audit-and-beyond-2019/audit-and-beyond-july-2019/how-to-avoid-common-weaknesses-in-audit.
Ittner C.D. and Keusch T. (2016). Incorporating Risk Considerations into Planning and Control Systems: The Influence of Risk Management Value Creation Objectives. In: The Routledge Companion to Accounting and Risk (Editors: Philip Linsley and Margaret Woods). Routledge, London.
Kaikkonen L., Parviainen T., Rahikainen M., Uusitalo L., and Lehikoinen A. (2020). Bayesian Networks in Environmental Risk Assessment: A Review. Integrated Environmental Assessment and Management 17(1) pp. 62-78.
Kaplan R.S. and Mikes A. (2012). Managing Risk: A New Framework. Harvard Business Review, June 2012.
Kraus V. and Lehner O.M. (2012). The Nexus of Enterprise Risk Management and Value Creation: A Systematic Literature Review. In: Proceedings in Finance and Risk Perspectives ’12. ACRN Cambridge Publishing House.
Kristamuljana A., Van Loon B., Bolt J., and Terblanché A. (2018). Dynamic Risk Assessment. Compact 2018, Smart Tech.
Kosovac A., Davidson B., and Malano H. (2019). Are We Objective? A Study into the Effectiveness of Risk Measurement in the Water Industry. Sustainability 11(5): 1279.
Knox V. (1901). The Economic Effect of the Tramways Act of 1870. The Economic Journal 11(44) pp. 492-510.
Krishnan K., Baglietto L., Apicella C., Stone J., Southey M.C., English D.R., Giles G.G., and Hopper J.L. (2016). Mammographic Density and Risk of Breast Cancer by Mode of Detection and Tumor Size: A Case-control Study. Breast Cancer Research 18(63).
Lermer E., Streicher B., and Raue M. (2018). Measuring Subjective Risk Estimates. In: Psychological Perspectives on Risk and Risk Analysis (Editors: M. Raue, E. Lermer, and B. Streicher). Springer, Cham.
Leslie D.A. (1984). Analysis of the Audit Framework Focusing on Inherent Risk and the Role of Statistical Sampling in Compliance Testing. Proceedings of the University of Kansas Symposium on Auditing Problems pp. 89-125.
Ma M.J. and Jazayeri M. (2014). Neural Coding of Uncertainty and Probability. Annual Review of Neuroscience 37 pp. 205-220.
McCarthy M.M. (2019). Sex Differences in Neuroimmunity as an Inherent Risk Factor. Neuropsychopharmacology Reviews 44 pp. 38-44.
McClearly J.T. (1920). Big Business and Labor. The Annals of the American Academy of Political and Social Science 42 pp. 25-37.
Marris P. (2006). The Social Construction of Uncertainty. In: Attachment Across the Lifecycle (Editors: C.M. Parkes, J. Stevenson-Hind, P. Harris). Routledge, London, UK.
Maskrey A., Lavell A., and Jain G. (2022). The Social Construction of Systemic Risk: Towards an Actionable Framework for Risk Governance. Global Assessment Report on Disaster Risk Reduction 2022. United Nations Office for Disaster Risk Reduction.
Minsky S. The Wells Fargo Scandal is a Failure in Risk Management. Accessed at: https://www.logicmanager.com/erm-software/2016/09/20/wells-fargo-scandal-risk-management/.
Monat J.P. and Doremus S. (2018). Deficiencies in and Alternatives to Heat Map Risk Matrices for Project Risk Prioritization. The Journal of Modern Project Management 6(1) Article 11.
Nathhorst H. (1949). The Swedish BCG Expedition in Germany. Pediatrics 4(4) pp. 425-429.
Naweed A., Rainbird S., and Dance C. (2015). Are You Fit to Continue? Approaching Rail Systems Thinking at the Cusp of Safety and the Apex of Performance. Safety Science 76 pp. 101-110.
OIE (2004). Handbook on Import Risk Analysis for Animals and Animal Products. Volume 2. Quantitative Risk Assessment. World Organisation for Animal Health, Paris, France.
Osgood R.E. (1959). Concepts of General and Limited War. Naval War College Review 12(4) pp. 1-18.
Paté-Cornell E. and Dillon R. (2001). Probabilistic Risk Analysis for the NASA Space Shuttle: A Brief History and Current Work. Reliability Engineering & System Safety 74(3) pp. 345-352.
Pereira J.C., Fragoso M.D., and Todorov M.G. (2016). Risk Assessment Using Bayesian Belief Networks and Analytic Hierarchy Process applicable to Jet Engine High Pressure Turbine Assembly. IFAC PapersOnLine 49-12 pp. 133-138.
Peters J.M., Lewis B.L., and Dhar V. (1989). Assessing Inherent Risk During Audit Planning: The Development of a Knowledge Based Model. Accounting, Organizations and Society 14(4) pp. 359-378.
Pickering and Cowley (2010). Risk Matrices: Implied Accuracy and False Assumptions. Journal of Health and Safety Research & Practice 2(1) pp. 11-18.
Qazi A. and Akhtar P. (2020). Risk Matrix Driven Supply Chain Risk Management: Adapting Risk Matrix Based Tools to Modelling Interdependent Risks and Risk Appetite. Computers and Industrial Engineering 139 Article 105351.
Qazi P., Dickson A., Quigley J., and Gaudenzi B. (2018). Supply Chain Risk Network Management: A Bayesian Belief Network and Expected Utility Based Approach for Managing Supply Chain Risks. International Journal of Production Economics 196 pp. 24-42.
Qazi A., Quigley J., Dickson A., and Kirytopoulos K. (2016). Project Complexity and Risk Management (ProCRiM): Towards Modelling Project Complexity Driven Risk Paths in Construction Projects. International Journal of Project Management 34(7) pp. 1183-1198.
QRMC (2020). Balancing Subjectivity in Assessing Risks. QRMC, 30 October 2020.
Quan N.S. and Chiang A. (2017). Risk Management at the Speed of Business. Directors Bulletin, 2017 Q1 pp. 24-27. PWC.
Rampini G.H.S., Takia H., and Berssaneti F.T. (2019). Critical Success Factors of Risk Management with the Advent of ISO 31000 2018 - Descriptive and Content Analyzes. 25th International Conference on Production Research Manufacturing Innovation: Cyber Physical Manufacturing, August 9-14, 2019, Chicago, Illinois.
Reckless W.C. (1940). Criminal Behaviour. McGraw Hill Book Company Inc, New York, NY.
Redmill F. (2001). Subjectivity in Risk Analysis. Report. Accessed at: http://homepages.cs.ncl.ac.uk/felix.redmill/publications/5A.Subjectivity%20in%20Risk.pdf.
Redmill F. Risk Analysis – A Subjective Process. Engineering Management 12(2) pp. 91-96.
Renn O., Burns W.J., Kasperson J.X., Kasperson R.E., and Slovic P. (1992). The Social Amplification of Risk: Theoretical Foundations and Empirical Applications. Journal of Social Issues 48(4) pp. 137-160.
Ries E. (1913). Theoretical and Practical Foundations of a Radical Operation for Carcinoma of the Cervix. Journal of the American Medical Association 4 October 1913 pp. 1266-1268.
Rodman F.B. (1954). Hazards in the Use of Antibiotics. Canadian Medical Association Journal 70 pp. 638-641.
Ronsiavale G.B., Foresti L., and Poledda G. (2020). A Prototype Model of Georeferencing the Inherent Risk of Contagion from Covid-19. Preprint, accessed at: https://www.researchgate.net/publication/339997833_A_PROTOTYPE_MODEL_OF_GEOREFERENCING_THE_INHERENT_RISK_OF_CONTAGION_FROM_COVID-19?channel=doi&linkId=5e71813e92851c93e0aa3d63&showFulltext=true.
Rydenfält C., Ek A., and Larsson P.A. (2014). Safety Checklist Compliance and a False Sense of Safety: New Directions for Research. BMJ Quality and Safety 23 pp. 183-186.
San Miguel M. (2022). Frontiers in Complex Systems. Frontiers in Complex Systems 1 Article 1080801.
Shermer M. (2008). Why Our Brains Do Not Grasp Probabilities. Scientific American 1 September 2008. Accessed at: https://www.scientificamerican.com/article/why-our-brains-do-not-intuitively-grasp-probabilities/.
Schrödl H. and Turowski K. (2014). Risk Management in Hybrid Value Creation. Decision Support Systems 58 pp. 21-30.
Sedlar N., Irwin A., Martin D., and Roberts R. (2022). Normalising Deviance within Industry: A Qualitative Analysis of Incident Reports. In: Contemporary Ergonomics and Human Factors 2022 (Editors: D. Golightly and N. Balfe) pp. 267-268. Chartered Institute of Ergonomics and Human Factors.
Sedlar N., Irwin A., Martin D., and Roberts R. (2023). A Qualitative Systematic Review on the Application of the Normalization of Deviance Phenomenon within High-risk Industries. Journal of Safety Research 84 pp. 290-305.
Show S.B. and Kotok E.I. (1929). Cover Type and Fire Control in the National Forests of Northern California. Department Bulletin No. 1495, July 1929, United States Department of Agriculture, Washington, DC.
Sjöberg L. (2007). Emotions and Risk Perception. Risk Management 9(4) pp. 223-237.
Skjong R. and Wentworth B.H. (2001). Expert Judgement Risk Perception. Proceedings of the Eleventh (2001) International Offshore and Polar Engineering Conference.
Slabotsky R. (2023). Inherent Risk vs Residual Risk Explained in 90 Seconds. The FAIR Institute, 15 February 2023. Accessed at: https://www.fairinstitute.org/blog/inherent-risk-vs.-residual-risk-explained-in-90-seconds.
Smith A.E. Setting Air Quality Standards for PM2.5: A Role for Subjective Uncertainty in NAAQS Quantitative Risk Assessments? Risk Analysis 38(11) pp. 2318-2339.
Smith J. (1914). Sequel to the Workmen’s Compensation Acts. Harvard Law Review 27(3) pp. 235-259.
Smock R. (2002). Reducing Subjectivity in Risk Assessments. Global Information Certification paper. SANS Institute, June 2002.
Sobkow A., Traczyk J., and Zaleskiewicz T. (2016). The Affective Bases of Risk Perception: Negative Feelings and Stress Mediate the Relationship between Mental Imagery and Risk Perception. Frontiers in Psychology 7:932.
Standards Australia (1995). AS/NZS 4360:1995 Risk Management.
Standards Australia (2018). AS ISO 31000:2018 Risk Management – Guidelines.
Sunderland E.R. (1920). Joinder of Actions. Michigan Law Review 18(7) pp. 571-588.
Timmer J. (2011). Risk, Probability and How Brains are Easily Misled. Wired, 8 June 2011. Accessed at: https://www.wired.com/2011/06/brain-risk-probability/.
Tuovila A. (2022). Inherent Risk: Definition, Examples, and 3 Types of Audit Risks. Investopedia 28 July 2022.
Turnbull L., Hütt M-T., Ioannides A.A., Kininmonth S., Poeppl R., Tockner K., Bracken L.J., Keesstra S., Liu L., Masselink R., and Parsons A.J. (2018). Connectivity and Complex Systems: Learning from a Multi-disciplinary Perspective. Applied Network Science 3 Article 11.
Vail D.T. (1916). A Discussion of Some Newer Principles in Dealing with Uncomplicated Cataract. Transactions of the American Ophthalmological Society 14(2) pp. 718-732.
Van Boom W.H. (2009). Inherent Risk and Organisational Design in European Tort Law. Rotterdam Institute of Private Law Accepted Paper Series.
Van Greuning H. and Bratanovic S.B. (2020). Analyzing Banking Risk: A Framework for Assessing Corporate Governance and Risk Management. Fourth Edition. World Bank Group, Washington, DC.
Vaughan D. (2016). The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. The University of Chicago Press, Chicago and London.
Wardman J.K. (2020). Recalibrating Pandemic Risk Leadership: Thirteen Crisis Ready Strategies for COVID-19. Journal of Risk Research 7-8: COVID 19 Special Issue, pp. 1092-1120.
Willumsen P., Oehmen J., Stingl V., and Geraldi J. (2019). Value Creation Through Project Risk Management. International Journal of Project Management 37(5) pp. 731-749.
Wolters Kluwer (2015). What is Risk Velocity and Should You Track It? Expert Insights, Legal, Compliance, ESG, 7 October 2015.
Wong R. (1998). Knowledge Modeling for Inherent Risk Assessment: A Task Structure Approach. AMCIS 1998 Proceedings 79. American Conference on Information Systems (AMCIS).
Yang Z.-L., Wang J., Bonsall S., Yang J.-B., and Fang Q.-G. (2005). A Subjective Risk Analysis Approach of Container Supply Chains. International Journal of Automation and Computing 1 pp. 85-92.
Yuille A. and Kersten D. (2006). Vision as Bayesian Inference: Analysis by Synthesis? Trends in Cognitive Science 10 pp. 301-308.
Zinn J.O. (2004). Literature Review: Sociology and Risk. Working Paper 2004/1, Social Contexts and Responses to Risk Network (SCARR).
Worden C. (2023). Risk Management: Subjective Perspectives, Risk Assessments, Ethical Dilemmas. Industry Safety and Hygiene News, 13 May 2021.