
3.9 Types of Risk



Inherent Risk


  • The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls). Put another way, it is the susceptibility of a business or process to a material error, assuming there were no internal controls.


  • Inherent risk rises with the number of users and business areas involved. The more users and business processes an activity touches, the higher its level of inherent risk.


Residual Risk


  • The risk that remains after controls are taken into account (the net risk or risk after controls).


  • Residual Risk = Inherent Risk – Risk reduction achieved by controls (and other risk responses, such as transfer through insurance)


  • For example, a machine costing USD 10,000 has an inherent risk of USD 10,000 (the full value that would be lost if it were destroyed). The organization takes insurance coverage of USD 8,000 against damage, so the residual risk is now only USD 2,000. If the organization's risk appetite is USD 2,000 or more, the risk is acceptable. If the risk appetite is below USD 2,000, further treatment (for example, additional insurance) is needed to bring the residual risk down. Note that insurance transfers only the financial loss; it does not reduce the likelihood of damage or the operational impact, so the residual figure here is a financial one. In short, for a successful risk management program, residual risk must be kept within the risk appetite; residual risk that is within the risk appetite is the acceptable risk level.


  • The primary objective of a risk management program is to ensure that residual risk is kept within the level acceptable to management, that is, in compliance with the organization's risk appetite. Achieving an acceptable level of risk means that residual risk has been reduced to within the appetite and is under control.


Detection Risk


The risk that the auditor's procedures fail to detect a material misstatement or error that actually exists.


Control Risk


The risk that a material misstatement or error could occur and would not be prevented, or detected and corrected on a timely basis, by the entity's internal control mechanisms.


Key aspects from CRISC exam perspective

CRISC Question: Which risk indicates susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls?
Possible Answer: Inherent Risk

CRISC Question: Which risk indicates that the controls put in place will not prevent, correct, or detect errors on a timely basis?
Possible Answer: Control Risk

CRISC Question: What is the primary objective of a risk management program?
Possible Answer: To ensure that residual risk is within the level acceptable to management

CRISC Question: Which risk increases due to multiple business areas?
Possible Answer: Inherent Risk

CRISC Question: Achievement of acceptable risk indicates that
Possible Answer: Residual risk is minimized and within control.



