
3.9 Types of Risk



Inherent Risk


  • The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls). It is the susceptibility of a business or process to make an error that is material in nature, assuming there are no internal controls.


  • Inherent risk depends on the number of users and business areas. The higher the number of users and business processes, the higher the level of inherent risk.


Residual Risk


  • The risk that remains after controls are taken into account (the net risk or risk after controls).


  • Residual Risk = Inherent Risk – Controls


  • For example, a machine costing USD 10000 has an inherent risk of USD 10000. The organization takes insurance coverage of USD 8000 to safeguard against damage, so the residual risk is now only USD 2000. If the organization's risk appetite is above USD 2000, the risk is said to be acceptable. If the risk appetite is less than USD 2000, further insurance must be taken to reduce the residual risk. In short, for a successful risk management program, residual risk should be within the risk appetite. When residual risk is within the risk appetite, it is at an acceptable level.


  • The primary objective of a risk management program is to ensure that residual risk is within the level acceptable to management. This determines compliance with the company's risk appetite. Achievement of acceptable risk indicates that residual risk is minimized and within control.
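As an added example that is not part of the original post, the following Python models the formula above (Residual Risk = Inherent Risk – Controls) over a small constructed risk register and reports, for each entry, whether the residual risk is within the risk appetite and how much additional control value would be needed if it is not. The register entries, amounts and the appetite figure are constructed sample values; the first entry mirrors the USD 10000 machine with USD 8000 of insurance cover.

```python
"""Residual-risk check against risk appetite.

Added example, not from the original post. It applies the page's own formula,
Residual Risk = Inherent Risk - Controls, to a constructed risk register and
flags entries whose residual risk still exceeds the stated risk appetite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    name: str
    inherent: float        # gross exposure before any control (USD)
    control_value: float   # exposure removed by controls, e.g. insurance cover (USD)


def residual_risk(entry: RiskEntry) -> float:
    """Residual risk = inherent risk - controls; controls cannot drive it below zero."""
    if entry.inherent < 0 or entry.control_value < 0:
        raise ValueError("inherent risk and control value must be non-negative")
    return max(entry.inherent - entry.control_value, 0.0)


def is_acceptable(entry: RiskEntry, risk_appetite: float) -> bool:
    """Acceptable when residual risk is within (at or below) the risk appetite."""
    return residual_risk(entry) <= risk_appetite


def treatment_gap(entry: RiskEntry, risk_appetite: float) -> float:
    """Extra control value needed to bring residual risk within appetite (0 if already acceptable)."""
    return max(residual_risk(entry) - risk_appetite, 0.0)


def review_register(register: list[RiskEntry], risk_appetite: float) -> dict[str, dict]:
    """Evaluate every entry; returns residual, acceptability and required extra control per entry."""
    return {
        e.name: {
            "residual": residual_risk(e),
            "acceptable": is_acceptable(e, risk_appetite),
            "extra_control_needed": treatment_gap(e, risk_appetite),
        }
        for e in register
    }


# Constructed sample register (not real data). The first entry mirrors the
# page's example: a USD 10000 machine with USD 8000 of insurance cover.
SAMPLE_REGISTER = [
    RiskEntry("production machine", inherent=10000, control_value=8000),
    RiskEntry("customer database", inherent=50000, control_value=30000),
    RiskEntry("office laptops", inherent=5000, control_value=5000),
]

if __name__ == "__main__":
    appetite = 2000.0  # constructed: management accepts at most USD 2000 residual per item
    for name, result in review_register(SAMPLE_REGISTER, appetite).items():
        print(f"{name}: residual={result['residual']:.0f} "
              f"acceptable={result['acceptable']} "
              f"extra_control_needed={result['extra_control_needed']:.0f}")
```

Running the block prints one line per register entry; the `extra_control_needed` figure is the amount of further control (more insurance, in the page's example) that would bring that entry back within appetite, which is the "further insurance to be taken" decision expressed as a number.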


Detection Risk


Risk that the auditors fail to detect a material misstatement in the financial statements.


Control Risk


Risk that a misstatement could occur and not be prevented, or detected and corrected, by the entity's internal control mechanism.


Key aspects from the CRISC exam perspective

CRISC Question | Possible Answer
Which risk indicates susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls? | Inherent Risk
Which risk indicates that the controls put in place will not prevent, correct, or detect errors on a timely basis? | Control Risk
What is the primary objective of a risk management program? | To ensure that residual risk is within the acceptable level by the management
Which risk increases due to multiple business areas? | Inherent Risk
Achievement of acceptable risk indicates that | Residual risk is minimized and within control.



