Inherent risk fundamentals

Know your baseline exposure.

Learn what inherent risk is, how to assess it before controls, and how it informs appetite, residual risk, and reporting.


What is inherent risk?

Inherent risk is the level of exposure that exists before any controls or mitigations are applied.

Baseline. Always begin assessments with inherent risk.

Rating. Use likelihood and impact scales to keep results consistent.

Compare. Set up inherent vs residual comparisons for every risk.

WHY IT MATTERS

Why inherent risk informs better planning

Shows natural exposure. Leadership sees the true scale of a risk before controls mask it.

Justifies controls. High inherent scores support investment in people, process, or technology safeguards.

Supports appetite. Appetite statements rely on understanding inherent vs residual levels.

ASSESSMENT

How to assess inherent risk

  1. Use consistent scales. Define likelihood and impact descriptors everyone understands.
  2. Consider drivers. Look at volume, complexity, change velocity, and regulatory scrutiny.
  3. Document rationale. Record why you picked a score so future reviewers can trace the thinking.

CADENCE

How to monitor inherent risk

  1. Review annually. Refresh inherent ratings during planning cycles or when business models change.
  2. Watch trend triggers. If volume or complexity grows, re-evaluate inherent scores sooner.
  3. Compare to residual. Highlight large gaps to show control value, or small gaps to justify design reviews.
  4. Share with boards. Use inherent heatmaps to explain why certain initiatives need investment.

Inherent risk quick wins

Create scoring guides

Document criteria for each likelihood and impact level.

Train owners

Help risk owners understand the difference between inherent and residual.

Align with auditors

Agree on approaches with assurance partners to avoid rework.

Inherent risk glossary snapshot

Inherent risk. Exposure before controls are applied.

Residual risk. Exposure left after controls.

Risk driver. Factors that influence inherent likelihood or impact.

FAQS

Inherent risk FAQs

How is inherent risk different from residual risk?

Inherent is before controls; residual is after controls. Both are needed for good governance.

Who should rate inherent risk?

Risk owners with subject-matter expertise, supported by risk teams for consistency.

How granular should scoring be?

Use 4–5 point scales for clarity; too much granularity slows teams down.

Do small organisations need inherent risk?

Yes. Even a lightweight view helps prioritise controls and investments.

Drova RunSafe stores inherent and residual ratings, controls, and approvals in one place.

Ready to capture inherent risk systematically?