What is the difference between inherent risk and residual risk?

Prepare effectively for the ASIS General Security Risk Assessment Test with our targeted quiz. Tackle multiple choice questions framed with insights and explanations to enhance your knowledge and readiness.

Inherent risk is defined as the level of risk that exists in the absence of any controls or mitigating measures. This encompasses the natural level of risk present due to the nature of the activities or processes in question, without any adjustments made for risk management interventions.

Residual risk, on the other hand, is the level of risk that remains after all controls or risk management strategies have been implemented. It represents what is left over once an organization has taken steps to reduce the inherent risk through various measures such as policies, procedures, and safeguards.

The correct answer highlights that inherent risk is present before any controls are applied, while residual risk indicates the risk that is left over after those controls have been accounted for. Understanding this distinction is crucial for effective risk management, as it guides organizations in recognizing how much risk they still face after implementing controls and helps them to make informed decisions about further risk mitigation measures.
