How To Calculate Inherent vs. Residual Risk


In SimpleRisk, you may have noticed that each risk has two individually tracked risk scores, Inherent and Residual. When working with risk mitigation in SimpleRisk, we are mitigating the inherent risk to then leave us with a residual risk level. The residual risk represents what risk is left behind after mitigation. In this blog post, we will cover some of the different ways these scores can have an impact on how we treat risk and mitigation in SimpleRisk.

First, we must establish your inherent risk. In SimpleRisk, we provide users with six different scoring methods to choose from, each appropriate for different kinds of risks and situations. If you aren’t familiar with the risk scoring methods available in SimpleRisk, we cover them in our blog post on The OWASP Risk Rating Methodology and SimpleRisk.

A risk’s Inherent Risk Score will automatically be calculated based on the selected scoring methodology and the values selected for it. Every risk in SimpleRisk is reviewed on a regular cadence based on its Inherent Risk Score, with the most severe risks being reviewed more frequently. While the Inherent Risk score doesn’t change frequently, there are many events in a risk’s life cycle that will cause the Inherent Risk to change. For example, if we are tracking the risk of the recent Log4Shell vulnerability, the Inherent Risk started out High, but quickly moved to Very High as proof-of-concept code was developed, and we began seeing active exploits in the wild. The Inherent Risk score of this issue, however, has cooled considerably as vendors have provided patches for this issue. We talked a bit more about this phenomenon in our How to Manage the Evolving Risk of Bluekeep blog post.

Residual risk works a bit differently. A risk’s Residual Risk Score is based on how much of the Inherent Risk is leftover after appropriate controls have been applied to the risk. Controls applied to a risk will change often throughout its lifecycle. Controls may be added or removed from the environment. Controls that require tuning may become more effective over time, whereas controls based on rules created at the time of implementation may become less effective as time goes on. As your controls are changing, your Residual Risk Score will change, as well. Take the example in the following screenshot:

SimpleRisk SS

In the example above, we can see both a Mitigation Percent value in the mitigation details, as well as a Mitigation Percent associated with the attached mitigating control. The Mitigation Percent in the mitigation details section is intended to reflect the sum of any and all controls being used to mitigate this risk. The Mitigation Percent value in the Mitigation Controls section reflects the effectiveness of this single control when applied to a risk. SimpleRisk will only ever apply a single mitigation percentage to obtain the Residual Risk Score. The highest mitigation percentage available is the one the system uses at all times regardless of whether it is given in the details or as part of a mitigating control.

You will also notice that now the residual risk score is a 3.5, meaning 65% of the risk has been mitigated with the example mitigation, and we still absorb a risk of 3.5. In a lot of cases, we won’t be able to 100% mitigate a risk, but we can lower the risk below our organization's risk appetite. A Risk Appetite value may be configured in SimpleRisk under Configure -> Settings toward the bottom of the page.

Both our Inherent and Residual risk scores will change as practices, systems, and controls change over time. This is why we monitor these values over time, and through use of the review cycle, we can ensure that each risk gets proper attention and adjustment as needed. To view that risk scoring history timeline simply click the “Show Risk Score Over Time” tree directly below the risk scores at the top.

SimpleRisk SS

As we come to the close of this blog post, you should have a better understanding of how we make use of inherent risk and residual risk. Armed with this information, we should be able to lower the effort required to accurately track a risk's progress over time as well as understand the current level of mitigation that has been attained.

analysis assessment mitigate mitigation OWASP rating residual risk scoring