What is Inherent Risk?
Inherent Risk is the level of risk to an asset or process before any mitigating controls are applied. It is determined by factors such as asset value, the threat landscape, and the vulnerabilities present in the asset or process, and it serves as the baseline for a risk assessment: every control is later judged by how far it reduces this baseline.
"Inherent risk is a foundational concept for justifying security investments. The exam will test your ability to identify and categorize inherent risks. Understand how it differs from residual risk and how it informs the selection of appropriate controls. Do not confuse it with likelihood or impact alone."
Certification: Certified Information Security Manager (CISM)
What are the Key Concepts of Inherent Risk?
- Inherent risk is assessed *before* any controls are implemented, focusing on the raw exposure of an asset or process.
- Factors influencing inherent risk include asset value, potential threats, and the existence of known vulnerabilities within the system.
- It is the starting point for risk assessment, providing a baseline against which the effectiveness of controls can be measured.
- Understanding inherent risk helps prioritize security investments by focusing on the areas with the greatest potential for loss.
- Inherent risk is not likelihood alone or impact alone; it is the combination of both, representing the overall potential for harm.
How does Inherent Risk appear on the CISM Exam?
You may be asked to identify the inherent risk associated with a newly implemented cloud service, considering data sensitivity and potential external threats.
A scenario might describe a business process with no security controls in place; expect questions about assessing the inherent risk level before control implementation.
Expect questions about how inherent risk impacts the selection of appropriate security controls, and how to justify those controls to management.
Frequently Asked Questions
How does inherent risk relate to residual risk?
Inherent risk is the risk *before* controls, while residual risk is the risk *after* controls are applied. The difference between them demonstrates control effectiveness.
Can inherent risk be completely eliminated?
No. Inherent risk is the baseline level of risk with no controls in place; controls reduce that risk to a residual level, but no set of controls is fully effective, so a portion always remains as residual risk. Focus on mitigating to a level within the organization's appetite, not on eliminating.
What's the difference between risk appetite and inherent risk?
Risk appetite is the level of risk an organization is willing to accept. Inherent risk is the actual level of risk *before* controls, which may or may not align with the appetite.
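The three relationships above (inherent risk as the combination of likelihood and impact, residual risk as what remains after controls, and appetite as the threshold the residual is compared against) are easier to see worked through on a small risk register. The following is an added example, not code from the original page or from ISACA's CISM material; the 1 to 5 likelihood and impact scales, the multiplicative scoring, the per-control "effectiveness" fractions and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from math import prod

# Scoring model ASSUMED for this example (not the CISM model itself):
#   likelihood and impact are integers on a 1-5 scale,
#   inherent  = likelihood * impact            (range 1-25),
#   residual  = inherent * product(1 - effectiveness) over applied controls.
# A control's effectiveness is the fraction of risk it removes. It is kept
# strictly below 1.0 to encode the point that controls reduce risk but never
# eliminate it, so residual risk is always greater than zero.


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of risk removed, 0 <= e < 1

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness < 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1)")


@dataclass
class Risk:
    asset: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.asset}: {label} must be on a 1-5 scale")

    def inherent(self) -> int:
        """Risk before any control: likelihood and impact combined, not either alone."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after every applied control has taken its share."""
        return self.inherent() * prod(1.0 - c.effectiveness for c in self.controls)

    def control_effectiveness(self) -> float:
        """Share of the inherent risk removed by controls (inherent minus residual)."""
        return 1.0 - self.residual() / self.inherent()


def prioritize(register: list, appetite: float) -> list:
    """Rank by inherent risk (where investment should go first) and flag any
    asset whose residual risk still exceeds the organization's appetite."""
    ranked = sorted(register, key=lambda r: r.inherent(), reverse=True)
    return [
        (r.asset, r.inherent(), round(r.residual(), 2), r.residual() > appetite)
        for r in ranked
    ]


# Constructed sample register; assets and control ratings are illustrative.
REGISTER = [
    Risk("customer-db", likelihood=4, impact=5, controls=[
        Control("encryption at rest", 0.5),
        Control("MFA on admin access", 0.6),
    ]),
    Risk("public-website", likelihood=5, impact=3, controls=[
        Control("WAF", 0.4),
    ]),
    Risk("internal-wiki", likelihood=2, impact=2),  # no controls: residual == inherent
]
RISK_APPETITE = 6.0  # assumed maximum acceptable residual score


if __name__ == "__main__":
    for asset, inherent, residual, over in prioritize(REGISTER, RISK_APPETITE):
        flag = "ABOVE APPETITE" if over else "within appetite"
        print(f"{asset:16} inherent={inherent:2} residual={residual:5.2f}  {flag}")
```

Note that the ranking for investment is driven by inherent risk while the go/no-go decision is driven by residual risk against appetite: the customer database has the highest inherent score but, with two controls applied, its residual falls within appetite, whereas the public website's single control leaves it above appetite and is where the next control is justified.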