| Dimension | Inherent | Residual Risk | Practical note |
|---|---|---|---|
| Scope and covered activity | Inherent risk applies before controls are applied. It shows the baseline exposure for the asset, process, or scenario as it exists without treatment. | Residual risk applies after controls are applied. It shows the exposure remaining for the same asset or scenario once the treatment plan and control effectiveness are taken into account. | Use Inherent to size the problem before treatment; use Residual Risk to confirm what remains after treatment and whether the remaining exposure is acceptable. |
| Who must act | Inherent ownership sits with the team that defines the scenario, estimates the baseline likelihood and impact, and decides what treatment is needed. | Residual Risk ownership sits with the control owner or risk owner responsible for the implemented treatment, because that person must show what exposure remains and whether further action is needed. | Do not use one owner for both sides unless the same person truly owns both the untreated scenario and the treated result; otherwise record separate owners and approvals. |
| Trigger or threshold | Inherent work is triggered when you need the baseline: for example, at planning, scoping, or before selecting controls and treatment options. | Residual Risk work is triggered after treatment decisions or control changes, when you need to confirm what remains, whether acceptance is still valid, or whether more treatment is required. | If the question is 'What should we do?', start with Inherent. If the question is 'What is left after we did it?', start with Residual Risk. |
| Core obligations | Inherent risk requires you to identify the relevant scenario, estimate its baseline likelihood and impact, and choose a treatment path. | Residual Risk requires you to verify that the selected controls actually reduced exposure, then decide whether the remaining risk is acceptable or needs more treatment. | Treat the two sides as different checkpoints in one workflow: baseline first, remaining exposure second. Do not collapse them into one generic governance task. |
| Evidence and records | Inherent evidence should show the starting exposure: scenario description, assumptions, threat and vulnerability inputs, and the initial likelihood and impact rationale. | Residual Risk evidence should show the ending exposure: implemented controls, control effectiveness, acceptance decision, exceptions, and review date for the remaining risk. | If the evidence only proves the baseline, it supports Inherent but not Residual Risk. If it only proves control operation, it supports Residual Risk but not the original baseline. |
| Timing and cadence | Inherent review happens when the scenario changes or when you need a new baseline for planning, selection, or redesign. | Residual Risk review happens after a control or treatment change, after an incident, or at a scheduled acceptance review to confirm the remaining exposure has not drifted. | Use the baseline to decide treatment timing; use the residual review to decide acceptance timing. |
| Enforcement or assurance route | Inherent is usually checked in risk analysis, planning, design review, or treatment selection because it asks how exposed the organization is before controls. | Residual Risk is usually checked in control assessment, authorization, or acceptance review because it asks whether the controls left the organization with an acceptable level of exposure. | Do not use the same decision test for both sides: baseline analysis answers whether treatment is needed, while residual analysis answers whether the remaining risk can be accepted. |
| Overlap and reuse | Inherent can supply the baseline inputs for later treatment work, including the scenario, threats, vulnerabilities, likelihood, and impact rationale. | Residual Risk can reuse those baseline inputs, but only after controls, treatment changes, and current evidence are added to show what remains. | Reuse the same facts only when they still describe the same stage of the workflow; otherwise keep the baseline record and the residual record separate. |
| Practical decision rule | Use Inherent when you need to answer what the risk looks like before treatment and to decide what controls or responses are needed. | Use Residual Risk when you need to answer what remains after treatment and to decide whether the remaining exposure can be accepted or must be reduced further. | If the question is about choosing treatment, start with Inherent. If the question is about accepting the result of treatment, start with Residual Risk. If both appear in one record, label them separately instead of blending them together. |
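The table describes one workflow with two checkpoints: a baseline record that decides whether treatment is needed, and a separate residual record that decides whether what remains can be accepted. The Python below is an added example, not part of the page, that models those two records with separate owners, credits a control only when evidence of its operation is recorded, and reports which side of the workflow the available evidence actually supports. The ordinal scale, the effectiveness fractions, the risk appetite threshold and the sample scenario are all constructed assumptions; the page prescribes the workflow, not a scoring scheme.

```python
"""Inherent vs residual risk as two linked records (added example, not from the page).

The scale, effectiveness numbers and sample scenario below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed ordinal scale for likelihood and impact (assumption).
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of likelihood the control removes, 0..1 (assumption)
    evidence: list[str] = field(default_factory=list)  # test results, logs, tickets


@dataclass
class InherentRisk:
    """Baseline exposure before controls, owned by the team that defines the scenario."""
    scenario: str
    owner: str
    likelihood: str
    impact: str
    assumptions: list[str] = field(default_factory=list)
    rationale: str = ""

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]


@dataclass
class ResidualRisk:
    """Exposure after treatment, owned by the control or risk owner."""
    baseline: InherentRisk
    owner: str
    controls: list[Control]
    review_date: str = ""
    accepted: Optional[bool] = None  # acceptance decision, recorded on the residual side

    def unverified_controls(self) -> list[str]:
        return [c.name for c in self.controls if not c.evidence]

    def score(self) -> float:
        # Only controls with evidence of operation are credited: a control that has
        # not shown it reduced exposure leaves the baseline likelihood untouched.
        likelihood = float(LEVELS[self.baseline.likelihood])
        for c in self.controls:
            if c.evidence:
                likelihood *= 1.0 - c.effectiveness
        return likelihood * LEVELS[self.baseline.impact]


def evidence_coverage(record: ResidualRisk) -> set[str]:
    """Return which side of the workflow the recorded evidence supports."""
    covered: set[str] = set()
    b = record.baseline
    if b.assumptions and b.rationale:
        covered.add("inherent")  # baseline rationale is present
    if (record.controls and not record.unverified_controls()
            and record.review_date and record.accepted is not None):
        covered.add("residual")  # control evidence, acceptance and review date present
    return covered


def decide(record: ResidualRisk, appetite: float) -> dict:
    """Baseline first (is treatment needed?), remaining exposure second (is it acceptable?)."""
    inherent = record.baseline.score()
    residual = record.score()
    return {
        "inherent_score": inherent,
        "treatment_needed": inherent > appetite,
        "residual_score": residual,
        "acceptable": residual <= appetite,
        "unverified_controls": record.unverified_controls(),
        "separate_owners": record.owner != record.baseline.owner,
    }


# Constructed sample: one scenario, two controls, one of them without evidence yet.
BASELINE = InherentRisk(
    scenario="Credential stuffing against the customer portal",
    owner="platform-security",
    likelihood="high",
    impact="high",
    assumptions=["password reuse is common", "portal is internet facing"],
    rationale="public credential dumps plus no second factor",
)
TREATED = ResidualRisk(
    baseline=BASELINE,
    owner="iam-team",
    controls=[
        Control("MFA on portal login", 0.6, evidence=["mfa-rollout-test (constructed)"]),
        Control("login anomaly alerting", 0.3),  # deployed, no evidence recorded yet
    ],
    review_date="2024-09-30",
    accepted=True,
)

if __name__ == "__main__":
    print(decide(TREATED, appetite=4.0))
    print(evidence_coverage(TREATED))
```

With the sample data the baseline scores 9 and needs treatment, the verified MFA control brings the residual score to 3.6, which sits under the assumed appetite of 4, but `evidence_coverage` reports only `{"inherent"}` because one control has no evidence: the record proves the starting exposure, not the ending one, which is exactly the gap the "Evidence and records" row warns about. Recording evidence for the second control is what moves the record to supporting Residual Risk as well.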