
Understanding inherent risk vs residual risk—and why the gap matters
Most organizations have a process for identifying and scoring risks. What’s challenging is assessing how well a risk has actually been reduced. The problem often boils down to how risk is measured, and inherent and residual risk are two key metrics that can be used to guide decisions.
GRC teams often capture inherent and residual risks for reporting or compliance, but don’t use them actively to inform risk strategy. Many organizations, especially those with audit-driven risk processes, look at these metrics in isolation.
However, one of the best measures to see the effectiveness of your controls is actually the gap between inherent and residual risk. The difference between them can help you track whether your controls meaningfully reduce risk and where you may need to strengthen mitigation efforts.
In this guide, we’ll break down inherent and residual risk and discuss how to interpret the gap (or delta) between them for continuous control monitoring and data-driven risk management.
What is inherent risk?
Inherent risk is the level of risk an organization faces before implementing any mitigation measures, security controls, or safeguards. Think of it as the raw risk exposure across your processes, systems, or projects, commonly representing:
- Data loss
- Service outages
- Human errors
- Insider threats or misuse of access privileges
- Vendor compliance gaps
- Poor data handling
Inherent risk is typically assessed by evaluating a threat’s likelihood and potential impact, then expressing it on a scale, such as 1–5 or low to high, to support risk prioritization and control decisions.
In practice, inherent risk is often misunderstood in the following ways:
- It only outlines hypothetical threats: Although inherent risk is assessed before controls are applied, it showcases real risks to your organization’s systems, data, and operating environment
- It’s a compliance checkbox to tick: Inherent risk is more than a reporting requirement, as it pinpoints where your organization is the most exposed and where controls have the greatest impact
- It’s uncontrollable: You can’t eliminate inherent risk, but you can reduce its likelihood and impact with corresponding controls
Identifying inherent risk is only the starting point. The next step to understanding your risk exposure is evaluating residual risk.
What is residual risk?
Residual risk shows the risk an organization is exposed to after controls and mitigation efforts have been applied. Since you can’t fully eliminate risk, this metric reflects the exposure your organization must carry and actively manage over time.
Residual risk appears in similar forms to inherent risk. For example, despite implementing controls, you can still face:
- Data breach from a cloud service provider
- Operational disruptions from a natural disaster
- Supply chain disruptions even after vendor assessments
To determine residual risk, take the values for inherent risk, then adjust them based on your existing controls, reducing for likelihood, impact, or both. For example, the residual risk for data loss might drop from high to very low if you’ve implemented access controls, regular backups, and real-time monitoring.
Some common misconceptions around residual risk include:
- It’s eliminated by strong controls: Controls can only reduce risk to an extent. Your residual risk can never be zero; it can only be lowered to a level that is acceptable within your risk appetite.
- It doesn’t need to be revisited: Residual risks evolve as your organization scales, you introduce new technologies, and compliance expectations change. Without continuous risk and control monitoring, residual risk can increase.
- It’s limited to specific teams: While a risk may originate from a function (like IT or compliance), it can impact the entire organization.
Why the gap between inherent and residual risk is important
Inherent and residual risk can be tracked separately, but the real value for GRC teams comes from analyzing the gap between them. The gap shows where your controls and remediation efforts are reducing risk as expected, and where they fall short.
In practice, here’s how you build context progressively during risk management:
- A widening gap usually indicates well-aligned controls that are effectively reducing residual risk.
- A narrowing gap suggests low impact of mitigation, often rooted in failed or missing controls. Sometimes, it could also mean a decrease in inherent risk (e.g., after a legacy system is decommissioned).
- A static gap is common in more mature GRC programs with a consistently managed risk posture, but it can also indicate stagnation in controls.
However, assessing the gap can be difficult if the underlying assumptions are unreliable.
For a data-driven risk management framework, the best practice is to revisit the gap for major shifts in your operations, systems, and environment. Define clear escalation paths to leadership, especially for a shrinking or unexplained gap.
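As an added example (not code from the article or from Vanta's product), the following Python snippet scores inherent and residual risk on a constructed 1–5 likelihood × impact scale, computes the delta, and classifies how the gap moved between two review snapshots so that a narrowing caused by rising residual risk is flagged for escalation while one caused by a genuine drop in inherent risk is not. The risk names, scores and the `RiskScore`/`RiskEntry` types are assumptions made for this illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # constructed 1-5 scale for likelihood and impact


@dataclass(frozen=True)
class RiskScore:
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25


@dataclass(frozen=True)
class RiskEntry:
    name: str
    inherent: RiskScore  # exposure before any controls
    residual: RiskScore  # exposure after controls are applied

    def __post_init__(self) -> None:
        # Controls can only reduce risk; residual above inherent is a mis-score.
        if self.residual.score > self.inherent.score:
            raise ValueError(f"{self.name}: residual risk exceeds inherent risk")

    @property
    def delta(self) -> int:
        return self.inherent.score - self.residual.score  # risk removed by controls


def classify_gap(previous: RiskEntry, current: RiskEntry) -> tuple[str, bool]:
    """Compare two snapshots of one risk; return (trend, escalate_to_leadership)."""
    change = current.delta - previous.delta
    if change > 0:
        return "widening", False
    if change == 0:
        return "static", False
    # Narrowing: a drop in inherent risk (e.g. a system was decommissioned) is
    # benign, but residual rising while inherent holds points at failed controls.
    if current.inherent.score < previous.inherent.score:
        return "narrowing-inherent-fell", False
    return "narrowing-residual-rose", True


# Constructed register snapshots for two review cycles of the same risk.
Q1 = RiskEntry("data loss", RiskScore(5, 5), RiskScore(2, 4))  # delta 17
Q2 = RiskEntry("data loss", RiskScore(5, 5), RiskScore(3, 4))  # delta 13
```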
Use a high-rated risk management solution to maintain continuous visibility into the gap, your controls, and overall risk. Vanta offers continuous monitoring and AI-driven scoring, among dozens of other agentic risk management features that can help provide an unbiased, real-time view of your risk posture.
Common challenges of residual and inherent risk
Look out for these challenges when navigating residual and inherent risk:
- Mis-scoring risks: Risk scores can vary depending on who is evaluating, especially if control effectiveness is subjective and irregularly audited. This often leads to risk scores being lower than they should be, creating a false sense of security and making it easier for gaps to be overlooked.
- Siloed ownership: Risk is often managed by individual teams, so there could be inconsistency in how risks are handled across functions. Without centralized visibility, it’s difficult to understand the full impact of a risk or coordinate mitigation efforts.
- Treating risks as one-off metrics: Inherent and residual risk are often evaluated as point-in-time values instead of living metrics. This can lead to misaligned assessments that could be irrelevant or misleading.
- Relying on spreadsheets: Organizations often use spreadsheets to track inherent and residual risk. While you can use formulas to create weighted scores, getting precise data is challenging. Audits may focus on whether the assessments were completed instead of on accuracy or trends in the results, making it tricky to surface areas that need attention.
How to manage inherent and residual risk—and the delta
To manage your residual and inherent risk effectively, focus on a few key practices:
- Rely on continuous metrics: Track risk continuously with top GRC solutions like Vanta instead of assessing it at fixed intervals. That way, there’s a lower chance of unaddressed remediation gaps between reviews.
- Define risk treatment actions with owners: Each risk should have a defined treatment plan, such as avoiding, transferring, mitigating, or accepting it. Assign specific owners to each to ensure accountability.
- Recalculate and track residual risk over time: Recalculate residual risk after each control implementation or improvement drive so you can track and report on the impact right away.
- Document the delta: Actively monitor and document your risk delta to provide leadership with a progressive view of risk exposure and impact of controls.
- Continuous risk tracking: Continuously tracking risks requires organizations to look at both internal and external sources. Agentic platforms like Vanta offer risk registers for inherent risk scoring, treatment plan recommendations, control mapping, and risk reporting for internal and vendor risks. Organizations should also pull emerging risks identified through attack surface monitoring, threat intelligence, dark web monitoring, and data leakage detection.
Explore Vanta to manage risks with ongoing visibility
Vanta is the #1 agentic trust platform to help organizations identify, track, and manage their risks effectively. It achieves this through built-in risk management workflows, real-time oversight, unified dashboard visibility, and more.
Vanta’s risk management product comes with risk registers that help score risks, define treatment plans, map controls, and add owners—alongside AI-assisted scoring and continuous monitoring. Other notable features include:
- On-demand, customizable risk reports
- Automated workflows and accountability tracking powered by 400+ integrations
- A pre-built risk library with 100+ common risk scenarios and risk-to-control mappings
- Customizable risk dimensions
- Risk snapshots for audit preparation
- Vendor risk management
Schedule a demo to see how Vanta can support your risk management program.