Explain the difference between inherent risk and residual risk.

Inherent risk refers to the level of risk present in a situation or process before any mitigative measures or controls are applied. It represents the natural exposure to risk that exists due to the inherent characteristics of the environment, the activities being undertaken, or the factors surrounding a particular process.

On the other hand, residual risk is the remaining level of risk after controls and risk management strategies have been implemented. This encompasses the risks that still exist despite measures taken to reduce or eliminate some exposure. In essence, residual risk is what an organization must manage after their risk mitigation strategies have been applied.

Understanding this distinction is crucial as it helps organizations assess their overall risk landscape more accurately. By recognizing both types of risk, organizations can better strategize and prioritize their risk management efforts, focusing on the residual risks that remain after controls have been established.