Glossary
Inherent Risk vs Residual Risk
Inherent risk is the exposure before any mitigation; residual risk is what remains after mitigations have been applied. Both should be recorded in the risk register.
Inherent risk — sometimes called gross risk — is the level of risk exposure in the absence of any mitigation controls. It is the 'raw' risk before the project has done anything about it. Residual risk — sometimes called net risk — is the exposure that remains after mitigation actions have been implemented. The relationship between the two is what the mitigation programme achieves: the inherent risk is the starting position, the residual risk is the ending position, and the gap between them is the value delivered by the mitigation effort.
Recording both inherent and residual risk in the register serves several purposes. It demonstrates that mitigations are adding value — if inherent and residual scores are the same for most risks, either the mitigations are not working or they have not been implemented. It supports the business case for investing in mitigation: if a particular risk can be reduced from 'high' inherent to 'low' residual by spending £50k on ground investigation, that is a quantifiable return. And it provides an honest picture of exposure: the project carries residual risk, not inherent risk, so contingency should be sized against residual exposure rather than inherent exposure.
The language of inherent versus residual risk can cause confusion in risk workshops, where participants sometimes interpret 'inherent' as 'theoretical maximum' and 'residual' as 'what we actually expect.' Neither interpretation is quite right. Inherent risk is the real exposure before mitigations — not a worst-case theoretical extreme. Residual risk is the real exposure after mitigations currently in place — not the hoped-for position after future planned mitigations. Facilitators should spend a few minutes at the start of any risk workshop calibrating these definitions with the group, because misunderstood definitions produce risk scores that cannot be compared or aggregated meaningfully.