Could you please explain little clarity about Inherent Risk and Residual Risk?
There is no such thing as ZERO risk. Regardless of their size, industry, or location, all organisations are exposed to various ML/TF risks. These risks are inherent and unavoidable. While the likelihood and impact of these risks may vary, they are always present, which is why they are often referred to as “Gross Risks” – risks that exist without any controls in place.
To mitigate these risks, organisations implement various controls, leaving behind what is known as residual or net risk.
To summarise:
- Inherent Risk = Gross Risk = Risks without controls
- Residual Risk = Net Risk = Risks after controls
For example, inherent risk is the level of risk present before controls such as policies and procedures, KYC, and sanctions screening are implemented. Residual risk is the remaining risk after these measures are in place.
For a more detailed understanding of the risk-based approach, read this article:
Thank you so much for the crystal-clear clarification.
Adv Ramshad