Inherent risk is the natural level of risk present in an activity, process or situation before anything is done to address it. Inherent risk (IR) is calculated according to this formula:

IR = Impact * Likelihood, where

Impact is the amount needed to bring the situation back to the state that existed before the adverse event. For example, if a building is flooded and it will take \$2 million to clean everything, replace damaged equipment and carry out renovations, then the impact is \$2 million.

Likelihood is the probability of a harmful event occurring and is expressed as a percentage. For example, if a building gets flooded every 10 years, then the probability is 1/10 or 10%.

If a building is flooded every 10 years, i.e. likelihood = 10%, and it costs \$2 million to completely remove the consequences of a flood, then IR = \$2,000,000 * 10% = \$200,000.

Residual risk (RR) is the level of risk remaining after a measure (control) has been put in place to address the inherent risk. Residual risk is calculated using the following formula:

RR = New_Impact * New_Likelihood + Cost_of_Control.

The owner of the building that gets flooded decides to build a retaining wall in front of it. The retaining wall is a risk mitigation measure, i.e. a control. If the retaining wall costs \$20,000 to build, then the Cost_of_Control is \$20,000.

After the wall is built, the building gets flooded less often, once every 20 years. Consequently, the New_Likelihood now is 1/20 or 5%. The presence of a wall doesn’t significantly reduce the damages, so New_Impact remains the same – \$2 million. In this situation, RR is calculated as:

RR = \$2,000,000 * 5% + \$20,000 = \$100,000 + \$20,000 = \$120,000.

Since RR (\$120,000) is less than IR (\$200,000), building the wall is a smart business move.

Note that when the Cost_of_Control is too high, it is better to accept the risk. For example, if the retaining wall costs \$120,000, then RR = \$100,000 + \$120,000 = \$220,000, which exceeds the IR of \$200,000. In general, when RR is greater than IR, an organisation is better off accepting the inherent risk rather than treating it.
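The two formulas and the treat-or-accept decision, carried through in code as an added example (this is not code from the original article). The figures are the article's own flood scenario; the `Scenario` and `Control` classes, the `decide` and `best_option` helpers and the "treat"/"accept" labels are assumptions made here for illustration. The `best_option` helper goes slightly beyond the text by comparing several candidate controls against plain acceptance at once.

```python
from dataclasses import dataclass

# Added worked example of IR = Impact * Likelihood and
# RR = New_Impact * New_Likelihood + Cost_of_Control.
# The numbers are the article's flood scenario; the class names,
# helper functions and "treat"/"accept" labels are assumptions.


def _check_probability(p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"likelihood must be between 0 and 1, got {p}")


def likelihood_from_return_period(years: float) -> float:
    """An event that happens once every N years has likelihood 1/N per year."""
    if years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / years


def inherent_risk(impact: float, likelihood: float) -> float:
    """IR = Impact * Likelihood: expected loss before any control is applied."""
    _check_probability(likelihood)
    return round(impact * likelihood, 2)


def residual_risk(new_impact: float, new_likelihood: float,
                  cost_of_control: float) -> float:
    """RR = New_Impact * New_Likelihood + Cost_of_Control."""
    _check_probability(new_likelihood)
    if cost_of_control < 0:
        raise ValueError("cost of control cannot be negative")
    return round(new_impact * new_likelihood + cost_of_control, 2)


@dataclass(frozen=True)
class Scenario:
    """The untreated situation: what an event costs and how often it recurs."""
    impact: float
    return_period_years: float

    @property
    def inherent_risk(self) -> float:
        likelihood = likelihood_from_return_period(self.return_period_years)
        return inherent_risk(self.impact, likelihood)


@dataclass(frozen=True)
class Control:
    """A mitigation measure (hypothetical structure) and the situation it leaves behind."""
    name: str
    cost: float
    new_impact: float
    new_return_period_years: float

    def residual_risk(self) -> float:
        new_likelihood = likelihood_from_return_period(self.new_return_period_years)
        return residual_risk(self.new_impact, new_likelihood, self.cost)


def decide(scenario: Scenario, control: Control) -> str:
    """Treat the risk only when the control leaves RR below IR; otherwise accept IR."""
    return "treat" if control.residual_risk() < scenario.inherent_risk else "accept"


def best_option(scenario: Scenario, controls: list) -> str:
    """Cheapest outcome among accepting IR and each candidate control's RR."""
    options = {"accept": scenario.inherent_risk}
    options.update({c.name: c.residual_risk() for c in controls})
    return min(options, key=options.get)


# Constructed inputs: the article's flood, a $20,000 wall and a $120,000 wall.
# Both walls stretch the return period to 20 years without reducing the damage.
FLOOD = Scenario(impact=2_000_000, return_period_years=10)
CHEAP_WALL = Control("retaining wall (cheap)", cost=20_000,
                     new_impact=2_000_000, new_return_period_years=20)
DEAR_WALL = Control("retaining wall (expensive)", cost=120_000,
                    new_impact=2_000_000, new_return_period_years=20)

if __name__ == "__main__":
    print(f"IR = {FLOOD.inherent_risk:,.0f}")
    for wall in (CHEAP_WALL, DEAR_WALL):
        print(f"{wall.name}: RR = {wall.residual_risk():,.0f} -> {decide(FLOOD, wall)}")
    print("best option:", best_option(FLOOD, [CHEAP_WALL, DEAR_WALL]))
```

Running it reproduces the article's figures: IR of \$200,000, RR of \$120,000 for the \$20,000 wall (treat) and \$220,000 for the \$120,000 wall (accept). Likelihoods are validated as probabilities so a typo such as entering 10 instead of 0.10 fails loudly rather than inflating the risk figure.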