What is the difference between 'inherent risk' and 'residual risk'?


Inherent risk refers to the level of risk that exists in the absence of any controls or mitigation measures. It reflects the natural vulnerabilities and threats associated with a particular activity or system. Residual risk, on the other hand, is the risk that remains after these controls have been implemented. Essentially, it is the remaining exposure after the effectiveness of the control measures has been taken into account.

Drawing this distinction correctly helps organizations assess their risk posture accurately. Understanding inherent risk gives a clear picture of the potential vulnerabilities, while examining residual risk shows how effective the applied controls are at mitigating that risk. This insight is crucial for risk management, ensuring that stakeholders make informed decisions about risk acceptance and further control investments.

The other options mischaracterize the relationship between inherent risk and residual risk. For instance, suggesting that inherent risk is controllable implies that it can be modified by actions taken, whereas controllability applies only to the controls that aim to manage it, not to the inherent risk itself. Similarly, the idea that inherent risk occurs after controls are applied does not align with its definition, since inherent risk is measured before any control measures are enacted. Lastly, the reference to subjectivity and objectivity does not accurately represent the nature of these risks, as both can be assessed using objective
