Glossary

Inherent Risk

Risk level before mitigating measures are implemented.


Inherent risk is the level of risk that exists in a process, system or activity before any mitigating controls, safeguards or countermeasures are applied. It represents the raw, uncontrolled exposure an organisation faces from a given threat and is determined by factors such as the likelihood of the threat occurring and the potential impact if it materialises. Inherent risk is a fundamental concept in risk assessment methodologies used across all major compliance frameworks.

Understanding inherent risk is essential for effective risk management because it provides the baseline against which the effectiveness of controls can be measured. By comparing inherent risk (before controls) with residual risk (after controls), organisations can quantify the risk reduction achieved by their control environment, identify areas where additional controls may be needed and make informed decisions about risk acceptance, transfer or further mitigation in line with their risk appetite.
