Gross risk or residual risk: what is the difference and why is it crucial to know?
We'll guide you!
Risk management is an essential component in guaranteeing safety, quality and compliance within a company. Understanding and controlling the risks to which an organisation is exposed not only helps prevent incidents, but also ensures continuous improvement in performance.

Imagine a company that wants to manage its risks, and asks itself: "Gross risk? Residual risk? What are these things?" OK, calm down, take a breath, and we'll explain it all to you. Because, yes, risk management is serious business, but nobody said it couldn't be explained in a humorous way, did they?
What is Gross Risk?
Basically, the gross risk is the danger as it is, before you have got out your first aid kit and your bandages. In more serious jargon, it corresponds to the initial assessment of the risk, taking into account the probability of occurrence of an undesirable event and the extent of its consequences.

Examples of gross risks
- Safety at work
In a factory, the gross risk could be the possibility of an employee injuring themselves by handling a machine without protection.
- Product quality
For a food production company, a gross risk could be the possibility of contamination of products by pathogens.
- Legal compliance
Are you storing your customers' personal data without security? It's a bit like copying your text messages to your entire address book... embarrassing, isn't it?
Importance of gross risk assessment
Assessing gross risk is essential to understanding the level of threat a business faces in its natural state, i.e. without protection or corrective action. It means acknowledging that yes, there is an elephant in the room. And before looking for the emergency exit, you have to admit that there is a problem. This assessment serves as a starting point for determining the actions needed to reduce these risks.
What is Residual Risk?

So here we're talking about residual risk. It's a bit like that little drop of ketchup that remains on your white shirt after you've wiped it all off, or like those 'Hunt and Seek' cartoons in which you've found all the mistakes except the last one*. Yes, you've done everything right, but there's still a little bit left. Residual risk is the risk that remains after you've cleaned everything up and put your super controls in place.
Examples of residual risks
- Safety at work
Even after installing safety barriers, there's always a small chance of an accident. It's like when you say "Be careful" and it always ends with "I warned you...".
- Product quality
After all the quality controls, there is still a tiny chance of contamination. A bit like those grains of sand in your shoes after a day at the beach: they always come back.
- Legal compliance
Your data is encrypted, but there's always that slightly too curious hacker who can get in. It's like in the movies, when the bad guy always ends up finding the back door.
Importance of monitoring residual risks
Monitoring residual risks is like monitoring that famous drop of ketchup: you don't want to lose sight of it, or it will end up spreading and ruining your day. Monitoring and managing residual risks is crucial to maintaining compliance and protecting the business against undesirable events. It's about ensuring that today's little problem doesn't become tomorrow's big worry by continuing to evaluate the effectiveness of the measures put in place and adapting risk management strategies accordingly.
Key differences between gross and residual risks
| Criteria | Gross risk | Residual risk |
| --- | --- | --- |
| Definition | Initial risk, before any corrective action | Risk that persists after control actions |
| Evaluation | Based on probability and impact before controls | Based on probability and impact after controls |
| Objective | Identifying the threat in its natural state | Measuring the effectiveness of controls and assessing the residual threat |
| Management | Determines priorities for implementing controls | Requires continuous monitoring to maintain safety and compliance |
Impact on risk management
The distinction between these two types of risk has a direct influence on a company's risk management strategy. Understanding the gross risks enables you to prioritise the measures to be put in place, while assessing the residual risks enables you to judge the effectiveness of these measures and the need to add others. It's like knowing whether you're up against a lion or a kitten: both can bite, but they're not the same thing!

Risk management tools and methods
Risk assessment
To assess your gross and residual risks, you need the right tools: a bit like having a GPS when you're lost in the middle of nowhere. Whether it's qualitative analyses or risk matrices, you've got what it takes. These tools allow you to visualise risk levels and plan corrective actions. And believe me, it's better than walking blind!
Example of a platform tool
Our Siris+ governance solution is an excellent example of how to manage risk effectively. With modules dedicated to regulatory compliance, certifications and process automation, this platform provides an overview of gross and residual risks and makes it easier to manage them.
It's a bit like the ultimate first-aid kit: it helps you see through the gross risks, mitigate them, and keep an eye on what's left (that famous drop of ketchup).

Case studies
Imagine an automotive manufacturer using an integrated management system that was able to reduce its residual product quality risk by 40% after implementing automated controls and real-time monitoring processes.
It's a bit like managing to keep your shirt white, even after a meal of spaghetti bolognese. Hats off to you!
In a nutshell...
In short, gross risk and residual risk are like choosing between fighting an elephant or a drop of ketchup. While the gross risk represents the threat in its natural state, the residual risk is the one that persists after control actions. Both can cause you problems, but not in the same way. Understanding these differences is crucial to developing an effective risk management strategy.
By using advanced digital tools, businesses can better assess, monitor and mitigate these risks to ensure long-term compliance and security.
* On the montage, there's a lot of natural light, but the alarm clock shows night-time. Possible in some parts of the world, but not in Switzerland.
Bonus: additional resources
Because risk management is best done with a plan, and a bit of humour to take the edge off.