The three-point risk assessment model distinguishes three related but distinct measures of an organization's risk exposure at different stages of the control lifecycle. **Inherent risk** is the raw, uncontrolled exposure that exists due to the nature of the business activity, the threat landscape, and the organization's information assets — before any controls, safeguards, or mitigation strategies are applied. **Residual risk** is the risk remaining after management has deliberately designed and implemented controls; it represents the planned or expected post-control state, assuming those controls function as designed. **Current risk** (also called existing risk) is the actual exposure at a specific point in time — reflecting the real state of the control environment today, including control degradation, new threats, staffing gaps, and configuration drift. Together, the three form a progression: Inherent Risk → [Controls Applied] → Residual Risk → [Reality Check] → Current Risk. CRISC professionals use this model to isolate control effectiveness (the inherent-to-residual gap), detect control failure (the residual-to-current gap), and prioritize remediation investments.
Where it stops · what it isn't
- Inherent risk is NOT worst-case or catastrophic risk. It is the realistic baseline exposure absent controls, grounded in current threat likelihood and asset value, not in theoretical maximums.
- Residual risk is NOT inherent risk minus a fixed percentage. It is the risk remaining after defined controls are assumed to function correctly: a planned post-control state, not a calculated discount.
- Current risk is NOT synonymous with residual risk. Current risk accounts for real-world degradation, emerging threats, and control failures, so actual exposure can exceed the residual expectation (and a residual-to-current gap above zero is the signal that a control is not operating as designed).
- This model does NOT replace a full risk assessment methodology; it is a classification layer applied within a broader risk identification and analysis process.
- The three-way split reflects CRISC usage: 'net risk' (common in enterprise risk management) maps to residual risk; 'actual risk' or 'present risk' (used in some frameworks) maps to current risk. Align the terminology when working across frameworks.
- Inherent risk assessment does NOT assume a threat-free environment or project a future state; it applies today's threat likelihoods to the assets as if they were unprotected.
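As an added worked example (not part of the cubelet), the progression and the two gaps expressed as a small risk register in Python. It assumes a simple likelihood × impact scoring; models each control by a designed reduction factor plus its observed coverage (1.0 = operating as designed, 0.0 = absent); and carries a threat-drift multiplier so the current state can also reflect a changed threat landscape. The scenario names, figures and control names are constructed for illustration, and the prioritisation rule (rank by the residual-to-current gap) is one reasonable choice, not a CRISC prescription.

```python
"""Three-point risk register: inherent -> residual -> current gap analysis.

Added example; scoring model, scenarios and figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A control as designed (factors) and as actually operating (coverage)."""
    name: str
    likelihood_factor: float = 1.0  # designed multiplier on likelihood, 0..1 (1 = no effect)
    impact_factor: float = 1.0      # designed multiplier on impact, 0..1 (1 = no effect)
    coverage: float = 1.0           # observed fraction of scope where it works today

    def effective_factors(self) -> tuple[float, float]:
        """Interpolate the designed factors by observed coverage.

        coverage 1.0 -> control works as designed; 0.0 -> control absent.
        """
        return (
            1.0 - self.coverage * (1.0 - self.likelihood_factor),
            1.0 - self.coverage * (1.0 - self.impact_factor),
        )


@dataclass
class Scenario:
    name: str
    likelihood: float  # inherent annual likelihood, 0..1 (assessment baseline)
    impact: float      # inherent impact in cost units
    controls: list[Control] = field(default_factory=list)
    threat_drift: float = 1.0  # observed change in threat likelihood since baseline

    def inherent(self) -> float:
        """Exposure before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Planned post-control exposure: every control assumed to work as designed."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return lik * imp

    def current(self) -> float:
        """Exposure today: observed coverage per control, observed threat drift."""
        lik, imp = self.likelihood * self.threat_drift, self.impact
        for c in self.controls:
            lf, imf = c.effective_factors()
            lik *= lf
            imp *= imf
        return lik * imp


def control_effectiveness(s: Scenario) -> float:
    """Inherent-to-residual gap as a fraction of inherent risk (what the controls were designed to remove)."""
    inh = s.inherent()
    return 0.0 if inh == 0 else (inh - s.residual()) / inh


def control_failure(s: Scenario) -> float:
    """Residual-to-current gap: exposure above the planned post-control state."""
    return s.current() - s.residual()


def degraded_controls(s: Scenario) -> list[str]:
    """Controls whose observed coverage is below design, i.e. candidates for remediation."""
    return [c.name for c in s.controls if c.coverage < 1.0]


def prioritize(scenarios: list[Scenario], tolerance: float = 0.0) -> list[Scenario]:
    """Scenarios whose current risk exceeds residual by more than `tolerance`, worst first."""
    over = [s for s in scenarios if control_failure(s) > tolerance]
    return sorted(over, key=control_failure, reverse=True)


# Constructed register: three scenarios illustrating the three ways current can differ from residual.
REGISTER = [
    Scenario("Credential phishing against VPN", likelihood=0.6, impact=500_000, controls=[
        Control("MFA on VPN", likelihood_factor=0.1, coverage=0.7),        # 30% of accounts exempted
        Control("Awareness training", likelihood_factor=0.8),              # operating as designed
    ]),
    Scenario("Ransomware on file servers", likelihood=0.3, impact=2_000_000, controls=[
        Control("Offline backups", impact_factor=0.25),
        Control("EDR on servers", likelihood_factor=0.5),
    ], threat_drift=1.2),                                                  # threat activity up 20%
    Scenario("Insider data exfiltration", likelihood=0.1, impact=800_000, controls=[
        Control("DLP agent", likelihood_factor=0.5, coverage=0.0),         # agent found uninstalled
    ]),
]

if __name__ == "__main__":
    print(f"{'scenario':32} {'inherent':>10} {'residual':>10} {'current':>10} {'effect':>7} {'failure':>10}")
    for s in REGISTER:
        print(f"{s.name:32} {s.inherent():10.0f} {s.residual():10.0f} {s.current():10.0f} "
              f"{control_effectiveness(s):7.2f} {control_failure(s):10.0f}")
    for s in prioritize(REGISTER):
        print(f"remediate: {s.name} -> {degraded_controls(s) or 'no degraded control; threat drift'}")
```

Reading the output the way the model intends: control effectiveness (inherent-to-residual) is highest for the phishing scenario, yet it also has the largest residual-to-current gap, because the MFA control is only 70% deployed. The DLP scenario shows a control failure with no threat change at all, and the ransomware scenario shows a gap caused purely by threat drift, with every control still operating. Ranking by the residual-to-current gap therefore surfaces where the planned control environment is not the real one, which is the remediation question, rather than where controls were designed to matter most.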
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: IT Risk Assessment (CRISC Domain 2)
REQUIRES: Risk Scenario Development; Risk Analysis Methodologies (Qualitative and Quantitative)
ENABLES: Risk Treatment and Response Options; Control Design and Effectiveness Assessment; Risk Appetite and Tolerance Calibration
RELATED TO: Vulnerability Analysis; Threat Modeling; Business Impact Analysis
CONSTRAINS: Control Investment Prioritization and Budget Decisions