Overview

Risk consequence refers to the impact or outcome resulting from a risk event. Evaluating the severity of the consequences of a risk helps in identifying the risks that could have the largest impact on the business.

In StartRisk, users are required to assess the Inherent Consequence for each user-generated risk. In the case of a suggested risk, StartRisk’s AI will provide a recommended Inherent Consequence rating for users to review.

StartRisk captures tailored risk consequence assessment criteria for each risk class so that risk consequence is assessed in a consistent way. The criteria appear when viewing the Inherent Consequence selection section of the Risk Editor.


Key Concepts

Inherent Consequence is the potential impact of a risk event occurring without any mitigation or intervention measures in place. It represents the initial, raw level of impact a risk could have.

Residual Consequence is the level of impact that remains after implementing risk controls and mitigation strategies. It reflects the effectiveness of these measures in reducing the severity of the risk's impact. StartRisk will automatically assess this as controls are added against a risk.

Example

Consider a data breach in a financial institution. The inherent consequence of such a breach could be severe, including substantial financial loss, damage to reputation, and legal repercussions, assuming no protective measures are implemented.

Once the Inherent risk assessment was completed, the resulting risk rating was outside of our appetite. To address this, controls were implemented, including regular security audits, intrusion detection systems, and cyber risk insurance.

These controls reduce the consequence of a data breach, and the reduced consequence is represented by the Residual rating.
