Score every risk twice: inherent vs residual
Most risk registers contain one score per risk. Likelihood times impact, a colour, done. And that single number quietly conflates two very different questions: how dangerous is this thing, and how dangerous is it to us, given everything we already do about it?
Fold those into one score and you lose the most useful information a risk register can produce. Score them separately - inherent first, residual second - and the register starts earning its keep.
Two scores, two questions
Inherent risk is the exposure with no controls in place: if we did nothing - no backup supplier, no inspection, no contract clause, no fire suppression - how likely is this, and how badly would it hurt? It is a deliberately artificial question, and that is the point: it measures the size of the underlying threat, not the quality of your defences.
Residual risk is the exposure that remains with your current controls operating as designed. This is your real, live exposure - the number that should drive management attention, contingency planning and the action list.
Both are scored the same way on a 5x5 grid: likelihood 1-5, impact 1-5, multiplied into a score from 1 to 25 and banded Low / Medium / High / Critical. The mechanics take seconds. The value is in the gap between the two passes.
The gap is the point
Inherent 20, residual 6: a serious threat, well controlled - your controls are earning their keep, so protect them. Inherent 20, residual 18: a serious threat your controls barely touch - this is where the next pound of effort belongs.
Once you can see the gap, three conversations become possible that a single-score register cannot support:
- Control value. The distance between inherent and residual is a direct picture of what your controls achieve. A big gap on a big risk identifies the controls you must never let decay - the ones that deserve auditing, testing and an owner.
- Complacency detection. A register full of comfortable residual greens with no inherent scores behind them is unfalsifiable. Were those risks always small, or are they small because of controls that nobody has verified lately? Without the inherent score, you cannot tell - and neither can an auditor.
- Prioritisation that survives scrutiny. Rank by residual score for action, but review the biggest inherent scores periodically even when residual looks fine. The catastrophic-but-controlled risks are exactly the ones that bite when a control silently fails.
Running the register so it stays honest
Write risks as events, not topics. "Supply chain" is a heading. "Sole-source machining supplier fails, halting production for 6+ weeks" is a risk you can score, own and mitigate. A useful pattern: cause leads to event leads to consequence.
Name the controls before scoring residual. The residual score is only defensible if the controls it credits are written in the register. If you cannot name the control, you have not got one - you have got optimism.
One owner per risk. A risk owned by "Operations" is owned by nobody. Owners review their risks on a cadence set by band - Critical monthly, High quarterly, the rest at least annually - and the review date lives in the register so overdue reviews flag themselves.
Let the further actions drain. Where residual risk still sits above appetite, the register carries further actions with owners and dates. Those actions exist to move the residual score; if an action closes and the score does not move, the action was theatre.
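The two-pass scoring and the register checks above, written out as a small Python model. This is an added example, not code from the article or its register template; the band cut-offs (1-4 Low, 5-9 Medium, 10-15 High, 16-25 Critical) and the sample risks in the comments are assumptions, since the article names the bands but not their thresholds.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Band cut-offs are an assumption: the article names four bands but not their thresholds.
BANDS = ((16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"))
# Review cadence per band, in days: Critical monthly, High quarterly, the rest annually.
REVIEW_DAYS = {"Critical": 30, "High": 90, "Medium": 365, "Low": 365}

def score(likelihood: int, impact: int) -> int:
    """5x5 grid: likelihood 1-5 times impact 1-5, giving a score from 1 to 25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1-5")
    return likelihood * impact

def band(s: int) -> str:
    return next(name for floor, name in BANDS if s >= floor)

@dataclass
class Risk:
    event: str                 # written as an event, not a topic
    owner: str                 # one named person, not a department
    inherent: tuple            # (likelihood, impact) with no controls in place
    residual: tuple            # (likelihood, impact) with current controls operating
    controls: list = field(default_factory=list)   # the controls residual credits
    last_review: "date | None" = None

    def inherent_score(self) -> int: return score(*self.inherent)
    def residual_score(self) -> int: return score(*self.residual)
    def gap(self) -> int: return self.inherent_score() - self.residual_score()

def problems(r: Risk) -> list:
    """Reasons the residual score is not defensible; an empty list means it is."""
    out = []
    if r.gap() > 0 and not r.controls:
        out.append("residual credited below inherent with no named control")
    if r.gap() < 0:
        out.append("residual above inherent")
    return out

def review_overdue(r: Risk, today: date) -> bool:
    """Cadence follows the residual band; a never-reviewed risk is overdue."""
    if r.last_review is None:
        return True
    return today > r.last_review + timedelta(days=REVIEW_DAYS[band(r.residual_score())])

def top_exposure(risks: list, n: int = 10) -> list:
    """Rank for action by residual; tie-break by inherent so controlled giants stay visible."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)[:n]
```

A residual score claimed without a named control, or a review past its band's cadence, surfaces from `problems` and `review_overdue` instead of hiding in a comfortable green cell.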
This double-scoring discipline is also exactly what ISO 9001's clause 6.1 (actions to address risks and opportunities) and ISO 31000 have in mind - and it is the difference between a register that manages risk and one that decorates a management review pack. If your register feeds a QMS, the documentation guide shows where it fits.
The risk register that scores twice
Inherent and residual 5x5 scoring with dropdowns, a live heatmap that counts open risks cell by cell, an automatic top-10 exposure table and overdue-review alerts.