What is the main distinction between inherent risk and residual risk in Open FAIR?


The main distinction between inherent risk and residual risk lies in their definitions and timing in relation to risk management controls. Inherent risk is the level of risk that exists in the absence of any controls or mitigating measures. It represents the natural exposure to loss and vulnerabilities that an organization faces due to its operations, environment, and activities.

On the other hand, residual risk is the level of risk that remains after controls have been implemented. These controls can include policies, procedures, and technologies put in place to mitigate the inherent risks. Residual risk essentially reflects the effectiveness of the controls in reducing the potential impact or likelihood of a risk event.

This means that the correct choice clearly identifies the relationship between the two types of risks: inherent risk is assessed prior to any risk mitigation actions, while residual risk accounts for the impact of those actions. Understanding this distinction is crucial in risk management frameworks like Open FAIR, as it guides organizations in evaluating their risk landscape and the effectiveness of their efforts to mitigate those risks.
