Residual Risk Isn't a Test to Pass

If you look at a firm's risk assessment and find row after row of residual risk rated Low, you might not be looking at the record of a well-run business, counterintuitive as that sounds.

That tidy list of Low ratings is usually evidence that firms are trying their best to get the answer right, while fundamentally misunderstanding the question. Firms tend to treat risk assessment like a test to be passed, and a profile of Low ratings feels like the answer that gets full marks, proof that the business has everything under control.

Yes, the regulator wants things buttoned up, but it isn't grading on tidiness. It expects firms to understand their risk and actively manage it, at whatever level that risk sits.

Firms are entitled to carry residual risk, sometimes a meaningful amount of it. What the regulator wants to see is the risk sitting firmly between two things: a realistic, well-reasoned risk appetite above it, and the well flexed musculature of a robust set of controls underneath it.

I'm not suggesting that a uniform low risk result couldn't happen, there are firms out there with a genuinely low-risk client base and well-built controls, I just think there's a chance they might also have hoofs and a horn on their forehead.

Firms that dig in and are honest about their internal and external environment tend to have the risk texture to show for it. Some risks are assessed and rated Low with a clear explanation of why. Others sit at Medium, or higher, because the control managing them is only effective to a point, but the firm has made a considered, commercial decision that the remaining exposure is one it can live with.

The difference between our horned friends and a firm with real texture in its risk profile is honest-to-goodness working governance. Ask the second firm how it knows its controls work, and it has an answer, a testing record, a sample review, a monitoring report and a board that's seen the numbers and asked questions about them. It has a clear sense of where commerciality and risk management meet.

If we can agree that we don't have an infestation of unicorns, wondrous though that might be, what we actually have is a misunderstanding of risk and expectation.

Let's say this loudly for the nervous folks in the back: the regulator isn't expecting Low risk across the board. Nobody is marking a firm down for a Medium or High residual rating, provided that rating sits within a considered, documented risk appetite and is backed by controls doing real work. A rating above Low isn't a de facto red flag.

We need to get comfortable handling residual risk with a mixture of understanding, articulating and monitoring. They aren't discrete activities. Understanding is knowing precisely what's still exposed once a control is in play. Articulating is writing that down clearly enough that any reader, a colleague, a board, a regulator, can see exactly what the control does and doesn't do. Monitoring is checking, on an ongoing basis, that the control is still doing what the articulation says it does, and catching it early when the environment, internal or external, shifts.

Firms that struggle with residual risk usually aren't failing at all three. They're failing at the first one, and the other two collapse as a result. You can't write an honest account of a risk you haven't actually interrogated or build a control that answers a threat you haven't named specifically enough to design against. Uniform Low ratings are usually a symptom of that first gap.

Risk management is about knowledge, not perfection.

Don't try and be the unicorn.

Be a sceptical realist: know your environment, be honest about your appetite and capacity for control, then document it so you can monitor and adapt.