Inherent vs. Residual Risk

Inherent risk is exposure before controls; residual risk is what remains after controls are applied — the model regulators expect in a risk assessment.

A formal compliance risk assessment uses a three-part model. Inherent risk is the level of risk a product, customer, or geography presents before any controls — for example, offering cross-border crypto transfers is inherently higher-risk than a domestic-only product.

Controls are the policies, procedures, systems, and people that mitigate that exposure. Control effectiveness is typically rated (for example, Yes / Partial / No / N/A) and supported with evidence.

Residual risk is what remains after applying controls to inherent risk. Examiners expect to see this reasoning documented: a defensible residual rating, the evidence behind each control, and a plan for any gaps. This is what distinguishes a formal Risk Assessment from a quick gap check.

This glossary entry is educational and does not constitute legal advice. Always consult qualified legal counsel for jurisdiction-specific guidance.