In today’s business environment, risk management is crucial. A key element in ensuring its effectiveness is the calculation of residual risk.
Residual risk allows us to assess how effective the controls we have implemented are. With this information, we can prioritize the continuous improvement of our Crime Prevention Model, also known as CPM.
The importance of residual risk has become even more evident with changes in legislation, such as the recent Economic Crimes Act and the update to the Criminal Liability of Legal Entities Act, where companies are exposed to risks they previously did not consider, especially following the aforementioned regulatory changes that broaden the scope of liability for them.
Let us recall that inherent risk is the risk to which a company or organization is exposed simply by carrying out its activities. It is risk per se, without the assessment or intervention of any controls. By calculating residual risk, companies can determine their actual level of exposure to a specific risk once controls are already in place.
In practical terms, we obtain residual risk by assessing inherent risk—that is, risk without any controls. From this value, we subtract or adjust based on the effectiveness of the controls we have implemented.
This calculation, often represented in risk matrices, allows us to focus our efforts and resources on those risks that pose a significant threat to companies.
In this way, this calculation can help us:
- Identify where our current controls are not sufficiently effective.
- Guide our decisions on where to invest in new prevention and detection measures.
- Demonstrate to auditors, inspectors, and even the Public Prosecutor’s Office that we understand our risks and are taking steps to mitigate them.
- Strengthen the continuous improvement of our Crime Prevention Models.
Therefore, residual risk analysis is not merely a technical exercise. It is an essential element for traceability, defense, and the constant improvement of our Crime Prevention Models, especially now that punishable conduct and legal requirements are broader and more diverse.
For all these reasons, we recommend that companies and organizations:
- Update their risk matrices to include residual risk analysis.
- Review the effectiveness of their current controls through internal assessments, audits, and other objective metrics.
- Train those responsible for the Crime Prevention Model and the first lines of defense on how to use and understand residual risk as a key management tool.
By strengthening the calculation of residual risk, organizations not only comply with the new regulation but also build a solid foundation for more effective and transparent management of their Crime Prevention Models.
For more information on these topics, please contact our Compliance Group:
Rodrigo Albagli | Partner | ralbagli@az.cl
Yoab Bitran | Director Compliance Group | ybitran@az.cl
Loreto Osorio | Associate | losorio@az.cl
Sebastián Achondo | Associate | sachondo@az.cl
Felipe Barrera | Associate | fbarrera@az.cl
Be part of our multimedia platform and you can receive the latest legal news, events, podcazt and webinars.
