Inherent

The level of risk before any controls are applied.

Inherent risk is the raw, gross risk an activity carries before any controls are applied — the worst case if nothing were done. Subtract the effect of controls and you get residual risk: inherent − controls = residual. Reporting both side by side makes the value of the security program visible to leadership, showing how much risk the controls actually remove.
