Most risk tools hand you a single number and call it a day. A traffic light turns red, a score lands somewhere between 1 and 10, and you are left trying to explain to the board why it is a 7 rather than a 4 — and what, precisely, you are doing about it. The three-tier model inside Aigis GRC is built around the belief that a single number is never the whole story. What you actually need are three distinct scores that form a logical chain: where you start, how much your controls are pulling the weight, and where you land.

What does "inherent risk" actually mean?

Inherent risk is the exposure you would carry if every control failed or simply did not exist. No firewall, no access review, no incident-response procedure — what is the raw liability of the underlying activity?

This framing matters because it anchors the conversation in business reality, not security theatre. A payment processor ingesting card data in a regulated jurisdiction carries a structurally higher inherent risk than a read-only analytics portal. Aigis models inherent risk by combining the asset or obligation in scope, the threat surface it faces, and the regulatory context the organisation has activated. The output is a number on a 0–100 scale (call it an inherent score of, say, 87 for a high-volume data-processing operation in a GDPR-regulated environment) that represents unmitigated exposure.

The key discipline here is to never let controls contaminate inherent scores. A team that has invested heavily in encryption sometimes unconsciously rates inherent risk low because "we have good controls." That is the wrong move. Inherent risk is the floor before controls enter the picture — it changes only when the underlying activity, asset classification, or regulatory scope changes.

How does control effectiveness reduce that number?

The second tier is where your security programme earns its keep. Aigis evaluates each control mapped to a risk along two dimensions: coverage (does this control actually address the threat vector?) and maturity (is it implemented, tested, and reliably operating?). The combination produces an effectiveness reduction — the points the control stack takes off the inherent score.

Consider the same 87-point inherent score from above. If the organisation has deployed encryption at rest and in transit, runs quarterly access reviews, and can evidence both with audit artifacts, the aggregate effectiveness reduction might be −54. That is not an arbitrary discount; it reflects which specific threat vectors each control addresses and how confidently Aigis can verify it is operating.

This is the layer that most legacy GRC platforms collapse into a checkbox. "Control present: yes/no" tells you almost nothing. A control that is theoretically deployed but never tested, has a six-month-old evidence date, or only covers half the asset population is not delivering −54 points of reduction — it may be delivering −10. Aigis surfaces that gap, which is the first step toward closing it.

What is residual risk, and why is it the number you defend?

Residual risk is the exposure that remains after your controls have done their work: inherent minus effectiveness reduction. In the running example, 87 − 54 = residual 33.

Thirty-three is the number you bring to the board. It is the number that appears in your SOC 2 audit package, in your DORA ICT risk register, in the table you hand a DPO when they ask about processing risk. It is defensible because it is derived — there is a traceable calculation behind it rather than a gut-feel rating. If a regulator asks why a risk is scored 33, you can walk them through the inherent exposure, name the controls that produced the reduction, and point to the evidence dates that confirm those controls were operating at assessment time.

Residual risk also has a natural policy anchor: your risk-appetite threshold. If your organisation has declared that any risk above 40 requires a treatment plan, a residual of 33 is within appetite. A residual of 61 triggers a decision: accept with documented rationale, transfer via insurance or contract, or remediate by improving or adding controls. Aigis makes that decision explicit and auditable rather than leaving it to institutional memory.

What happens when effectiveness drops — does residual update automatically?

Yes, and this is one of the more practically useful properties of the three-tier model. Controls are not static. Evidence ages. Vendors are decommissioned. A control that earned a high effectiveness score last quarter may score lower today because its evidence is stale or because a configuration-drift event was flagged.

When Aigis detects a change in effectiveness — through a new assessment, an expiring evidence artifact, or an obligation-state change — residual risk recalculates. You do not need to manually re-score the risk. The score surface at the board or regulator level shifts, and any thresholds you have set generate the appropriate alerts. This keeps the register a live instrument rather than a point-in-time snapshot that decays from the moment it is produced.

Do inherent and residual scores flow up to an organisation-level view?

They do. Aigis aggregates individual risk scores across your activated regulations and obligation domains into a portfolio view. You can slice by regulatory framework, by asset class, or by control owner. The inherent-versus-residual gap at the portfolio level tells you, at a glance, how much total risk reduction your security programme is actually delivering — and where the largest gaps remain.

For organisations operating across multiple jurisdictions, the same underlying risk may be governed by two or three overlapping regulations. Aigis maps each regulation's obligations to the shared risk, so you score once and comply across frameworks, rather than maintaining parallel registers that inevitably drift out of sync.

FAQ

Can I override a calculated score? You can document a manual adjustment with a rationale, and Aigis preserves both the calculated and overridden values. Auditors see the override and the reason, which is cleaner than a system that silently accepts a hand-edited number with no trail.

What if I do not have evidence for a control yet? An unmapped or unevidenced control contributes zero to effectiveness reduction. The residual score reflects reality: a control you cannot prove is operating is not reducing your risk in any auditable sense.

Is the model customisable? The weighting logic is configurable at the organisation level. If your risk-appetite framework uses a different scale or weights certain threat vectors more heavily, Aigis can be calibrated to match your existing methodology — the three-tier structure stays, the parameters flex.

The three-tier model is not a novelty. It reflects how mature risk frameworks — ISO 27005, NIST RMF, and DORA's ICT risk-management expectations — reason about risk. What Aigis does is make it operational: calculated, evidence-linked, and always current.

If you want to see how your current control investments map to inherent exposure across your active regulations, book a mapping session with the Aigis team at agrc.ai. Bring your existing register; leave with a defensible residual score.