Residual Risk
What is Residual Risk?
Residual Risk: The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
Residual risk is what is left of the inherent risk once existing or planned controls reduce likelihood or impact. It is the figure that matters most for decision-making because controls are never perfect and threats evolve. Organizations compare residual risk to their risk appetite and tolerance: anything above must be treated further, escalated, or formally accepted with documented justification and an owner. Residual risk is recorded in the risk register and reviewed periodically, especially when controls fail, threats change, or new dependencies emerge. Boards and regulators increasingly demand explicit residual risk reporting to demonstrate informed decisions.
● Examples
- 01: Residual risk of phishing breach after deploying MFA, training, and email filtering.
- 02: Documented acceptance of residual risk for a legacy system pending decommissioning.
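As an added example that is not part of the original glossary entry, the Python below models the decision rule described above: inherent likelihood and impact are reduced by each control, the residual score is compared to a tolerance, and a risk above tolerance can only be marked accepted when an owner and a justification are recorded. The two examples on this page (phishing after MFA, training and filtering; a legacy system awaiting decommissioning) are encoded with constructed 1-5 scores, reduction factors and a tolerance value that are assumptions, not figures from the page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed scale: likelihood and impact each 1-5, score = likelihood x impact.


@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction of likelihood removed (0..1), constructed
    impact_reduction: float = 0.0      # fraction of impact removed (0..1), constructed


@dataclass
class Risk:
    name: str
    inherent_likelihood: float
    inherent_impact: float
    controls: list = field(default_factory=list)
    owner: Optional[str] = None          # required to formally accept residual risk
    justification: Optional[str] = None  # documented reason for acceptance


def residual_score(risk: Risk) -> float:
    """Inherent likelihood x impact after each control's reduction is applied in turn."""
    lik, imp = risk.inherent_likelihood, risk.inherent_impact
    for c in risk.controls:
        lik *= 1 - c.likelihood_reduction
        imp *= 1 - c.impact_reduction
    return round(lik * imp, 2)


def register_row(risk: Risk, tolerance: float) -> dict:
    """Compare residual risk to tolerance and apply the treat / escalate / accept rule."""
    score = residual_score(risk)
    if score <= tolerance:
        status = "within tolerance"
    elif risk.owner and risk.justification:
        status = "accepted"  # above tolerance, but formally accepted with owner and justification
    else:
        status = "treat further or escalate"  # undocumented acceptance is not allowed
    return {"risk": risk.name, "inherent": risk.inherent_likelihood * risk.inherent_impact,
            "residual": score, "status": status, "owner": risk.owner}


# Constructed register entries mirroring the two examples on the page.
PHISHING = Risk("Phishing breach", 5, 4, controls=[
    Control("Security awareness training", likelihood_reduction=0.3),
    Control("Email filtering", likelihood_reduction=0.5),
    Control("MFA", impact_reduction=0.5),  # a stolen password alone no longer grants access
])
LEGACY = Risk("Legacy system pending decommissioning", 4, 5)
LEGACY_ACCEPTED = Risk("Legacy system pending decommissioning", 4, 5,
                       owner="Head of IT", justification="Decommission scheduled next quarter")
TOLERANCE = 4.0  # constructed board-set maximum residual score

if __name__ == "__main__":
    for r in (PHISHING, LEGACY, LEGACY_ACCEPTED):
        print(register_row(r, TOLERANCE))
```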
● Frequently asked questions
What is Residual Risk?
The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you defend against Residual Risk?
Residual risk is managed rather than eliminated: it is compared against the organization's risk appetite and tolerance, and anything above that level is treated further, escalated, or formally accepted with a documented justification and a named owner, then tracked in the risk register and reviewed when controls fail or threats change, as described in the definition above.
What are other names for Residual Risk?
Common alternative names include: Net risk, Post-control risk.
● Related terms
- Inherent Risk: The level of risk that exists in an activity or asset before any controls or mitigations are applied, reflecting raw exposure to threats.
- Risk Treatment: The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- Risk Management: The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Risk Appetite: The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
- Risk Register: A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- NIST Risk Management Framework: A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.
● See also
- Risk Tolerance