Residual risk Definition: The risk remaining after security controls have been put in place as a means of risk mitigation.
Residual risk is the threat exposure that remains after security controls have been implemented. No security program can eliminate all risk, so understanding, documenting, and accepting residual risk is an essential part of risk management. Residual risk must be evaluated against the organization's risk tolerance.

Residual risk assessment is required by frameworks such as ISO 27001 and the NIST RMF, as well as by various regulatory standards. Organizations manage residual risk through formal risk acceptance processes, periodic reassessment, exception tracking, and additional compensating controls when needed.

For example, after implementing encryption and access controls for a cloud-based customer relationship management system, a company might formally document the residual risks, such as the possibility of insider threats or zero-day vulnerabilities, and have executives sign off on accepting these risks after confirming that they fall within organizational risk tolerance levels.

Related terms: Risk acceptance, Risk mitigation, Risk tolerance, Risk appetite, Inherent risk, Compensating control, Risk treatment, Risk register.