What is Residual Risk?

Residual risk is the risk that remains after security measures and controls have been put into place. You can also think of residual risk as the inherent risk. When you first identify a risk, and work to mitigate the risks you find unacceptable, you will be able to eliminate most of them, but not all of them. This is simply because it is not possible to eliminate all risks. The risks that remain are known as the residual risks.

Why is identifying residual risks important?

Identifying, monitoring and understanding residual risks is essential for your business as it ensures you are able to confidently and correctly identify how these potential security threats can negatively impact your business. Without fully understanding the entire picture of how your organization is protected, and what risks threaten your organization, you will not be able to make informed security decisions.

Monitoring residual risk is not only integral to the health of your organization, but is also a necessity for ISO 27001 regulations. It is these regulations that help organizations measure how safe and secure their information assets are before, during and after sharing them with vendors and third parties.

How is Residual Risk related to Acceptable Level of Risk?

The purpose of assessing residual risks is to find out whether the planned treatment is sufficient. The question is: how do you know what is sufficient? This is where the concept of an acceptable level of risk comes into play – it is nothing else but deciding how much ‘risk appetite’ an organization has, or in other words whether management thinks it is fine for the company to operate in a high-risk environment where it is much more likely that something will happen, or whether management wants a higher level of security involving a lower level of risk.

Both approaches are allowed in ISO 27001 – each organization has to decide what is appropriate for its circumstances (and for its budget). The former approach is probably better for high-growth startup companies, while the latter is usually pursued by financial organizations.

Residual Risk Management

When it comes to identifying and measuring residual risks, there are three main paths to choose from for managing them:

  1. If the level of risk is below the acceptable level of risk, then you should not take action – management needs to formally accept those risks and monitor them to ensure they do not become more serious.
  2. If the level of risk is above the acceptable level of risk, then your organization needs to identify new ways to mitigate these risks and reassess the residual risks after mitigation.
  3. If the level of risk is above the acceptable level of risk, but the cost of decreasing the risk is higher than the impact of the risk, then you may consider these risks acceptable. It is advised to methodically monitor these risks to ensure they do not become unacceptable and pose bigger threats.
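
As an added illustration (not code from the original article), the following Python models a small risk register and applies the three treatment paths above to each entry. The 1–5 likelihood and impact scales, the acceptable level of 8, the way controls reduce likelihood, and the use of expected annual loss as the "impact" compared against mitigation cost in path 3 are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int               # 1 (negligible) .. 5 (severe); assumed scale
    control_reduction: int    # likelihood levels removed by controls already in place
    mitigation_cost: float    # cost of further treatment (constructed currency units)
    annual_loss: float        # expected annual loss if the risk materialises

ACCEPTABLE_LEVEL = 8          # assumed risk appetite: residual score <= 8 is acceptable

def inherent_score(r: Risk) -> int:
    """Risk score before any controls are considered."""
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    """Risk score after controls; likelihood never drops below 1 (no risk is eliminated)."""
    return max(1, r.likelihood - r.control_reduction) * r.impact

def treatment(r: Risk, acceptable: int = ACCEPTABLE_LEVEL) -> str:
    """Map a risk to one of the three paths described in the article."""
    score = residual_score(r)
    if score <= acceptable:
        return "accept-and-monitor"        # path 1: below appetite, formally accept
    if r.mitigation_cost > r.annual_loss:
        return "accept-cost-justified"     # path 3: treatment costs more than the loss
    return "mitigate-and-reassess"         # path 2: treat further, then reassess

def evaluate_register(risks):
    """Return {name: (inherent, residual, decision)} for a whole register."""
    return {r.name: (inherent_score(r), residual_score(r), treatment(r)) for r in risks}

# Constructed sample register (one entry per treatment path).
SAMPLE_REGISTER = [
    Risk("laptop-theft", likelihood=4, impact=3, control_reduction=2,
         mitigation_cost=20_000, annual_loss=30_000),
    Risk("vendor-breach", likelihood=5, impact=4, control_reduction=1,
         mitigation_cost=50_000, annual_loss=200_000),
    Risk("datacentre-flood", likelihood=3, impact=4, control_reduction=0,
         mitigation_cost=500_000, annual_loss=40_000),
]

if __name__ == "__main__":
    for name, (inh, res, decision) in evaluate_register(SAMPLE_REGISTER).items():
        print(f"{name:18} inherent={inh:2} residual={res:2} -> {decision}")
```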

When deciding what to do with residual risk, your organization should have a systematic approach. Digging deep into risks will allow for better practice within your organization, save you time and money, and will help you better determine next steps.
