What is residual risk and why should an organization understand its importance?
Let’s say your organization has identified a risk. You have gone through the entire risk management process and have implemented the approved controls in order to mitigate this risk. Most of the time, what actually happens is “mitigation” of the risk, not its complete removal. This means that a small amount of risk remains that the control does not protect against; this is the residual risk.
Residual risk is not always a bad thing; however, it is important for an organization to know that it exists. A control should never be portrayed as having completely eliminated a specific risk (unless, on the rare occasion, that is truly the case). Senior leaders within the organization must be aware of this residual risk so that they can decide whether to change the control, add another control, or simply accept the risk and move on. The decision to accept the risk can only be made by leadership, so they must be made aware of it. While usually unlikely, it is still possible for a malicious or otherwise bad event to take place via this residual risk.
Just remember, even after controls have been put in place to protect against a threat, there is usually still some risk that remains! Identify it, and then either accept it or implement additional controls to protect against it.