Glossary

Residual Risk

Remaining risk level after implementing mitigating measures.

Residual risk is the level of risk that remains after all identified controls and mitigation measures have been applied. No control environment can eliminate risk entirely, so residual risk represents the exposure an organisation consciously accepts. It is derived by taking the original (inherent) risk level and reducing it by the effectiveness of the implemented controls.

Understanding residual risk is essential for informed decision-making by senior management. If the residual risk exceeds the organisation's defined risk appetite, additional controls must be implemented or the risk must be transferred, for instance through insurance. Documenting residual risk in the risk register ensures ongoing visibility and facilitates periodic reassessment.