residual risk

Residual risk is the threat that remains after an organization has implemented the security controls needed to comply with legal requirements; more generally, it is the threat that remains after all efforts to identify and eliminate risk have been made.

There are four basic ways of dealing with risk: reduce it, avoid it, accept it or transfer it. Because residual risk is, by its nature, not fully known, many organizations choose to either accept it or transfer it -- for example, by purchasing insurance to transfer the risk to an insurance company.

When addressing residual risk, organizations should: 

  • Identify relevant governance, risk and compliance (GRC) requirements.
  • Determine the organization's control framework's strengths and weaknesses.
  • Acknowledge existing risks.
  • Define the organization's risk appetite.
  • Identify available options for offsetting unacceptable residual risks.

See also: speculative risk, pure risk, operational risk, key risk indicator 

This was first published in April 2014
