residual risk

Contributor(s): Fran Sales

Residual risk is the threat that remains after all efforts to identify and eliminate risk have been made.

There are four basic ways of dealing with risk: reduce it, avoid it, accept it or transfer it. Because residual risk by its nature cannot be fully identified or quantified, many organizations choose to either accept residual risk or transfer it -- for example, by purchasing insurance to transfer the risk to an insurance company.

When addressing residual risk, organizations should: 

  • Identify relevant governance, risk and compliance (GRC) requirements.
  • Determine the organization's control framework's strengths and weaknesses.
  • Acknowledge existing risks.
  • Define the organization's risk appetite.
  • Identify available options for offsetting unacceptable residual risks.

See also: speculative risk, pure risk, operational risk, key risk indicator 


This was last updated in April 2014
