Definition

residual risk

Francesca Sales, Site Editor

Residual risk is the threat that remains after all efforts to identify and eliminate risk have been made.

There are four basic ways of dealing with risk: reduce it, avoid it, accept it or transfer it. Since residual risk is unknown, many organizations choose to either accept residual risk or transfer it -- for example, by purchasing insurance to transfer the risk to an insurance company.

When addressing residual risk, organizations should:

Identify relevant governance, risk and compliance (GRC) requirements.
Determine the organization's control framework's strengths and weaknesses.
Acknowledge existing risks.
Define the organization's risk appetite.
Identify available options for offsetting unacceptable residual risks.

This was last updated in April 2014

Continue Reading About residual risk

Review five steps to identifying residual risk in the risk assessment process

Learn the operational and compliance risks associated with outsourcing

Read this ISO27k FAQ for common questions regarding risk assessment and management

Watch this video on how to be more proactive in your risk assessments

Check out the Information Security Handbook's residual risk formula

residual risk

Continue Reading About residual risk

Dig Deeper on Risk management and compliance

How to perform a cybersecurity risk assessment, step by step

5 steps to determine residual risk during the assessment process

pure risk (absolute risk)

Acquiring cybersecurity insurance: Why collaboration is key

Continue Reading About residual risk

Related Terms

Dig Deeper on Risk management and compliance

How to perform a cybersecurity risk assessment, step by step

5 steps to determine residual risk during the assessment process

pure risk (absolute risk)

Acquiring cybersecurity insurance: Why collaboration is key