Residual risk is the risk that remains after all efforts to identify and eliminate risk have been made.
There are four basic ways of dealing with risk: reduce it, avoid it, accept it or transfer it. Because residual risk cannot be fully characterized in advance, many organizations choose either to accept it or to transfer it, for example by purchasing insurance that shifts the risk to an insurance company.
When addressing residual risk, organizations should:
- Identify relevant governance, risk and compliance (GRC) requirements.
- Determine the strengths and weaknesses of the organization's control framework.
- Acknowledge existing risks.
- Define the organization's risk appetite.
- Identify available options for offsetting unacceptable residual risks.