Residual Risk

What is Residual Risk?

Residual risk is the byproduct of managed risk that remains after controls are implemented. Residual risk is measured by subtracting the quantified efficiency of your overall risk management program from your inherent risk factors. The risk that remains in a given context based on the current mitigating controls is called residual risk.

When it comes to risk management, at some point the question of “When do we stop?” is going to be asked. Risk can never be fully eliminated, and residual risk will always be present. Many businesses invest valuable time and resources to create risk management strategies, but few measure the effectiveness of their efforts. 

The point at which we stop mitigation efforts is defined by risk acceptance. Risk appetite or risk tolerance levels are used as the basis for decision-making and justification of acceptable risk. The level of residual risk compared to your risk appetite is a good indicator of the effectiveness of your overall risk management.

Residual Risk

What is the Formula for Residual Risk?

To better understand what residual risk is, we can take a look at the classic formula that is used to calculate it.

Residual risk = Inherent Risk – Impact of Mitigation Controls

What is the relationship between inherent risk vs. residual risk?

Inherent Risk is the risk that an entity is exposed to before mitigation factors are put in place. Also termed “gross risk”, inherent risk is the full scope of risks in the absence of mitigation controls.

The impact of Mitigation controls is the amount of risk eliminated or mitigated by implementing risk controls.

In an ideal world, risk should be eliminated completely, but in reality, it is not possible to get down to the zero mark and there will always be some level of residual risk. A low residual risk cyber security score after running the formula means that risk mitigation controls are effective and tolerable.

In a quantitive risk assessment, the numbers placed in the formula are monetary amounts. Risk is translated to a concrete financial sum, and the residual risk is the dollar amount that is at risk of being lost should a given scenario occur with the mitigation controls implemented. In a more qualitative risk assessment, risk assessments are usually carried out by using risk scores. 

How To Calculate Residual Risk: Practical Steps

  1. Identify and calculate inherent risk
    1. Identify the threat landscape and assign a threat probability level.
    2. Determine the severity of the risk and calculate the inherent cybersecurity risk factors

To gauge the risk’s severity, consider the potential business impact. An important business unit with a short recovery duration demonstrates a high level of criticality and would, thus, have a significant impact on the company should a disruption occur, in contrast to a business unit with a considerably longer recovery timescale.

In a qualitative risk assessment, a high score means that the scenario has a high inherent risk and a  lower score means that it has a low inherent risk.

  1. Identify risk tolerance level

Based on the inherent risk cybersecurity level, you will need to determine how much risk you’re willing to accept. The less risk you’re willing to accept, the tighter the mitigation controls you will need and the more effort you will need to invest in mitigation efforts. 

You can calculate your measure of risk tolerance by multiplying the percentage of risk tolerance times the inherent risk factor. The resulting number is your risk tolerance level.

  1. Assess and score your mitigating controls.

Evaluate each of your mitigating controls against the standard or risk framework your risk strategy is based on. Determine if your recovery and mitigation plans are in line with the guidelines of the standard. Score each control by its effectiveness and qualifications outlined in the standard.

  1. Calculate your residual risk.

Now you are ready to complete the residual risk calculation. Subtract the mitigating control score from the inherent risk calculation. Compare the resulting number to the risk factor-tolerance number. If it’s equal to or higher than the risk factor-tolerance number, you are well within the tolerance range. The mitigation plan you’ve created is acceptable.

If the result is less than your tolerance for risk, the strategy is insufficient. Depending on how far off the mark you are, you may need to take further action to improve the efficacy of your risk mitigation plan.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about Residual Risk

Are Residual Risks Always Accepted?

Residual risks are not always accepted risks. After identifying a risk mitigation plan, the residual risks are recalculated. The objective of the introduction of control is to eliminate or lower identified risks. If the residual risks are acceptable due to the adopted corrective actions, then the residual risk is called an acceptable risk. If the risk is still above the threshold, a reassessment of the problem is warranted and an introduction of new ideas to lower the risks is necessary.

This does not mean, however, that once accepted the risks will not change in forthcoming repetitions of the risk management life-cycle. Within the recurring phases and activities of the Risk Management processes the severity of these risks will be measured over time. If new assertions are made or changing technical conditions are identified, risks that have been accepted need to be reconsidered.

How Are Residual Risks Managed?

Managing residual risk comes down to choosing one of the following practices:

  • Accept and Done. If the residual risk is below the acceptable threshold of risk, you can simply accept it.
  • Reevaluate Controls and Further Reduce Risk. New or updated controls and procedures might be required to lower the inherent risk to a level that is regarded as acceptable if the residual risk is still higher than the acceptable risk level.
  • Transfer Risk. Residual risk can be transferred to another entity, for example, by purchasing insurance to place the risk on an insurance company.

Can Centraleyes Help you with Residual Risk Calculation?

Centraleyes is designed to provide security and risk management teams with a simple method to evaluate risk. You can easily assess the risk factor of each business unit, calculate the effectiveness of mitigating controls and evaluate them, establish risk tolerance levels, and perform a residual risk calculation for each business asset. 

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Want to talk to Centraleyes about Residual Risk?

Related Content

 Data Subprocessor

 Data Subprocessor

What is a Data Subprocessor? A Data Subprocessor is a third party engaged by a Data…
Threat-Based Risk Assessment

Threat-Based Risk Assessment

What is a Threat-Based Risk Assessment? Threat-Based Risk Assessment is an approach that incorporates real-time threat…
Semi-Quantitative Risk Assessment

Semi-Quantitative Risk Assessment

Various methodologies are employed to identify, evaluate, and mitigate risks. Among these methodologies, semi-quantitative risk assessment…
Skip to content