
What is residual risk? How is it different from inherent risk?

Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.

Residual risk is important for several reasons. First, residual risk is the risk left over after security controls and process improvements have been applied, so it is something organizations might need to live with based on the choices they have made regarding risk mitigation. Alternatively, they could transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance company.

Residual risk management is also important for compliance and regulatory requirements. For example, the International Organization for Standardization's ISO 27001 standard requires this type of risk calculation. Finally, calculating residual risk helps determine which security controls and processes should get priority over time.

Inherent risk vs. residual risk

To calculate residual risk, organizations must understand the difference between inherent risk and residual risk. Inherent risk is the risk present in any scenario where no attempts at mitigation have been made: no controls or other measures have been applied to reduce the risk from its initial level to a level more acceptable to the organization.

Residual risk is the risk remaining after risk management efforts have been made to reduce the inherent risk.

Diagram: When controls are applied to inherent risk, what remains is residual risk.

Examples of residual risk

Despite their best efforts, organizations in various industries face residual risk. Examples include the following:

  • Banks. Cyberattacks are a key area of residual risk for all financial services providers. Various cybersecurity measures, such as firewalls, encryption and multifactor authentication, are used to reduce residual risk, but banks can remain vulnerable to advanced persistent threats and zero-day exploits.
  • Healthcare providers. Hospitals and other healthcare facilities reduce residual risk with a range of infection control procedures. However, hospital-acquired infections remain a risk as various pathogens become resistant to mitigation processes and existing controls.
  • Manufacturing. Factories have various safety features, such as machine guards and emergency stop buttons. They also conduct regular safety training. Nevertheless, equipment can malfunction, operator mistakes can happen, and residual risk of workplace injuries persists.
  • Supply chain management. Organizations have many strategies to prevent supply chain disruptions. However, natural disasters and geopolitical conflicts can affect transport capabilities and supply chains. Pandemics are a good example of residual supply chain risk that remains despite mitigation efforts.
  • Construction. Safety measures, including the use of personal protective equipment, safety inspections and structural engineering reviews, are used to lower the inherent risks that construction companies face. Despite these controls, residual risks remain from unexpected conditions, extreme weather events and undetected structural issues.

How is residual risk calculated?

A classic residual risk formula might look like this:

Residual risk = inherent risk - impact of risk controls

As an example, consider a risk assessment of a ransomware outbreak in a specific business unit. The organization concludes that, in a perfect storm scenario, the inherent risk associated with the outbreak -- i.e., the risk present without any controls or other countermeasures applied -- could be $5 million.

With new malware detection and prevention controls, as well as an additional emphasis on backups and redundancy, the organization estimates that recovery from ransomware is possible in almost all cases without paying a ransom and waiting for decryption. The cost of all software and controls is $3 million.

The residual risk formula would then look like this:

Residual risk = $5 million (inherent risk) - $3 million (impact of risk controls)

In this case, the residual, or leftover, risk is roughly $2 million.

In a more qualitative risk assessment, imagine that the inherent risk score calculated for a new software implementation is 8 out of 10. By putting firewalls and host-based controls in place, among others, the score is reduced to 3 out of 10. In this scenario, the reduced risk score of 3 represents the residual risk.

Strategies for managing residual risk

Residual risk management comes down to the organization's willingness to adjust the acceptable level of risk in any given scenario. For any residual risk present, organizations can do the following:

  • Nothing. Assuming that the residual risk is below the acceptable level of risk in any endeavor, organizations can simply accept that the implemented controls have proved effective enough to reduce the risk to an acceptable level.
  • Update or increase controls implemented. In the case that residual risk is still above an acceptable risk level, new or modified controls and processes might be needed to reduce the inherent risk to a level that is deemed acceptable.
  • Evaluate controls vs. mitigation costs. In the case where the residual risk is still beyond the acceptable level of risk and the cost of the needed controls and countermeasures is too high, organizations might have to accept the risk, regardless of what residual risk remains.
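The following is an added example, not code from the original page or its author. It encodes the page's formula (residual risk = inherent risk - impact of risk controls) for both the quantitative ($5 million ransomware) and qualitative (8 out of 10 software implementation) cases above, and then applies the three treatment options from the strategies list: accept when residual risk is within appetite, strengthen controls when it is not and a further control is affordable, or accept it when the extra control costs more than the organization is willing to spend. The risk appetite thresholds, control costs, candidate controls, the phishing risk and all names in the register are constructed for illustration; "impact" is taken to mean a control's estimated reduction of the risk, expressed in the same unit as the inherent risk.

```python
"""Residual-risk register with treatment decisions (added example, not from the page)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    ACCEPT = "accept"            # residual risk within appetite: do nothing further
    STRENGTHEN = "strengthen"    # residual above appetite and an extra control is affordable
    ACCEPT_COST = "accept_cost"  # residual above appetite but the extra control costs too much


@dataclass
class Control:
    name: str
    impact: float  # estimated reduction of the risk, same unit as the inherent risk
    cost: float    # implementation cost (constructed currency amounts below)


@dataclass
class Risk:
    name: str
    inherent: float                            # exposure with no controls applied
    applied: List[Control] = field(default_factory=list)

    def residual(self) -> float:
        """Residual risk = inherent risk - impact of risk controls, floored at zero."""
        total_impact = sum(c.impact for c in self.applied)
        return max(self.inherent - total_impact, 0.0)


def choose_treatment(risk: Risk, appetite: float,
                     candidate: Optional[Control], budget: float) -> Treatment:
    """Map the page's three options onto a residual risk, an appetite threshold,
    an optional additional control and the money still available for controls."""
    if risk.residual() <= appetite:
        return Treatment.ACCEPT
    if candidate is not None and candidate.cost <= budget:
        return Treatment.STRENGTHEN
    return Treatment.ACCEPT_COST


def treat(risk: Risk, appetite: float,
          candidate: Optional[Control], budget: float) -> Tuple[Treatment, float]:
    """Decide, apply the candidate control when strengthening, return the outcome."""
    decision = choose_treatment(risk, appetite, candidate, budget)
    if decision is Treatment.STRENGTHEN:
        risk.applied.append(candidate)  # the new control now reduces the residual
    return decision, risk.residual()


def run_register() -> Dict[str, Tuple[Treatment, float]]:
    """Constructed register: the page's two worked examples plus one extra risk."""
    # Quantitative case from the page: $5M inherent, $3M impact of controls.
    ransomware = Risk("ransomware", 5_000_000,
                      [Control("malware detection + backups", 3_000_000, 3_000_000)])
    # Qualitative case from the page: score 8/10 reduced to 3/10.
    software = Risk("software rollout", 8,
                    [Control("firewalls + host-based controls", 5, 0)])
    # Constructed extra risk: residual stays above appetite and the next control is too costly.
    phishing = Risk("phishing", 1_200_000,
                    [Control("email filtering", 500_000, 150_000)])

    return {
        # appetite $2.5M (constructed): residual $2M is within it -> accept
        ransomware.name: treat(ransomware, 2_500_000, None, 0),
        # appetite 2/10 (constructed): residual 3 exceeds it, a 1.5-point control
        # costing 40k fits a 50k budget -> strengthen, residual drops to 1.5
        software.name: treat(software, 2, Control("code review gate", 1.5, 40_000), 50_000),
        # appetite $500k (constructed): residual $700k exceeds it, but the $400k
        # control does not fit the $250k budget -> accept the residual risk
        phishing.name: treat(phishing, 500_000,
                             Control("hardware security keys", 300_000, 400_000), 250_000),
    }


if __name__ == "__main__":
    for name, (decision, residual) in run_register().items():
        print(f"{name:18} {decision.value:12} residual={residual}")
```

The appetite threshold is the organization's stated willingness to carry risk, so the decision logic is only as good as that number; revisit it when controls change, since strengthening one control (as in the software case) changes the residual that later decisions compare against.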

In general, when addressing residual risk, organizations should take the following steps:

  1. Identify relevant governance, risk and compliance requirements.
  2. Determine the strengths and weaknesses of the organization's control framework.
  3. Acknowledge existing risks.
  4. Define the organization's risk appetite.
  5. Identify available options for offsetting unacceptable residual risks.

Residual risk is difficult to eliminate entirely.

