What type of risk remains after the implementation of new or enhanced controls?


seenagape, September 29, 2014

Fill in the blank with the appropriate phrase. The ____________ is the risk that remains after the implementation of new or enhanced controls.

Answer: residual risk



Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.

Residual risk matters for several reasons. The first is that residual risk is the risk "left over" after security controls and process improvements have been applied, so it is the risk an organization has chosen to live with through its mitigation decisions. Alternatively, the organization can transfer the residual risk, for example by purchasing cyber insurance to offload part of it to an insurer.

A second reason is compliance and regulatory requirements: ISO/IEC 27001, for example, requires that residual information security risks be determined and formally accepted by their risk owners. Finally, calculating residual risk shows where the remaining exposure is largest, which is what determines which security controls and processes get priority over time.

Residual risk vs. inherent risk

To calculate residual risk, organizations must understand the difference between inherent risk and residual risk.

Inherent risk is the risk present in a scenario before any mitigation has been attempted, that is, before any controls or other measures have been applied to bring the risk down from its initial level to a level the organization finds acceptable.

Residual risk, as stated, is the risk remaining after efforts have been made to reduce the inherent risk.

How is residual risk calculated?

A classic residual risk formula looks like this:

Residual risk = inherent risk - impact of risk controls

As an example, consider a risk analysis of a ransomware outbreak in a specific business unit. The organization concludes that, in a perfect storm scenario, the inherent risk associated with the outbreak -- i.e., the risk present without any controls or other countermeasures applied or implemented -- could be $5 million.


With new malware detection and prevention controls, as well as an additional emphasis on backups and redundancy, the organization estimates that recovery from ransomware is possible in almost all cases without paying a ransom and waiting for decryption. It estimates that these controls reduce the expected loss from the outbreak by $3 million. Note that this is the risk reduction the controls deliver, not what they cost to buy and operate; the purchase and operating cost is a separate figure that belongs in a cost-benefit comparison, not in the residual risk subtraction.

The residual risk formula would then look like this:

Residual risk = $5 million [inherent risk] - $3 million [impact of risk controls]

In this case, the residual, or leftover, risk is roughly $2 million.

In a more qualitative risk assessment, imagine that the inherent risk score calculated for a new software implementation is 8 out of 10. By putting firewalls and host-based controls in place, among others, the score is reduced to a 3 out of 10. In this scenario, the reduced risk score of 3 represents the residual risk.
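The following is an added worked example, not code from the original article. It models inherent risk as annualized loss expectancy (single-loss expectancy times annual rate of occurrence), lets each control remove a fraction of likelihood or impact, and reports residual risk, the risk reduction (the "impact of risk controls" term above), and the controls' cost as separate figures. The scenario name, control names, reduction factors and dollar amounts are constructed for illustration and are not taken from the article.

```python
"""Worked residual-risk calculation: inherent risk -> controls -> residual risk.

Added example, not from the original article. Dollar figures are constructed.
Inherent risk is modelled as annualized loss expectancy (ALE = SLE * ARO).
Each control removes a fraction of likelihood (ARO) and/or impact (SLE); what
is left is the residual risk. A control's cost is tracked separately from the
risk it removes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A risk treatment. The reduction factors are fractions in [0, 1] of the
    likelihood (ARO) or impact (SLE) the control removes. annual_cost is what
    the control costs to run; it is never subtracted from the risk itself."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0

    def __post_init__(self) -> None:
        for v in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: reduction factors must be in [0, 1]")
        if self.annual_cost < 0:
            raise ValueError(f"{self.name}: cost cannot be negative")


@dataclass
class Scenario:
    """One risk scenario, e.g. a ransomware outbreak in a business unit."""
    name: str
    sle: float  # single-loss expectancy: cost of one occurrence, in dollars
    aro: float  # annual rate of occurrence: expected events per year
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        """ALE with no controls applied."""
        return self.sle * self.aro

    def residual_risk(self) -> float:
        """ALE after every control has taken its share of likelihood and impact.
        Factors multiply, so two 50% controls leave 25%, not 0%, and the result
        can never go below zero, unlike a naive 'inherent minus cost' subtraction."""
        sle, aro = self.sle, self.aro
        for c in self.controls:
            aro *= 1.0 - c.likelihood_reduction
            sle *= 1.0 - c.impact_reduction
        return sle * aro

    def risk_reduction(self) -> float:
        """The 'impact of risk controls' term: inherent minus residual."""
        return self.inherent_risk() - self.residual_risk()

    def control_cost(self) -> float:
        """Total annual cost of the controls (a budget figure, not a risk figure)."""
        return sum(c.annual_cost for c in self.controls)

    def net_benefit(self) -> float:
        """Risk removed minus what the controls cost; negative means the
        controls cost more than the loss they avert."""
        return self.risk_reduction() - self.control_cost()


def treatment_decision(residual: float, risk_appetite: float) -> str:
    """Residual risk at or below the appetite is accepted; anything above it
    needs further mitigation or transfer (e.g. cyber insurance)."""
    return "accept" if residual <= risk_appetite else "mitigate further or transfer"


def ransomware_example() -> Scenario:
    """Constructed scenario: a $5M worst-case outbreak expected once a year."""
    return Scenario(
        name="ransomware outbreak, business unit A",
        sle=5_000_000.0,
        aro=1.0,
        controls=[
            # Hypothetical controls and figures, not taken from the article.
            Control("EDR + mail filtering", annual_cost=1_500_000.0,
                    likelihood_reduction=0.5),
            Control("offline backups + tested restore", annual_cost=500_000.0,
                    impact_reduction=0.2),
        ],
    )


if __name__ == "__main__":
    s = ransomware_example()
    print(s.name)
    print(f"  inherent risk : ${s.inherent_risk():,.0f}")
    print(f"  residual risk : ${s.residual_risk():,.0f}")
    print(f"  risk reduction: ${s.risk_reduction():,.0f}")
    print(f"  control cost  : ${s.control_cost():,.0f}")
    print(f"  net benefit   : ${s.net_benefit():,.0f}")
    print(f"  decision vs $1M appetite: "
          f"{treatment_decision(s.residual_risk(), 1_000_000.0)}")
```

With the constructed figures the two controls cut the $5 million inherent risk to $2 million of residual risk, a $3 million reduction, while costing $2 million a year to run; keeping those two $3 million and $2 million figures apart is the point of the separate `risk_reduction()` and `control_cost()` methods. Against a $1 million risk appetite the $2 million residual still has to be mitigated further or transferred.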

How is residual risk managed?

Managing residual risk comes down to the organization's willingness to adjust the acceptable level of risk in any given scenario. For any residual risk present, organizations can do the following:

Which type of risk refers to the risk that remains even after controls are implemented?

Residual risk is the risk that remains after controls are accounted for. It's the risk that remains after your organization has taken proper precautions.

What is defined as the remaining risk after the controls have been identified?

Residual Risk – Risk remaining after controls have been identified, selected, and implemented.

Which risk is the risk before controls are applied?

Inherent Risk is typically defined as the level of risk in place in order to achieve an entity's objectives and before actions are taken to alter the risk's impact or likelihood. Residual Risk is the remaining level of risk following the development and implementation of the entity's response.
