Residual risk is the amount of risk associated with an action, event or situation that remains after the natural or inherent risk has been reduced by risk control measures.
ISO 27001 defines it more briefly as “the risk remaining after risk treatment”.
The general formula to calculate it is:
Residual risk = Inherent risk – Impact of control
Residual risk itself has been defined above; the other two terms in the formula are:
- Inherent risk: The amount of risk that exists in the absence of controls, or when other mitigating factors are not in place. It is also known as the risk before controls, or gross risk.
- Impact of control: The amount of risk eliminated, mitigated or hedged by the internal or external risk controls that have been applied.
If it is still not clear what residual risk is, take this example: after carrying out a risk assessment in your workplace, you adopt risk control measures to manage the risks identified. Some of those risks will remain at a certain level even after the controls are in place; that remaining level is the residual risk.
Note: Residual risks must still be managed, in the same way as the original (inherent) risk was managed.
NOTE: The purpose of assessing residual risk is to find out whether the planned treatment is sufficient.
How to manage residual risk
- If the level of residual risk is below the acceptable level of risk, then you do nothing.
- If the level of residual risk is above the acceptable level of risk, then you need to find new ways to mitigate that risk.
- If the level of residual risk is above the acceptable level of risk, and the cost of decreasing it further would be higher than the impact itself, then you need to propose to management that these risks be accepted, and record that acceptance.
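The formula and the three treatment rules above are easier to apply consistently when written down as a small risk-register routine. The following is an added example, not code from the original page or from any standard. It assumes that inherent risk and control impact are expressed in the same unit (here, expected annual loss in a currency), that the impact of several controls on one risk simply adds up as the page's subtraction formula implies, and that the "cost of decreasing the risk" is the annual cost of the next candidate control. All names, numbers and the sample register are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    reduction: float      # risk removed by this control, same unit as inherent risk
    annual_cost: float    # cost of operating the control for a year


@dataclass
class Risk:
    name: str
    inherent: float       # gross risk before any control (assumed: expected annual loss)
    controls: List[Control] = field(default_factory=list)


def residual_risk(risk: Risk) -> float:
    """Residual risk = Inherent risk - Impact of control (the page's formula).

    Impact of control is taken as the sum of the reductions of all applied
    controls (an assumption; overlapping controls would double-count).
    Clamped at zero because a control cannot remove more risk than exists.
    """
    impact_of_control = sum(c.reduction for c in risk.controls)
    return max(0.0, risk.inherent - impact_of_control)


def treatment_decision(risk: Risk, acceptable_level: float,
                       next_control: Optional[Control] = None) -> str:
    """Apply the three rules for managing residual risk.

    'accept'             residual risk is within the acceptable level: do nothing
    'mitigate'           above the level and further reduction is worth its cost
                         (or no candidate control has been identified yet, so
                         new ways to mitigate must be found)
    'propose_acceptance' above the level, but reducing it further would cost
                         more than the residual impact itself: escalate to
                         management for a documented acceptance
    """
    residual = residual_risk(risk)
    if residual <= acceptable_level:
        return "accept"
    if next_control is None:
        return "mitigate"
    if next_control.annual_cost > residual:
        return "propose_acceptance"
    return "mitigate"


def review_register(risks: List[Risk], acceptable_level: float,
                    candidates: Dict[str, Control]) -> Dict[str, tuple]:
    """Return {risk name: (residual risk, decision)} for a whole register."""
    return {
        r.name: (residual_risk(r),
                 treatment_decision(r, acceptable_level, candidates.get(r.name)))
        for r in risks
    }


# Constructed sample register (hypothetical figures, not real data).
ACCEPTABLE_LEVEL = 25_000.0  # the organisation's risk acceptance threshold

RISKS = [
    Risk("phishing credential theft", 120_000.0, [
        Control("MFA on all remote access", reduction=90_000.0, annual_cost=15_000.0),
        Control("awareness training", reduction=10_000.0, annual_cost=5_000.0),
    ]),
    Risk("ransomware on file server", 500_000.0, [
        Control("offline backups", reduction=200_000.0, annual_cost=20_000.0),
    ]),
    Risk("theft of decommissioned disks", 30_000.0, []),
]

# Next control that could be applied to each risk, if one has been identified.
CANDIDATES = {
    "ransomware on file server": Control("EDR rollout", reduction=150_000.0, annual_cost=60_000.0),
    "theft of decommissioned disks": Control("certified destruction", reduction=28_000.0, annual_cost=40_000.0),
}


if __name__ == "__main__":
    for name, (residual, decision) in review_register(RISKS, ACCEPTABLE_LEVEL, CANDIDATES).items():
        print(f"{name:32s} residual={residual:>10,.0f}  decision={decision}")
```

In the sample register the phishing risk ends up at 20,000 (below the 25,000 threshold: accept), the ransomware risk at 300,000 with a 60,000 candidate control (mitigate), and the disk-theft risk at 30,000 where the only candidate control costs 40,000 (propose acceptance to management). Two practical checks are built in: the clamp at zero stops a register from showing "negative" residual risk when reductions are over-estimated, and a risk above the threshold with no candidate control still comes out as "mitigate" rather than silently being accepted.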