Glossary

Residual Risk
Residual risk is the portion of risk remaining after reduction and mitigation efforts to address inherent risks (i.e., the initial level of risks) have been implemented. In other words, it is the probability that a cyber event will still occur despite the risk management strategies in place.

This definition may be a mouthful, but we will dive deeper into residual risk and its related concepts in the succeeding sections.

Residual Risk: A Deep Dive

Deeper Definition of Residual Risk

Even with the best risk management practices in place, modern threats emerge, new vulnerabilities are discovered, and business situations change. All these events pose risks to an organization. For one, reliance on third-party vendors and suppliers is increasingly expanding the attack surfaces of organizations, significantly adding to their risk exposure.

It is important to understand that eliminating all risks is exceptionally difficult, if not impossible. There will always be some level of risk left, making residual risk dynamic. For example, residual risk in cybersecurity can include the risk of a cyber attack even after implementing robust firewalls and intrusion detection systems (IDSs).

The acceptable level of residual risk may vary, depending on factors like an organization’s risk tolerance, the potential impact of the remaining risk, and the cost of further mitigation.

Significance of Residual Risk in Risk Management

Residual risk is a normal part of the risk management process. Acknowledging its presence allows organizations to be realistic about their risk exposure, preventing complacency and encouraging a proactive approach.

Role of Residual Risk in Cybersecurity

In cybersecurity, understanding and preparing for residual risk helps organizations build cyber resilience, reducing potential damage and enabling quicker recovery. Resilience is paramount in the current threat landscape, where sophisticated cyber attacks have become more prevalent.

Tracking residual risk guides an organization’s resource allocation, a welcome advantage given the global shortage of cybersecurity professionals. Aside from focusing on high-impact risks that can be reduced or mitigated, security teams can also work on the areas where residual risk is highest and most severe.

Furthermore, knowing about residual risk helps business leaders make informed decisions.

Impact on Business Operations

Residual risks can significantly affect business operations, making it essential to monitor and prepare for them. Organizations need to have contingency plans in place specifically targeting residual risks. Neglecting to do this can result in:

  • Operational disruptions, which can include delays or the complete halt of critical business processes
  • Financial losses from data breaches, system downtime, or legal liabilities
  • Reputational damage that can lead to loss of customers and brand value
  • Regulatory fines stemming from noncompliance with industry regulations

Inherent versus Residual Risk

Inherent risk is the level of unmitigated risk before any security measure is put in place, while residual risk is what remains after implementing security controls and risk mitigation strategies.

For example, a company collects and stores highly sensitive customer data without encryption, access control, or any security measure. The inherent risk of a data breach will be extremely high.

When that same company implements strong encryption, strict access control, employee training, and other security best practices, the risk is much lower but not zero. There is still a residual risk of a data breach that stems from undetected vulnerabilities or unforeseen threats.

Key Differences Explained

Inherent risk is your starting point, while residual risk is what’s left after you have acted. Their key differences lie in the presence of security controls, the risk level, and the focus. The table below describes these differences.

| Differences       | Inherent Risk                         | Residual Risk                                       |
|-------------------|---------------------------------------|-----------------------------------------------------|
| Security controls | No controls in place                  | Controls are already implemented                    |
| Risk level        | Highest level of risk                 | Lower level of risk                                 |
| Focus             | Identifying the natural level of risk | What remains after efforts to reduce inherent risks |

Calculating Residual Risk

The simplified formula for calculating residual risk is:

Residual risk = Inherent risk - Impact of risk controls

This formula is more conceptual than mathematical, since the effectiveness of internal controls can be difficult to quantify. In addition, risks are often qualitative (i.e., high, medium, and low).

Still, the formula above is a good starting point to understand how to calculate residual risk. Diving deeper, we can compute residual risk by following the steps below.

Step 1. Identify and Assess the Inherent Risk

Determine the initial level of risk before any control is implemented, which involves detecting vulnerabilities using vulnerability scanners or external attack surface management (EASM) platforms.

Risk analysis then follows, where the identified vulnerabilities are assessed in terms of potential impact and exploitability. Impact refers to the negative consequences if the risk event occurs, while exploitability considers how easily an attacker can take advantage of the vulnerability. A risk with high impact and high exploitability should naturally be accorded the highest priority.

For instance, vulnerabilities with a high to critical severity rating based on the Common Vulnerability Scoring System (CVSS) are concerning. They become even more alarming when found in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, since those vulnerabilities are actually being exploited in the real world.

Figure 1: Issues dashboard showing high severity vulnerabilities detected on the CISA KEV catalog.

Step 2. Evaluate Security Measures

The next step is generally assessing the effectiveness of the control measures implemented to mitigate inherent risks. This process involves creating a comprehensive list of all security measures you have in place and evaluating them using metrics and key performance indicators (KPIs).

For example, security teams may want to track the number of attempted intrusions blocked by the firewall, the number of successful phishing email attempts, and the time it takes to patch vulnerabilities.

Step 3. Compute Residual Risk

Use the residual risk formula above (Residual risk = Inherent risk - Impact of security measures) to compute the risk score.

If the inherent risk has a score of 10 and the security control reduces the risk by 70%, the residual risk would be 3 (10 - 10 × 70% = 3). Generally, a risk score of up to 3 is considered low; anything beyond that is medium (4-6) or high (7 and above).

Step 4. Reassess and Adjust

Calculating the residual risk is an ongoing process. Regularly review and reassess both inherent and residual risks, as well as the effectiveness of control measures. Security controls may need to be adjusted from time to time to ensure they remain effective.

Common Examples of Residual Risks

Residual risks exist in many areas of cybersecurity. Below are some of the most recurring examples of residual risks.

Third-Party Data Breaches

Most entities share data with third-party vendors, such as suppliers and cloud service providers. Organizations can implement strong supply chain security, conduct security assessments, and require compliance and stringent contracts from their vendors as a way to mitigate third-party risks.

However, they cannot completely control the vendors’ security posture. There is always the residual risk that a third party may suffer a breach and expose the organization’s data.

Insider Threats

Employees, contractors, and other entities with legitimate access to an organization’s systems can pose risks, such as human error, data theft, and espionage. While these risks can be mitigated by implementing background checks, strict access controls, and security awareness training, someone with authorized access can still make a mistake or go rogue.

In fact, a report revealed that 83% of organizations reported at least one insider attack in 2024.

System Vulnerabilities

Even with rigorous vulnerability scanning, patching, and management, there’s always a chance of zero-day or otherwise undiscovered vulnerabilities being exploited. On top of this is the complexity of modern IT systems, which makes it difficult to secure every component. All these factors contribute to an organization’s residual risks. Shadow IT, for example, can create hidden assets, each with its own vulnerabilities.

Ransomware Attacks

Even with the strongest security measures, there is always a chance that a sophisticated ransomware attack can bypass cyber defenses. It can be through a system vulnerability, human error, or zero-day exploitation.

Regardless of attack vector, it is important to consider ransomware as a residual risk to emphasize the need for multiple layers of security and the importance of incident response planning.

Types of Residual Risks

Residual risks can be categorized into four—operational, financial, strategic, and compliance risks.

Operational Risk

Operational risk refers to potential losses arising from an organization’s daily activities and processes. These risks can stem from several factors, including human error, system failure, and cyber events.

Employees can still make mistakes even with training and clear operational procedures. Critical equipment may unexpectedly malfunction despite regular maintenance. Meanwhile, cyber attacks have become the most common culprit behind operational downtime, compounding the risks businesses must navigate.

Additionally, operational risks can arise from external events outside an organization’s direct control, such as natural disasters or supply chain disruptions.

Financial Risk

Financial risk involves the potential for negative impact on an organization’s finances. While robust financial controls and risk management programs can eliminate a certain portion of financial risk, residual risk persists because of the inherent unpredictability of financial markets and economic conditions. Some examples of financial risk include:

  • Market fluctuations
  • Credit default
  • Fraud
  • Liquidity problems

Cyber threats also pose significant financial risk, with the International Monetary Fund (IMF) revealing that financial losses due to cyber incidents have increased by more than 400% since 2017 to US$2.5 billion.

Strategic Risk

Strategic risks threaten an organization’s ability to achieve long-term objectives.

These risks stem from uncertainties in the external environment and can significantly impact future performance. For example, even with extensive market research and strategic planning, shifts in consumer preferences can unexpectedly decrease demand for an organization’s products or services. Similarly, the introduction of new technologies or disruptive competitors can rapidly erode existing market share.

Malicious attacks can also pose a strategic risk to organizations. AI platform DeepSeek, for example, had to temporarily stop new user registrations due to a large-scale malicious attack, potentially delaying DeepSeek’s market expansion.

Compliance Risk

Compliance risk arises from an organization’s failure to adhere to the compliance requirements of applicable laws and regulations, potentially leading to legal penalties and reputational damage. Compliance risk can stem from several factors, such as regulatory changes, cyber incidents, and human error.

Organizations may employ proactive measures like regular policy reviews and employee training to help achieve and maintain compliance. However, they cannot eliminate all compliance risks.

A glaring example is the penalty imposed by the US Securities and Exchange Commission (SEC) on four companies for violating regulatory requirements on disclosure during the SolarWinds supply chain attack.

Best Practices for Managing Residual Risk

Effectively managing residual risk in cybersecurity requires a proactive and comprehensive approach. Here are some best practices to consider.

Risk Transfer and Acceptance

As previously mentioned, eliminating all risks is not entirely possible. Hence, organizations can transfer residual risks to a third party where appropriate, such as by using insurance. Furthermore, organizations may need to accept some level of risk, specifically certain low-impact, low-likelihood risks. Risk acceptance means you’re willing to take on the potential consequences if the risk becomes a reality.

Figure 2: The Accepted Risk window listing the vulnerabilities acceptable to the organization.

Technology Usage

Use EASM and other security platforms embedded with advanced technologies like artificial intelligence (AI) and machine learning (ML) to enhance risk detection and response capabilities.

These tools can automatically catalog an organization’s assets, including those that may be unknown or forgotten. They also perform continuous vulnerability scanning and prioritization, allowing for regular identification of residual risk. 

Continuous Residual Risk Assessment

Regularly reassess both inherent and residual risks to stay updated on new threats and vulnerabilities. As much as possible, use a consistent methodology in evaluating the exploitability and impact of risks (e.g., CISA KEV and CVSS).

Residual Risk Prioritization

Prioritization of residual risk is a key element in effective risk management. While residual risks are what remain after initial efforts to reduce risks, they are still a threat and need to be managed diligently.

Just like inherent risks, there needs to be a structured ranking process of residual risks. This normally entails comparing each risk against two main criteria—severity and exploitability. The risk appetite of the organization might also be factored in, dictating which residual risks are tolerable and which need to be further mitigated.
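A worked example covering the four calculation steps above (Calculating Residual Risk) and this prioritization section, added here and not part of the original page: it scores a constructed set of findings with the formula and bands given in the text (an inherent score of 10 with 70% effective controls gives 3, low), then ranks the residual scores and splits them against an assumed risk appetite. The `Finding` fields, the rule that a CISA KEV listing pins the inherent score to 10, and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:                 # one scanner/EASM finding (assumed structure)
    name: str
    cvss: float                # CVSS base score, 0-10
    in_kev: bool               # listed in the CISA KEV catalog
    control_effect: float      # fraction of inherent risk the controls remove, 0-1

def inherent_score(f: Finding) -> float:
    # Assumption: a KEV listing means real-world exploitation, so the inherent
    # score is pinned to the maximum regardless of the CVSS number.
    return 10.0 if f.in_kev else f.cvss

def residual_score(inherent: float, control_effect: float) -> float:
    # Residual risk = Inherent risk - Impact of security measures
    if not 0.0 <= control_effect <= 1.0:
        raise ValueError("control effectiveness must be a fraction from 0 to 1")
    return round(inherent - inherent * control_effect, 2)

def risk_band(score: float) -> str:
    # Bands from the text: up to 3 low, 4-6 medium, 7 and above high
    # (fractional scores between the bands fall into the higher band).
    if score <= 3:
        return "low"
    return "medium" if score < 7 else "high"

def prioritize(findings, risk_appetite):
    """Rank by residual score (KEV first on ties); split into mitigate vs. accept."""
    rows = []
    for f in findings:
        inh = inherent_score(f)
        res = residual_score(inh, f.control_effect)
        rows.append({"name": f.name, "inherent": inh, "residual": res,
                     "band": risk_band(res), "kev": f.in_kev})
    rows.sort(key=lambda r: (-r["residual"], not r["kev"]))
    mitigate = [r for r in rows if r["residual"] > risk_appetite]
    accept = [r for r in rows if r["residual"] <= risk_appetite]
    return mitigate, accept

# Constructed sample findings; names, scores and control effectiveness are illustrative.
SAMPLE = [
    Finding("legacy-vpn-gateway", 7.5, True, 0.3),    # KEV-listed, weak compensating controls
    Finding("customer-db-at-rest", 10.0, False, 0.7),  # the 10 -> 3 case from the text
    Finding("intranet-wiki", 6.1, False, 0.4),
]

if __name__ == "__main__":
    mitigate, accept = prioritize(SAMPLE, risk_appetite=3.0)
    for r in mitigate + accept:
        print(r["name"], r["residual"], r["band"], "mitigate" if r in mitigate else "accept")
```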

Comprehensive Incident Response Planning

Certain residual risks cannot be avoided and will ultimately occur. Thus, planning for the unavoidable through thorough incident response plans is important as they help minimize the impact of these potential events.

Incident response plans must specify detailed procedures for detection, containment, and recovery from incidents. They must also specify roles and responsibilities, communication procedures, and escalation procedures to facilitate a coordinated and effective response.

But having a plan on paper is not enough. Periodic testing of these plans through exercises and drills is required so that teams become familiar with the procedures and any gap or weakness in the plan is found.

Foster a Risk-Aware Culture

Employees at all levels should understand the importance of risk management and recognize their individual roles in identifying and mitigating potential threats. Education and training programs should emphasize the organization’s risk appetite, the types of risk it faces, and its established risk management processes.

Creating a culture where employees feel comfortable reporting potential risks without fear of reprisal is equally important. A safe reporting environment encourages open communication and allows for the early detection of potential security threats.

Key Takeaways

  • Residual risk is the portion of risk remaining after implementing risk reduction and mitigation efforts against inherent risks.
  • Eliminating all risks is nearly impossible, so some residual risk is always present.
  • Recognizing and managing residual risk is crucial for cyber resilience.
  • Inherent risk is the risk before any control is put in place, while residual risk is what remains after implementing controls.
  • Residual risk is often calculated using the formula: Residual risk = Inherent risk - Impact of security measures.