Glossary · Compliance concepts

What is Residual Risk?

Also known as: Remaining Risk, Net Risk, Accepted Risk

Residual risk is the risk that remains after controls and other treatments have been applied. No safeguard eliminates risk entirely, so a measurable amount persists, and leadership must formally decide to accept, further treat, or transfer it. Documenting and accepting residual risk is a core requirement of risk-based frameworks like ISO 27001.

Key takeaways

  • Residual risk is what is left after controls reduce inherent risk.
  • It can almost never be driven to zero, only to an acceptable level.
  • Leadership must formally accept residual risk, usually in writing.
  • ISO 27001 requires documented residual risk acceptance by risk owners.
  • Residual risk should be reviewed as threats and controls change.

Inherent risk versus residual risk

Inherent risk is the exposure that exists before any control is applied. Once controls reduce that exposure, what remains is residual risk. The difference between the two is a useful measure of how much a control program actually buys.

Reducing residual risk is the goal of risk treatment, which selects and applies controls to bring exposure within an organization's risk appetite.

Crucially, residual risk is rarely zero. Even strong controls have limits, and pushing risk lower eventually costs more than the reduction is worth.

Why residual risk must be formally accepted

Once an organization has treated a risk as far as is practical, someone with authority has to decide whether the leftover exposure is tolerable. That decision is risk acceptance, and it is a deliberate management act rather than a technical one.

Under ISO 27001, organizations must obtain risk owners' approval of the residual information security risks and document that acceptance. This creates accountability and an audit trail.

Accepting residual risk without documentation is a common audit finding, because it leaves no evidence that leadership knowingly took on the exposure.

Keeping residual risk current

Residual risk is not static. New threats, system changes, and failing controls can all raise it, while new safeguards can lower it. A control that was effective last year may have drifted out of compliance today.

This is where continuous control monitoring helps: by detecting control drift early, it keeps the residual risk picture honest rather than letting it quietly grow between annual reviews.

  • Reassess residual risk when controls change or fail.
  • Re-evaluate when new threats or assets enter scope.
  • Re-confirm acceptance on a defined cadence, not just once.
  • Tie residual risk back to the specific controls that influence it.

Frequently asked questions

Can residual risk ever be reduced to zero?
Practically never. Controls reduce risk but cannot eliminate it, and the cost of chasing the last increment usually outweighs the benefit. The goal is to bring residual risk within the organization's risk appetite.
Who is allowed to accept residual risk?
Acceptance must come from someone with the authority to own the risk, typically a designated risk owner or senior leader. Frameworks like ISO 27001 require this acceptance to be documented.
What is the difference between accepting and transferring residual risk?
Accepting means the organization retains the leftover risk, while transferring shifts some of it elsewhere, for example through insurance or a contractual arrangement. Both are valid treatment outcomes.
How does residual risk relate to compensating controls?
A compensating control rarely matches the original requirement exactly, so it often leaves additional residual risk that leadership must explicitly understand and accept.

Authoritative sources

← Back to the glossary