Hard2bit

Residual risk

What is residual risk?

The level of risk that remains in an organization after implementing controls and mitigation measures. It is the risk the organization accepts consciously or unconsciously as part of operations.

Why it matters

Understanding and managing residual risk is critical because:

Realistic management: assuming all risks can be eliminated is unrealistic. Identifying residual risks forces prioritization where resources matter most.

Regulatory compliance: ISO 27001, NIS2, DORA, and ENS require documenting accepted residual risks. Without this documentation, there is no compliance.

Legal accountability: if an incident occurs and the organization had not identified or accepted the residual risk, the personal liability of executives is greater.

Investment decisions: knowing the residual risk helps prioritize where to invest in new controls for maximum impact.

Stakeholder confidence: demonstrating that residual risk has been evaluated and that a conscious decision has been made increases the confidence of boards, customers, and investors.

Key points

Must be formally documented in risk registers or risk/control matrices.

Acceptance of residual risk must be deliberate and authorized by executive leadership or the CISO.

Not all residual risks are acceptable; those with high criticality require additional controls or alternative mitigation.

Residual risk changes over time: new threats increase risk, new controls reduce it.

Low residual risk does not mean absence of risk; it still requires continuous monitoring and review.

The difference between accepted residual risk and negligence is whether the organization has explicitly documented and authorized that acceptance.

Example of residual risk

A bank identifies that a legacy system contains known vulnerabilities. The inherent risk of exploitation is critical. Controls are implemented: network segregation, intensive monitoring, and access restrictions. Risk is reduced from critical to medium-high. That medium-high level is the residual risk the bank formally accepts, because replacing the legacy system would cost 50 million euros and the current controls are reasonably effective.

Another example: a company identifies that employees have access to sensitive data. The inherent risk of exfiltration is high. Controls are implemented: DLP, access auditing, and training. Residual risk drops to low-medium, which the company accepts because completely eliminating all access is not operationally viable.

Frequently asked questions

What is the difference between inherent risk and residual risk?

Inherent risk is the risk without controls. Residual risk is the risk after applying controls. The difference between them is the impact of the implemented controls.

Who should approve acceptance of residual risk?

Acceptance should be authorized by executive leadership, the CISO, or an equivalent role, depending on criticality. In large organizations, the board may need to be aware of very high residual risks.

Does low residual risk mean there is no risk?

No. Low residual risk means risk is minimal, but not zero. It still requires continuous monitoring because changing circumstances may alter that balance.

How is residual risk formally documented?

Through risk/control matrices, accepted risk registers, meeting minutes authorizing acceptance, or risk policies. Documentation should include what risk is being accepted, why it is accepted, who authorizes it, and when it will be re-evaluated.

What happens if an accepted residual risk is not documented?

Personal liability of executives increases before regulators or in litigation. Regulators may consider the lack of documentation of known risks to be negligence.