How Can We Help?
Residual Risk
What is Residual Risk?
What is Residual Risk?Residual risk is the risk that remains after efforts to reduce risk have been taken. It can apply to events, actions, or disasters. this risk includes insurance and regulation.
Definitions
The remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat.
SOURCE: SP 800-33
Portion of risk remaining after security measures have been applied.
SOURCE: CNSSI-4009; SP 800-30
Other Definitions: UN Disaster Risk Reduction
How does it occur?
Inherent risk: These are the risks that exist before any controls are put in place
Risk controls: Safeguards, guidelines, or safety measures that are put in place to reduce risk
Residual risk: The risk that remains after controls are put in place
Examples
In cybersecurity, it could be security gaps that remain even after security measures are implemented
- In project management, they could be a hidden fee for a rental item.
- In insurance, silent cyber is a concept that describes language or sublimits that reduce coverage.
- In regulatory compliance, fines for not filing or not complying may be this form of risk.
Managing it
- Organizations can track this risk and plan for it to reduce its impact
- Organizations can schedule compliance audits to ensure that these risks are managed
- Organizations can develop and support emergency services, preparedness, response, and recovery capacities
