Importance of Residual Risk

The term ‘residual risk’ is mandatory in the risk management process according to ISO 27001, but is unfortunately very often used without appreciating the real meaning of the concept. According to ISO 27001, residual risk is “the risk remaining after risk treatment”.

How it works:

  • First, we identify the risks.
  • Then we mitigate (i.e. treat) the risks we find unacceptable.
  • Treating the risks never eliminates them completely, because that is simply not possible.
  • Some risk therefore remains at a certain level, and this remaining risk is the residual risk.

The point is that the organization needs to know exactly whether the planned treatment is enough or not. Residual risks are usually assessed in the same way as the initial risk assessment – we use the same methodology and the same assessment scales. It is also important to note that the enterprise architect may identify the risks and mitigate certain ones, but it is within the governance framework that risks have to be first accepted and then managed.

There are two levels of risk that should be considered, namely:

  • Initial Level of Risk: Risk categorization prior to determining and implementing mitigating actions.
  • Residual Level of Risk: Risk categorization after implementation of mitigating actions (if any).

How is it related to the acceptable level of risk?

The acceptable level of risk is nothing else but a decision about how much ‘risk appetite’ an organization has. In other words, does management think it is fine for the company to operate in a high-risk environment, where it is much more likely that something will happen, or does management want a higher level of security and therefore a lower level of risk?

Residual risk management: Once we know what the residual risks are, what do we do with them? Basically, we have these three options:

  • If the level of risk is below the acceptable level of risk, then do nothing – but management needs to formally accept those risks.
  • If the level of risk is above the acceptable level of risk, then we need to find new (and better) ways to mitigate those risks – which also means we will need to reassess the residual risks.
  • If the level of risk is above the acceptable level of risk, and the cost of decreasing such risks would be higher than the impact itself, then we need to propose to management that it accept these high risks.
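The procedure above (assess on a shared scale, treat, reassess the residual level on the same scale, then compare it to the risk appetite and pick one of the three options) can be written down as a small risk register evaluator. The following is an added example, not code from the original article or from any ISO 27001 toolkit; the 1–5 likelihood and impact scales, the appetite value of 6, the sample risks and their cost and loss figures are all constructed assumptions chosen to produce one risk per outcome.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed 1-5 qualitative scales. The same two scales score the initial
# assessment and the residual reassessment, which is what the article requires.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The three options from the article.
ACCEPT = "accept: management formally accepts the residual risk"
TREAT_FURTHER = "treat further and reassess the residual risk"
PROPOSE_ACCEPTANCE = "propose that management accept the high risk (treatment cost exceeds impact)"


@dataclass
class Risk:
    ident: str
    likelihood: str                              # initial assessment
    impact: str
    residual_likelihood: Optional[str] = None    # after planned treatment; None = unchanged
    residual_impact: Optional[str] = None
    further_treatment_cost: float = 0.0          # cost of the next, stronger mitigation (constructed)
    expected_loss: float = 0.0                   # estimated loss if the risk materialises (constructed)


def score(likelihood: str, impact: str) -> int:
    """Risk level = likelihood x impact on the shared scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def initial_level(risk: Risk) -> int:
    """Level before any mitigating action."""
    return score(risk.likelihood, risk.impact)


def residual_level(risk: Risk) -> int:
    """Level after the planned treatment; a rating the treatment does not change keeps its initial value."""
    return score(risk.residual_likelihood or risk.likelihood,
                 risk.residual_impact or risk.impact)


def decide(risk: Risk, appetite: int) -> str:
    """Apply the article's three options to one risk, given the accepted risk appetite."""
    if residual_level(risk) <= appetite:
        return ACCEPT
    if risk.further_treatment_cost > risk.expected_loss:
        return PROPOSE_ACCEPTANCE
    return TREAT_FURTHER


def evaluate(register: List[Risk], appetite: int) -> Dict[str, Tuple[int, int, str]]:
    """Map each risk id to (initial level, residual level, decision)."""
    return {r.ident: (initial_level(r), residual_level(r), decide(r, appetite)) for r in register}


# Constructed sample register; an appetite of 6 means levels up to 6 are acceptable.
SAMPLE_REGISTER = [
    Risk("R1 laptop theft", "likely", "moderate",
         residual_likelihood="possible", residual_impact="minor"),          # encryption + asset tracking
    Risk("R2 ransomware", "almost_certain", "severe",
         residual_likelihood="possible", residual_impact="major",
         further_treatment_cost=50_000, expected_loss=400_000),             # backups + EDR, more is affordable
    Risk("R3 server room flood", "unlikely", "severe",
         further_treatment_cost=2_000_000, expected_loss=500_000),          # second site costs more than the loss
]
APPETITE = 6

if __name__ == "__main__":
    for ident, (initial, residual, decision) in evaluate(SAMPLE_REGISTER, APPETITE).items():
        print(f"{ident}: initial={initial} residual={residual} -> {decision}")
```

When the second option is chosen, the stronger treatment is recorded by updating `residual_likelihood` and `residual_impact` on the same scales and running `evaluate` again, which is the reassessment loop the article describes; the register only leaves the loop through formal acceptance by management.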
