Inherent vs Residual Risk

Published on: Jan 12, 2022 | Updated: Aug 27, 2025

Inherent vs. Residual Risk, and How To Manage Them

In recent years, organizations have spent a tremendous amount of effort shifting to the cloud, enhancing their digital infrastructures, and improving data accessibility. The pandemic accelerated the transition to remote work and increased reliance on cloud data storage; as of 2023, 60% of all corporate data was stored in the cloud. However, this shift has exposed organizations to new threats and magnified their existing inherent and residual risks. Confidential data, once securely confined within company premises, is now stored online with cloud computing providers and accessible to employees working remotely. This raises a critical question: could this confidential data also be accessible to cybercriminals?

This new era of remote work comes with its own set of risks. Risk, in general, can be defined as a situation involving exposure to danger. Risk is an innate part of life, and we make decisions at every moment of every day to avoid risks and remain safe. When walking across the street we look both ways, we put on a seat belt when we get in the car, we keep an eye on hot coffee when a child comes near. Risks are all around us, and avoiding them is second nature.

What we are not as accustomed to in daily life is avoiding risks online. According to recent studies, a cybercrime takes place every 39 seconds, with ever-evolving tricks and techniques. These numbers suggest that the risks an organization faces at any point in time are also evolving.


Organizations can categorize these risks into two main types: inherent risk and residual risk.

What Is Inherent Risk?

The simplest and most widely used definition of inherent risk is the risk that exists before any security controls are applied. For example, imagine a retail organization that has never trained its employees to recognize social engineering attacks. If a social engineering attack succeeds in this scenario, it will be because of the inherent risk created by the lack of proper training. In the absence of appropriate security controls, the possibilities for risk are endless.

The good news is that inherent risks are avoidable!

Most of the risk can be mitigated by applying appropriate security controls. The survival and safety of your organization depend upon the information security measures it takes. The inherent risk is the foundation on which an organization designs its security policies and procedures. It must be assessed correctly to ensure the security of private information.

In the previously discussed scenario, you can mitigate the risk by carrying out annual awareness training for your employees. Another way to protect against the risk of social engineering attacks is to train new recruits during their onboarding process.

That's it? That is doable!

If only that were the end of the story. Unfortunately, protecting ourselves against risks will not make us risk-proof. There is another type of risk you should be aware of, which is a tad bit more stubborn than the former: residual risk.

What Is Residual Risk?

Residual risk is defined as the leftover risk after the mitigating controls have been applied to minimize the inherent risk. It can be calculated using the following formula:

Residual Risk = Inherent Risk – Impact of applied controls

Mitigating risks completely is challenging. For example, wearing a seatbelt mitigates the inherent risk associated with vehicular transportation, but it does not entirely eliminate the possibility of injury in an accident—this is the residual risk.

Residual risk is what remains after risk treatment has been carried out. Depending on the likelihood and impact of this risk, an organization may choose to treat, avoid, transfer, or accept it. For example, even if a company conducts regular phishing awareness training for its employees, residual risk persists. An employee might miss the training, not pay attention, or inadvertently fall victim to an attack.

The first step in the risk management process is to assess and identify all existing inherent risks to your business. Once identified, these risks should be categorized based on their impact on the business, and unacceptable risks should be treated by applying controls. The remaining risk after this process is the residual risk.

Quantitative and Qualitative Examples of Residual Risk Calculation

To truly understand residual risk, it helps to see how organizations actually calculate it—both with numbers and broader assessments.

Quantitative Example

Imagine a financial institution assessing the potential impact of a ransomware attack. The risk team estimates that, without any defenses in place, the total loss could reach $5 million. The organization then invests in advanced anti-malware tools, regular system backups, and employee training, reducing the projected potential loss by $3 million.

The math is simple:

  • Original (Inherent) Risk: $5 million

  • Impact of Controls: $3 million

So, the residual risk would be:

  • Residual Risk = Inherent Risk – Impact of Controls

  • Residual Risk = $5 million – $3 million = $2 million

Even after investing in controls, the company faces a remaining potential loss of $2 million—this is the risk that simply cannot be erased.

Qualitative Example

Let’s look at a less numbers-heavy scenario. Say a healthcare provider is implementing a new electronic records system. Their initial risk assessment gives this project an inherent risk score of 8 out of 10, considering patient data sensitivity and regulatory requirements.

After adding multi-factor authentication, running regular security audits, and providing refresher training to staff, the team reassesses the risk and gives it a 3 out of 10. That new score—3—represents the residual risk still present after all those efforts. It’s lower, but not zero.

Whether dealing with dollars or risk scores, the key takeaway is the same: even the best controls leave some measure of risk that must be acknowledged and managed.

Real-World Examples of Residual Risk

No matter how many controls are in place, residual risk lingers across all industries, each facing its own flavor of the unexpected. Here’s a look at how this plays out in real scenarios:

  • Banking: Even with firewalls, multi-factor authentication, and the latest encryption from trusted providers like Symantec and Cisco, banks remain potential targets for clever cyber attackers who continuously invent new ways to breach defenses. Think of it as locking all your doors and windows, but recognizing that a determined burglar might still break in.

  • Healthcare: Hospitals go above and beyond to prevent infections with antibacterial protocols, isolation procedures, the whole nine yards. Yet antibiotic-resistant bacteria can still rear their ugly heads, posing hazards even in the most sanitized wards.

  • Manufacturing: Automated safety systems, physical guards on machinery, and regular drills all make factory floors safer. However, accidents can still occur, whether due to an unexpected machine malfunction or simple human error.

  • Supply Chain: Organizations rely on well-honed logistics, diversified suppliers, and contingency plans, yet there’s always the wildcard: hurricanes, global pandemics, or geopolitical conflicts. These can derail the most carefully orchestrated supply chain overnight.

  • Construction: From required hard hats to routine safety inspections and rigorous engineering checks, the construction industry doesn’t cut corners on safety. Even so, surprises like severe weather or hidden structural issues can introduce risks no checklist could have flagged.

No matter the sector, residual risk serves as a reminder that perfect security is a myth. What matters is knowing what risks remain and having a plan for when the unexpected happens.

Why is Residual Risk Important?

ISO 27001 mandates residual risk mitigation as a critical component of the risk management process. For compliance, organizations must monitor their residual risks, which helps the security and audit teams determine whether the applied treatment plans are effective. The best practice is to set a risk appetite threshold, which defines the level of risk the organization can accept without affecting business operations. The goal is to keep the residual risk within this threshold.

Risk management is an ongoing cycle. It begins with identifying inherent risks, which are then mitigated through control measures. The resulting residual risk is assessed to determine if it falls below the acceptable threshold.

If not, the cycle repeats until the risk is brought within acceptable levels. The concept of inherent risk, along with control risk and detection risk, plays a crucial role in this process. Financial reporting, internal controls, and audit procedures are essential in maintaining this balance.

Risk Management Outcomes

Identifying residual risk is not enough; one must have a plan to address all the possible outcomes of this complex process. A strategic roadmap to risk management is a document that lists the key elements of the risk management process, the possible outcomes of which can be categorized as:

  • Risk Tolerance: Organizations must determine their level of risk tolerance, below which all risks are considered acceptable. Accurate assessment of inherent risk factors is key to effective risk management.

  • No Action Required: If the residual risk is below the risk tolerance threshold, no further action is needed.

  • Additional Mitigation Techniques: Often, residual risk will exceed the risk tolerance threshold, requiring additional controls. This involves reassessing inherent risk and devising a new treatment plan. In practice, organizations have several options when faced with residual risk: Take No Further Action, Enhance or Update Controls, and Weigh Cost vs. Benefit. This structured approach ensures that every residual risk is thoughtfully considered, balancing risk reduction with organizational priorities and resources.

  • Re-evaluation of Risk: Risk management is iterative. Each time residual risk exceeds the acceptable threshold, reassessment is needed to determine the effectiveness of the applied controls.

  • Cost Analysis: When residual risk cannot be reduced below a certain point, a cost analysis is necessary to determine if the cost of further controls outweighs the potential impact of the risk.

  • Documentation and Reports: Documenting all risk management activities and outcomes is crucial for compliance and audit purposes.
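The formula above, the two worked examples (the $5 million ransomware estimate and the 8-out-of-10 records-system score), and the outcome categories in this list can be expressed as a small risk register. The following Python is an added example, not code from the article; every figure in it (control reductions, control costs, the appetite thresholds, and the candidate controls "24x7 managed detection" and "immutable offline backups") is constructed to mirror the article's scenarios, and the cost-benefit rule is a simple illustration of the Cost Analysis outcome, not a standard the article prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    reduction: float   # inherent risk removed, in the same unit as the risk it treats
    cost: float = 0.0  # cost of implementing the control (constructed figures)


@dataclass
class Risk:
    name: str
    inherent: float
    unit: str          # "usd" for a quantitative estimate, "score" for a 0-10 rating
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> float:
        """Residual Risk = Inherent Risk - Impact of applied controls (floored at zero)."""
        return max(0.0, self.inherent - sum(c.reduction for c in self.controls))


def decide(risk: Risk, appetite: float, candidate: Optional[Control] = None) -> str:
    """Map one risk onto the article's outcome categories.

    Within appetite -> no action; above appetite with no proposed control ->
    additional mitigation; above appetite with a proposed control -> a cost
    analysis (only meaningful when cost and risk share a unit, here USD).
    """
    residual = risk.residual()
    if residual <= appetite:
        return "no action required"
    if candidate is None:
        return "additional mitigation required"
    removed = min(candidate.reduction, residual)  # a control cannot remove more risk than remains
    if risk.unit == "usd" and candidate.cost > removed:
        return "not cost-justified (consider accepting or transferring)"
    return "apply control"


def treat_until_acceptable(risk: Risk, appetite: float,
                           candidates: List[Control]) -> Tuple[float, str, List[Tuple[str, str]]]:
    """Run the iterative cycle: keep proposing controls until residual risk is within appetite.

    Returns the final residual, the final outcome, and a log of each decision made.
    """
    log: List[Tuple[str, str]] = []
    for candidate in candidates:
        if risk.residual() <= appetite:
            break
        outcome = decide(risk, appetite, candidate)
        log.append((candidate.name, outcome))
        if outcome == "apply control":
            risk.controls.append(candidate)
    return risk.residual(), decide(risk, appetite), log


def example_register() -> Dict[str, object]:
    """Constructed sample data mirroring the article's two examples (not real figures)."""
    # Quantitative: $5M inherent, $3M removed by the initial control set, $1M appetite (assumed).
    ransomware = Risk("ransomware", 5_000_000, "usd",
                      [Control("anti-malware + backups + training", 3_000_000, 400_000)])
    before = ransomware.residual()  # $2M, as in the article
    # Hypothetical follow-on controls: one too expensive for the risk it removes, one worthwhile.
    candidates = [Control("24x7 managed detection", 800_000, 1_200_000),
                  Control("immutable offline backups", 1_500_000, 250_000)]
    after, outcome, log = treat_until_acceptable(ransomware, 1_000_000, candidates)

    # Qualitative: score 8/10 inherent, reassessed at 3/10 after three controls (split assumed).
    ehr = Risk("electronic records rollout", 8, "score",
               [Control("MFA", 2), Control("regular security audits", 2),
                Control("refresher training", 1)])

    return {
        "ransomware_before": before,
        "ransomware_after": after,
        "ransomware_outcome": outcome,
        "ransomware_log": log,
        "ehr_residual": ehr.residual(),
        "ehr_outcome": decide(ehr, appetite=4),  # appetite of 4/10 assumed
    }


if __name__ == "__main__":
    for key, value in example_register().items():
        print(f"{key}: {value}")
```

The register deliberately keeps dollar risks and score risks apart: subtracting a control's dollar cost from a 0-10 score is meaningless, so the cost-benefit branch only fires for quantitative entries, and qualitative entries above appetite are routed to "additional mitigation required" for a human reassessment.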


Steps to Address Residual Risk

Beyond simply categorizing outcomes, organizations should take a methodical approach to managing residual risk:

  • Identify governance, risk, and compliance requirements: Ensure all regulatory, industry, and internal mandates are understood and accounted for.

  • Evaluate the control framework: Assess the strengths and weaknesses of existing controls to understand where your risk posture stands.

  • Acknowledge existing risks: Accept that no control environment is perfect; transparency about residual risks is key.

  • Define risk appetite: Clearly articulate what level of risk is tolerable for your organization and communicate this across departments.

  • Weigh controls against mitigation costs: Sometimes, the investment required to further reduce risk is not justified by the potential reduction in impact. Organizations must balance these costs thoughtfully.

  • Identify options for addressing unacceptable risks: Consider transferring risk (e.g., through insurance), implementing new controls, or, in some cases, accepting the risk where further treatment is impractical.

By incorporating these practices, organizations ensure their approach to residual risk is both structured and adaptable. This ongoing cycle of assessment, action, and documentation keeps risk management efforts aligned with business objectives and regulatory expectations.

Final Words

In sum, a well-thought-out plan of action can help your risk team sail through the toughest of times. The art of risk management is neither to overestimate nor underestimate the organization's tolerance for risk. Only properly conducted assessments will lead you towards successful endeavors.

As risks continue to evolve, organizations must continually reassess their security structures to stay ahead. To stay on top of new and ever-evolving risks, you will need all the help you can get in maintaining your organization's current security structure.