Published on: Jan 12, 2022
Inherent vs. Residual Risk, and How To Manage Them
In recent years, organizations have spent a tremendous amount of effort shifting to the cloud, enhancing their digital infrastructures, and improving data accessibility. The pandemic accelerated the transition to remote work and increased reliance on cloud data storage, with 60% of all corporate data stored in the cloud as of 2023. However, this shift has exposed organizations to new threats and magnified existing inherent risks and residual risks. Confidential data, once securely confined within company premises, is now stored online with cloud computing providers and accessible to employees working remotely. This raises a critical question: could this confidential data also be accessible to cybercriminals?
This new era of remote work comes with its own set of risks. Risk, in general, can be defined as a situation involving exposure to danger, and it is an innate part of life: we make decisions every moment of every day to avoid risks and remain safe. When walking across the street we look both ways, we put on a seat belt when we get in the car, we keep hot coffee away from an approaching child – risks are all around us, and avoiding them is second nature.
What we are not as accustomed to in daily life is avoiding risks online. According to recent studies, a cybercrime takes place every 39 seconds, with ever-evolving tricks and techniques. These numbers suggest that the risks an organization faces at any point in time are also evolving.

Organizations can categorize these risks into two main types: Inherent Risk and Residual Risk.
What Is Inherent Risk?
The simplest and most widely used definition of inherent risk is risk without any applied security controls. For example, imagine a retail organization that has never trained its employees against social engineering attacks. If a social engineering attack happens in this scenario, it will be due to the inherent risk that exists because of a lack of proper training. The possibilities of risks are endless in the absence of appropriate security controls.
The good news is that inherent risks are avoidable!
Most inherent risk can be mitigated by applying appropriate security controls. The survival and safety of your organization depend upon the information security measures it takes. Inherent risk is the foundation on which an organization designs its security policies and procedures, so it must be assessed correctly to ensure the security of private information.
In the scenario above, you can mitigate the risk by carrying out annual awareness training for your employees. Another way to protect against social engineering attacks is to teach new recruits how to recognize and resist them as part of the onboarding process.
That's it? That is doable!
If only that were the end of the story. Unfortunately, protecting ourselves against risks will not make us risk-proof. There is another type of risk that you should be aware of, which is a bit more stubborn than the former: residual risk.
What Is Residual Risk?
Residual risk is defined as the leftover risk after the mitigating controls have been applied to minimize the inherent risk. It can be calculated using the following formula:
Residual Risk = Inherent Risk – Impact of applied controls
Mitigating risks completely is challenging. For example, wearing a seatbelt mitigates the inherent risk associated with vehicular transportation, but it does not entirely eliminate the possibility of injury in an accident—this is the residual risk.
Residual risk is what remains after risk treatment has been carried out. Depending on the likelihood and impact of this risk, an organization may choose to treat, avoid, transfer, or accept it. For example, even if a company conducts regular phishing awareness training for its employees, residual risk persists. An employee might miss the training, not pay attention, or inadvertently fall victim to an attack.
The first step in the risk management process is to assess and identify all existing inherent risks to your business. Once identified, these risks should be categorized based on their impact on the business, and unacceptable risks should be treated by applying controls. The remaining risk after this process is the residual risk.
Quantitative and Qualitative Examples of Residual Risk Calculation
To truly understand residual risk, it helps to see how organizations actually calculate it—both with numbers and broader assessments.
Quantitative Example
Imagine a financial institution assessing the potential impact of a ransomware attack. The risk team estimates that, without any defenses in place, the total loss could reach $5 million. The organization then invests in advanced anti-malware tools, regular system backups, and employee training, reducing the projected potential loss by $3 million.
The math is simple:
Original (Inherent) Risk: $5 million
Impact of Controls: $3 million
So, the residual risk would be:
Residual Risk = Inherent Risk – Impact of Controls
Residual Risk = $5 million – $3 million = $2 million
Even after investing in controls, the company faces a remaining potential loss of $2 million—this is the risk that simply cannot be erased.
Qualitative Example
Let’s look at a less numbers-heavy scenario. Say a healthcare provider is implementing a new electronic records system. Their initial risk assessment gives this project an inherent risk score of 8 out of 10, considering patient data sensitivity and regulatory requirements.
After adding multi-factor authentication, running regular security audits, and providing refresher training to staff, the team reassesses the risk and gives it a 3 out of 10. That new score—3—represents the residual risk still present after all those efforts. It’s lower, but not zero.
Whether dealing with dollars or risk scores, the key takeaway is the same: even the best controls leave some measure of risk that must be acknowledged and managed.
Real-World Examples of Residual Risk
No matter how many controls are in place, residual risk lingers across all industries, each facing its own flavor of the unexpected. Here’s a look at how this plays out in real scenarios:
Banking: Even with firewalls, multi-factor authentication, and the latest encryption from trusted providers like Symantec and Cisco, banks remain potential targets for clever cyber attackers who continuously invent new ways to breach defenses. Think of it as locking all your doors and windows, but recognizing that a determined burglar might still break in.
Healthcare: Hospitals go above and beyond to prevent infections with antibacterial protocols, isolation procedures, and the whole nine yards. Yet antibiotic-resistant bacteria can still rear their ugly heads, posing hazards even in the most sanitized wards.
Manufacturing: Automated safety systems, physical guards on machinery, and regular drills all make factory floors safer. However, accidents can still occur, whether due to an unexpected machine malfunction or simple human error.
Supply Chain: Organizations rely on well-honed logistics, diversified suppliers, and contingency plans, yet there’s always the wildcard: hurricanes, global pandemics, or geopolitical conflicts. These can derail the most carefully orchestrated supply chain overnight.
Construction: From required hard hats to routine safety inspections and rigorous engineering checks, the construction industry doesn’t cut corners on safety. Even so, surprises like severe weather or hidden structural issues can introduce risks no checklist could have flagged.
No matter the sector, residual risk serves as a reminder that perfect security is a myth. What matters is knowing what risks remain and having a plan for when the unexpected happens.
Third-Party Risk: Inherent and Residual Realities
When it comes to third-party risk management, inherent and residual risk go hand-in-hand. Any vendor with access to your organization’s sensitive data or systems introduces a baseline level of risk before you even implement a single safeguard. This is the inherent risk. For instance, a law firm sharing files with a cloud storage provider faces risks tied to that provider’s own security practices and compliance history, regardless of the law firm’s internal controls.
What you do next matters just as much. Conducting in-depth vendor risk assessments, requiring recognized security certifications or attestations such as ISO 27001 or SOC 2, and integrating regular compliance checks are controls that can seriously reduce the dangers posed by working with outside parties. However, just as in banking or healthcare, no amount of paperwork, encryption, or procedural rigor erases all risk. Once your due diligence and vendor controls are in place, the vulnerabilities that still hang around make up your residual risk.
The challenge? Many businesses struggle to keep up with ongoing assessments, especially when managing dozens (or even hundreds) of third-party providers. Even with gold-standard processes and tech in place, there’s always the chance that a vendor’s security oversight could ripple into your own operations. Third-party relationships, then, are never a “set and forget” proposition. Recognizing both the inherent and residual risks is key to maintaining a resilient, adaptive risk management program that keeps your defenses sharp, no matter who you do business with.
Why is Residual Risk Important?
ISO 27001 mandates residual risk mitigation as a critical component of the risk management process. For compliance, organizations must monitor their residual risks, which helps the security and audit teams determine whether the applied treatment plans are effective. The best practice is to set a risk appetite threshold, which defines the acceptable level of risk that the organization can bear without affecting business operations. The goal is to keep the residual risk within this threshold.
Risk management is an ongoing cycle. It begins with identifying inherent risks, which are then mitigated through control measures. The resulting residual risk is assessed to determine if it falls below the acceptable threshold.
If not, the cycle repeats until the risk is brought within acceptable levels. The concept of inherent risk, along with control risk and detection risk, plays a crucial role in this process. Financial reporting, internal controls, and audit procedures are essential in maintaining this balance.
Risk Management Outcomes
Identifying residual risk is not enough; one must have a plan to address all the possible outcomes of this complex process. A strategic roadmap to risk management is a document that lists the key elements of the risk management process, the possible outcomes of which can be categorized as:
Risk Tolerance: Organizations must determine their level of risk tolerance, below which all risks are considered acceptable. Accurate assessment of inherent risk factors is key to effective risk management.
No Action Required: If the residual risk is below the risk tolerance threshold, no further action is needed.
Additional Mitigation Techniques: Often, residual risk will exceed the risk tolerance threshold, requiring additional controls. This involves reassessing inherent risk and devising a new treatment plan. In practice, organizations have several options when faced with residual risk: Take No Further Action, Enhance or Update Controls, and Weigh Cost vs. Benefit. This structured approach ensures that every residual risk is thoughtfully considered, balancing risk reduction with organizational priorities and resources.
Re-evaluation of Risk: Risk management is iterative. Each time residual risk exceeds the acceptable threshold, reassessment is needed to determine the effectiveness of the applied controls.
Cost Analysis: When residual risk cannot be reduced below a certain point, a cost analysis is necessary to determine if the cost of further controls outweighs the potential impact of the risk.
Documentation and Reports: Documenting all risk management activities and outcomes is crucial for compliance and audit purposes.

What Is a Risk Register and How Do You Build One to Address Residual Risk?
A risk register is a living document (often a spreadsheet or part of a GRC platform) that brings together all known risks—both inherent and residual—alongside the controls you've put in place and what’s still left to manage. Think of it as a detailed logbook for your journey through risk management waters. Beyond simply categorizing outcomes, organizations should take a methodical approach to managing residual risk.
To build a solid risk register, follow these steps:
List All Identified Risks: Start by recording every risk uncovered during your assessment process. No hiding under the proverbial rug—if it’s a risk, it goes on the list.
Categorize Each Risk: Note whether the risk is inherent (present before controls) or residual (remaining after controls). For added clarity, consider grouping risks by department or business process.
Describe the Potential Impact and Likelihood: For each entry, estimate how likely it is to occur and how severe the fallout could be. This is where frameworks from ISO and NIST can help standardize your approach.
Document Existing Controls: Capture all the defenses you have in play—be it technology, processes, or policies like those from the CIS Controls.
Assign Risk Owners: Designate a responsible party for monitoring and addressing each risk. This builds accountability and ensures nothing falls through the cracks.
Keep It Up to Date: A risk register is only as good as its most recent entry. Regular reviews and updates—prompted by audits, incidents, or organizational changes—are essential.
Building and maintaining a risk register lets teams quickly spot where they’re most vulnerable and decide where to focus their next security investment. By incorporating these practices, organizations ensure their approach to residual risk is both structured and adaptable. This ongoing cycle of assessment, action, and documentation keeps risk management efforts aligned with business objectives and regulatory expectations. From there organizations can build a risk register for
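To make the register steps above and the Residual Risk = Inherent Risk – Impact of Controls formula concrete, here is a minimal risk register in Python. It is an added example, not code from the article or any GRC product: each entry records owner, inherent exposure and applied controls, derives the residual exposure, compares it with the risk appetite threshold and maps the result to one of the article's outcomes (No Action Required, Additional Mitigation Techniques, Cost Analysis). The $5 million / $3 million ransomware figures come from the quantitative example; the split across controls, the other entries and the tolerance are constructed.

```python
"""Minimal risk register: inherent risk, applied controls, residual risk and outcome.
Added example; all sample values below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduction: float  # estimated reduction in potential loss attributable to this control


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str                # accountable party for monitoring this risk
    inherent: float           # potential loss with no controls applied
    controls: list = field(default_factory=list)
    next_control_cost: "float | None" = None  # cost of the next candidate control, if known

    def residual(self) -> float:
        """Residual Risk = Inherent Risk - Impact of applied controls (never below zero)."""
        return max(0.0, self.inherent - sum(c.reduction for c in self.controls))


def outcome(entry: RiskEntry, tolerance: float) -> str:
    """Map an entry to one of the article's risk management outcomes."""
    residual = entry.residual()
    if residual <= tolerance:
        return "No Action Required"
    if entry.next_control_cost is not None and entry.next_control_cost >= residual:
        return "Cost Analysis"  # the next control would cost more than the exposure it removes
    return "Additional Mitigation Techniques"


def build_register(entries, tolerance):
    """Return one row per risk, largest residual exposure first."""
    rows = [{"risk_id": e.risk_id, "owner": e.owner, "inherent": e.inherent,
             "residual": e.residual(), "outcome": outcome(e, tolerance)} for e in entries]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


RISK_TOLERANCE = 500_000.0  # constructed risk appetite threshold in dollars
ENTRIES = [
    RiskEntry("R-001", "Ransomware on core systems", "CISO", 5_000_000.0,
              [Control("anti-malware", 1_500_000.0), Control("system backups", 1_000_000.0),
               Control("employee training", 500_000.0)], next_control_cost=250_000.0),
    RiskEntry("R-002", "Vendor breach of shared files", "Vendor Manager", 1_200_000.0,
              [Control("vendor assessment and SOC 2 review", 800_000.0)]),
    RiskEntry("R-003", "Phishing of finance staff", "IT Security", 900_000.0,
              [Control("MFA", 150_000.0), Control("phishing training", 50_000.0)],
              next_control_cost=800_000.0),
]
```

Calling `build_register(ENTRIES, RISK_TOLERANCE)` yields the register rows with R-001 still at $2 million residual and flagged for additional mitigation.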
Final Words
In sum, a well-thought-out plan of action can help your risk team sail through the toughest of times. The art of risk management is neither to overestimate nor underestimate the organization's tolerance for risk. Only properly conducted assessments will lead you towards successful endeavors.
As risks continue to evolve, organizations must continually reassess their security structures to stay ahead. To keep up with new and ever-evolving risks, you will need all the help you can get to stay on top of your organization's current security structure.