Residual risk is the threat or vulnerability that remains after all risk treatment and remediation efforts have been implemented. Even with an astute vulnerability sanitation program, there will always be vestiges of risks that remain, these are residual risks.

Because they will always be present, the process of managing residual risk involves setting an acceptable threshold and then implementing programs and solutions to mitigate all risks below that threshold.

To learn how to identify and control the residual risks across your digital surfaces, read on.

Why is Residual Risk Important?

Residual risk is important because its mitigation is a mandatory requirement of ISO 27001 regulations. This is a popular information security standard within the ISO/IEC 2700 family of best security practices that helps organizations quantify the safety of assets before and after sharing them with vendors.

To be compliant with ISO 27001, organizations must complete a residual security check in addition to inherent security processes, before sharing data with any vendors.

But in 2021, residual risk has attained an even higher degree of importance since President Biden signed the Cybersecurity Executive Order. Now organizations are expected to significantly reduce residual risks throughout their supply chain to limit the impact of third-party breaches by nation-state threat actors.

To meet the strict compliance expectation of ISO/IEC 27001 and Biden's Executive order, organizations must combine attack surface monitoring solutions with residual risk assessment.

What's the Difference Between Inherent Risk and Residual Risk?

Inherent risk is the amount of risk within an IT ecosystem in the absence of controls and residual risk is the amount of risk that exists after cybersecurity controls have been implemented.

Inherent risk assessments help information security teams and CISOS establish a requirements framework for the design of necessary security controls. Beyond this high-level evaluation, inherent risk assessments have little value. The real value comes from residual risk assessments that help identify and remediate exposures before they're exploited by cybercriminals.

Inherent risk vs residual risk

Inherent vs. Residual Risk Assessments

The primary difference between inherent and residual risk assessments is that the latter takes into account the influence of controls and other mitigation solutions. As expected, the likelihood of an incident occurring in an a

The following definitions are important for each assessment program.

Inherent likelihood - The probability of an incident occurring in an environment with no security controls in place.

Inherent impact - The impact of an incident on an environment without security controls in place.

Residual likelihood - The probability of an incident occurring in an environment with security controls in place.

Residual Impact –  The impact of an incident on an environment with security controls in place.

When effective security controls are implemented, there is an obvious discrepancy between inherent and residual risk assessments. These results are not enough to verify compliance and should always be validated with an independent internal audit.

The longer the trajectory between inherent and residual risks, the greater the dependency, and therefore effectiveness, on established internal controls.

Learn more about residual risk assessments

How to Calculate Residual Risk

Before a risk management plan can be designed, you need to quantify all of the residual risks unique to your digital landscape. This will help define the specific requirement for your management plan and also allow you to measure the success of your mitigation efforts.

Quantifying residual risks within an ecosystem is a highly complex calculation. At a high level, the formula is as follows:

Residual risk = Inherent risks - impact of risk controls.

Residual risks can also be assessed relative to risk tolerance (or risk appetite) to evaluate the effectiveness of recovery plans. This will enforce an audit of all implemented security controls and identify any lapses permitting excessive inherent risks. With such invaluable analytics, security teams can conduct targeted remediation campaigns, supporting the efficient distribution of internal resources.

Learn how to calculate the risk appetite for your Third-Party Risk Management program.

Because the modern attack surface keeps expanding and creating additional risk variables, this calculation is better entrusted to intelligent solutions to ensure accuracy. However, to achieve a preliminary evaluation of your residual risk profile, the following calculation process can be followed.

Step 1: Calculate Your Inherent Risk Factor

Calculate RTOs for critical business units

The inherent risk factor is a function of Recovery Time Objectives (RTO) for critical processes - those that have the lowest RTOs. This requires the RTOs for each business unit to be calculated first.

Learn how to calculate Recovery Time Objectives

Calculate the Potential Impact of Each RTO Category

After the RTO of each business unit is calculated, this list should be ordered by level of potential business impact. Lower RTOs have a higher level of criticality and will, therefore, have the greatest negative impact on an organization,

Each RTO should be assigned a business impact score as follows:

  • 1 = Insignificant Impact
  • 2 = Minimal Impact
  • 3 = Moderate Impact
  • 4 = Critical Impact
  • 5 = Catastrophic Impact

For example:

If business unit A is comprised of processes 1, 2, and 3 that have RTOs of 12 hrs, 24 hrs, and 36 hours respectfully; a business recovery plan should only be evaluated for process 1. This is because process 1 has the lowest RTO, making it the most critical business process in its business unit category.

Because business unit A has an RTO of 12 hours or less, it would be classified as a highly critical process and so should be assigned an impact score of 4 or 5.

Assign a Threat Level Score to the Business Unit

The cyber threat landscape of each business unit will then need to be mapped. To ensure the accurate detection of vulnerabilities, this should be done with an attack surface monitoring solution.

A threat level score should then be assigned to each unit based on vulnerability count and the risk of exploitation.

The threat level scoring system is as follows:

  • 1 = Low
  • 2 = Minimal
  • 3 = Moderate
  • 4 = High
  • 5 = Critical

Estimate the Inherent Risk Factor of the Business Unit

An estimate of inherent risk can be calculated with the following formula:

Inherent risk = [ (Business Impact Score) x (Threat Landscape score) ] / 5

The resulting inherent risk score will be between 2.0 and 5.0 and can then be classified as follows:

  • Between 2 and 3 = Low inherent risk
  • Between 3 and 3.9 = Moderate inherent risk
  • Between 4 and 5 - High inherent risk

Step 2: Identify Acceptable Levels of Risk

The levels of acceptable risks depend on the regulatory compliance requirements of each organization. At a high level, all acceptable risks should have minimal impact on revenue, business objectives, service delivery, and attack surface management.

How to Define Acceptable Levels of Risk

Acceptable risks need to be defined for each individual asset. This can become an overwhelming prerequisite with a comprehensive asset inventory. The following acceptable risk analysis framework will help distribute the effort and speed up the process.

This can be achieved with the  following acceptable risk analysis framework:

  • Identify all assets with digital footprint mapping.
  • Assign each asset, or group of assets, to an owner.
  • Identify each asset's current and potential vulnerabilities.
  • Quantity the likelihood of these vulnerabilities being exploited
  • Quantify each asset's risk using the following formula:

    Risk = Likelihood x Impact


    - Likelihood is a function of vulnerabilities, exposure, and threats.
    - Impact is a function of business criticality.

The acceptable levels of risk should be defined as a percentage where:

  • If the inherent risk factor is less than 3 = 20% acceptable risk (high-risk tolerance).
  • If the inherent risk factor is between 3 and 3.9 = 15% acceptable risk (moderate-risk tolerance).
  • An inherent risk factor between 4 and 5 = 10% (low-risk tolerance).

The lower the percentage, the more severe the cybersecurity risk control requirements are. And the better the risk controls, the higher the chances of recovery after a cyberattack.

The maximum risk tolerance can be calculated with the following formula:

Maximum risk tolerance = Inherent risk tolerance percentage x Inherent risk factor

And the final risk tolerance threshold is calculated as follows:

Risk tolerance threshold = Inherent risk factor - maximum risk tolerance.

For example:

With an inherent risk factor of 3, the corresponding inherent risk tolerance is 15%. The maximum risk tolerance is:

3 x 15% = 0.45.

The risk tolerance threshold then becomes:

3 - 0.45 = 2.55.

This means, for mitigating controls to be within tolerance, their capabilities must add up to 2.55 or higher.

The cost of mitigating these risks is greater than the impact to the business.

Even with solutions in place, new residual risks will keep popping above the threshold, such as the risk of new data leaks.

The mitigation of these risks requires a dynamic whack-a-mole style of management - rapidly identifying new risks breaching the threshold and pushing them back down with appropriate remediation responses. The goal is to keep all residual risks beneath the acceptable risk threshold for as long as possible.

Step 3: Assign Weights for all Mitigating Controls

All controls that protect a recovery plan should be assigned a weight based on importance. The most critical controls are usually:

  • The recovery strategy - Also known as the Incident Response Plan.
  • Recovery exercises - The level of experience in testing the recovery strategy

Other common controls include:

Now assign a weighted score for each mitigation control based on your Business Impact Analysis (BIA).

Add the weighted scores for each mitigating control to determine your overall mitigating control state

Step 4: Calculate your residual risk.

To complete the residual risk formula, compare your overall mitigating control state number to your risk tolerance threshold.

You are within tolerance range if your mitigating control state number is equal to, or higher than, the risk tolerance threshold.

You are outside of your tolerance range if your mitigating control state number is lower than the risk tolerance threshold.

The lower the result, the more effort is required to improve your business recovery plan. Conversely, the higher the result the more effective your recovery plan is.

FAQ about Residual Risk

What Does Residual Risk Mean?

Residual risks are all of the risks that remain after inherent have been reduced with security controls.

What are Some Residual Risk Examples?

Residual risk examples include:

What is Residual Risk in Banking?

Examples of residual risk in banking include:

  • The inability to clear a debt
  • The risk of a loan applicant losing their job
  • The risk of asset liquidation

What are the Factors that Contribute to Residual Risk?

Residual risks could be cause by ineffective security controls or by the security controls themselves - these are known as secondary risks.

Ready to see
UpGuard in action?