What does residual risk refer to in risk management?

Prepare for the DSST Cybersecurity Fundamentals Exam. Study with thorough preparatory material, multiple choice questions, and detailed explanations to ace your exam effortlessly!

Residual risk is the level of risk that remains after management has applied its chosen risk responses (controls) to an identified risk. The starting point is the inherent risk, the exposure that exists before any treatment. Once a treatment strategy is applied, whether avoidance, transfer, mitigation, or acceptance, the exposure usually shrinks but is rarely reduced to zero; whatever remains is the residual risk. It is this remaining amount that the organization must formally accept, or treat further, and it should be compared against the organization's stated risk appetite or tolerance rather than simply recorded.

For instance, an organization that deploys well-configured firewalls and intrusion detection systems has reduced the likelihood and impact of a network intrusion, but not eliminated it: unknown vulnerabilities, misconfigurations, detection gaps and credential misuse all remain. The difference between the inherent risk and the risk that remains with those controls in place is the residual risk. Because controls degrade and threats change, organizations need to reassess residual risk on an ongoing basis; it is the figure that drives decisions about whether additional controls are worth their cost, and who is accountable for accepting what is left.

The other answer choices do not fit. "Total risk" (inherent risk) is the exposure before any controls are applied, and "potential loss" is one input to a risk rating, not the remainder after treatment. A risk that can be avoided entirely does not produce residual risk either, because the activity that generates it has been removed rather than reduced.
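The following small risk-register model illustrates the distinction described above. It is an added example written for this page, not material from the DSST exam or from any standard; the risks, likelihoods, impact figures and control-effectiveness values are constructed, and the way each treatment reduces the inherent rating (mitigation scaling likelihood by control effectiveness, transfer removing a share of the impact, avoidance zeroing the risk, acceptance leaving it unchanged) is a simplification chosen for illustration.

```python
"""Inherent vs residual risk across the four treatment strategies.

Added illustration; all figures are constructed and the treatment
formulas are simplifications, not a standard or the exam's method.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float          # annual probability of occurrence, 0..1
    impact: float              # loss if the event occurs (currency units)
    treatment: str = "accept"  # one of: avoid, mitigate, transfer, accept
    control_effectiveness: float = 0.0  # mitigate: fraction of likelihood removed
    transferred_share: float = 0.0      # transfer: fraction of impact moved (e.g. insured)

    def inherent(self) -> float:
        """Exposure before any treatment: annualized expected loss."""
        return round(self.likelihood * self.impact, 2)

    def residual(self) -> float:
        """Exposure that remains after the chosen treatment is applied."""
        if self.treatment == "avoid":
            # The activity is removed, so nothing remains to be accepted.
            return 0.0
        if self.treatment == "mitigate":
            # Controls lower the likelihood; the remainder is still carried.
            remaining_likelihood = self.likelihood * (1 - self.control_effectiveness)
            return round(remaining_likelihood * self.impact, 2)
        if self.treatment == "transfer":
            # A share of the loss is borne by a third party; the rest stays.
            return round(self.likelihood * self.impact * (1 - self.transferred_share), 2)
        if self.treatment == "accept":
            return self.inherent()
        raise ValueError(f"unknown treatment {self.treatment!r}")


# Constructed register (hypothetical organization, hypothetical numbers).
REGISTER = [
    Risk("web app breach", 0.4, 500_000, "mitigate", control_effectiveness=0.8),
    Risk("ransomware outage", 0.2, 1_000_000, "transfer", transferred_share=0.6),
    Risk("legacy FTP exposure", 0.5, 50_000, "avoid"),
    Risk("marketing mailbox phishing", 0.3, 10_000, "accept"),
]


def assess(register: list[Risk], appetite: float) -> list[dict]:
    """Report inherent and residual exposure per risk and whether the
    residual amount sits within the stated risk appetite (per-risk cap)."""
    return [
        {
            "name": r.name,
            "treatment": r.treatment,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "within_appetite": r.residual() <= appetite,
        }
        for r in register
    ]


def total_residual(register: list[Risk]) -> float:
    """Sum of what the organization must knowingly accept after treatment."""
    return round(sum(r.residual() for r in register), 2)


if __name__ == "__main__":
    for row in assess(REGISTER, appetite=50_000):
        flag = "ok" if row["within_appetite"] else "EXCEEDS APPETITE"
        print(f"{row['name']:<28} {row['treatment']:<9} "
              f"inherent={row['inherent']:>10,.0f} residual={row['residual']:>9,.0f} {flag}")
    print("total residual:", total_residual(REGISTER))
```

Running it shows that the transferred ransomware risk still exceeds the 50,000 per-risk appetite even after insurance, so it needs further treatment or explicit sign-off, while the avoided FTP exposure contributes nothing to the residual total.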
