In Q1 of 2023 alone, 6,382,619 records were exposed in the healthcare industry. While there will always be inherent risk any time you enter into a new relationship with a vendor and their products, you can’t ignore or skip over the residual risk. Failure to acknowledge and account for such inherent risks could potentially jeopardize your organization.

What is Residual Risk?

In the world of IT and network security, we often discuss risk management in buckets or categories.

The first bucket is called inherent risk. This is the risk a business faces if nothing is done. It’s the natural state of risk that exists before any sort of risk reduction effects or controls are put into place. Using the analogy of a house, inherent risk is the risk that a burglar will enter your home without any door locks, alarm systems or security cameras. 

The second bucket is called residual risk. This is the risk that your business faces after implementing the proper security protocol, systems and defenses. Using the same analogy, residual risk is the risk that a homeowner faces after taking the time to install locks, set up an alarm system, install security cameras, etc.

The controls an organization implements should determine the acceptable levels for both inherent risk and residual risk.

What Does Residual Risk Mean in the Risk Management Process?

Residual risk in the risk management process is the risk that remains after an organization attempts to mitigate or remediate a risk. For example, even after implementing an email security service to detect spam and phishing attacks, your organization continues to receive phishing emails. Or, despite giving employees granular permission controls for documents and files, an insider is still able to steal important information about your technology.


Inherent Risk vs Residual Risk

Most business owners and IT professionals are acutely aware of inherent risk. After all, it’s pretty easy to understand the challenges that exist if nothing is done. However, residual risk often flies under the radar. As a result, most businesses have blind spots that leave them vulnerable to being compromised by either internal or external threats. 

For CIOs, CISOs and business owners, monitoring and understanding residual risk ensures there are no blind spots or loopholes. It helps you identify potential security threats that could negatively impact your business in the future. This helps paint a comprehensive picture of your information security status. 

Furthermore, monitoring residual risk is a key element of ISO 27001, an international standard that helps you measure how safe and secure different information assets are prior to, during and after sharing with third parties. If you want to fully comply with this standard, you must have a residual risk check in place (in addition to inherent risk strategies and ongoing monitoring).

How to Calculate Residual Risk in Your Business

There are numerous ways to calculate residual risk. And by the very nature of the risk, it’s impossible to perfectly quantify it. The best you can do is implement a logical and consistent framework that enables you to track risk over time. In turn, this empowers you to respond with swift and appropriate action when called to do so. 

5 Steps to Calculating Residual Risk

Here’s a five-step approach that you can tailor to your organization’s needs:

  1. Identify Risk Factors

The first step is to identify any residual risk factors that may exist. Feel free to add anything you feel may be relevant in this step. You can always filter things out later, but it’s hard to come back and add in new risk factors after the fact. 

  2. Assign Likelihood

Once you have a list of risk factors, assign scores that suggest the likelihood of the event happening. Depending on your desired specificity, you can use a three-point, five-point or even a 10-point scale. The exact scale you use is less important than the consistency. In other words, it’s more important that you assign the correct values to each risk factor.

  3. Assign Impact

The next step is to assign an impact score. This is the level of impact the event would have on your business if it occurred. For the sake of simplicity, use the same scale as before. (If you used a three-point likelihood scale where one means low likelihood and three means high likelihood, use the same type of scale for assigning impact.)

  4. Calculate Risk Score

This is the easiest step of all. Create a chart and calculate the risk score based on the likelihood and impact values you assigned in steps two and three. This is done with simple multiplication.

If the likelihood of Risk X occurring is a three and the potential impact is a two, that leaves you with a score of six. (3 x 2 = 6) Do this for every risk factor identified in step one and you’ll have a clear picture of which risks are most likely to negatively impact your business moving forward. 

  5. Respond Appropriately

Finally, based on the risk scores, you can strategically allocate your time and money to strengthen security and compliance in specific areas of your business. You’ll want to focus on the residual risks with the highest scores first, while developing some sort of filter so that you aren’t wasting resources on low risk factors.

How to Manage Residual Risk

Organizations should develop a risk management plan to manage residual risk. Risk management programs evaluate their risk by determining two important factors:

  1. Risk appetite. The amount of risk an organization is willing to take to achieve its business goals.
  2. Risk tolerance. How willing an organization is to deviate from its risk appetite.

Both an organization’s risk appetite and risk tolerance can vary depending on its specific action and objectives.

Proactive Tips for Lowering Residual Risk

When considering residual risk factors, you have a few different options on how to proceed.

Possibilities include:

  • Acceptance. The first option is to simply accept the risk and move on. In other words, you take your chances that (a) it won’t happen or, (b) the consequences won’t be severe.
  • Reduction. The second option is to reduce the risk level so that it becomes much more manageable. This could look like implementing a security solution that takes the risk level from an impact score of three to an impact score of one. In this case, it becomes something that you can accept without losing sleep at night. 
  • Avoidance. If you’re unable to accept or reduce the risk, then you can look for ways to avoid the risk. In this case, you reduce the likelihood factor. In turn, you lower the risk score so that it’s tolerable. 
  • Sharing. Finally, you may have the option of sharing the risk. This usually plays out like purchasing some sort of cybersecurity insurance policy that lowers the impact score and offloads most of the financial consequences to a third party. 

At the end of the day, it's up to you, the project manager, and your team to make calculated decisions on how to proceed. But if you've done a thorough job with residual risk analysis, your responses should be fairly straightforward.
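The five-step scoring procedure and the four treatment options above, worked through as a small Python risk register. This is an added example, not Panorays code: it enforces one consistent scale for likelihood and impact, computes the score as likelihood multiplied by impact, ranks and filters the register by a threshold, and models each treatment as a change to the score it affects (reduction and sharing lower impact, avoidance lowers likelihood, acceptance changes nothing). The risk factors, their scores and the threshold of 4 are constructed assumptions.

```python
"""Residual-risk register: score, rank, filter and treat risk factors.

Added example (not Panorays code). Every risk factor, score and threshold
below is constructed for illustration; replace them with your own.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple

# One consistent scale for both likelihood and impact (three-point, as in the article).
SCALE_MIN, SCALE_MAX = 1, 3


@dataclass(frozen=True)
class RiskFactor:
    name: str
    likelihood: int  # step 2: 1 = low ... 3 = high
    impact: int      # step 3: same scale as likelihood

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays consistent.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{field_name}={value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    @property
    def score(self) -> int:
        # Step 4: risk score is likelihood multiplied by impact.
        return self.likelihood * self.impact


# Step 1: constructed residual-risk factors (hypothetical examples).
REGISTER: List[RiskFactor] = [
    RiskFactor("Phishing email reaches inboxes despite filtering", likelihood=3, impact=2),
    RiskFactor("Insider copies documents despite granular permissions", likelihood=1, impact=3),
    RiskFactor("Staff reuse passwords on a vendor portal", likelihood=2, impact=2),
    RiskFactor("Expired TLS certificate on an internal tool", likelihood=2, impact=1),
]


def rank(register: List[RiskFactor]) -> List[RiskFactor]:
    """Step 5: order the register so the highest residual scores come first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def plan(register: List[RiskFactor], threshold: int) -> List[Tuple[str, int, str]]:
    """Split the ranked register into factors to act on now and factors to monitor.

    The threshold is the 'filter' that keeps low-score factors from consuming
    budget; its value is a local policy choice (4 here is a constructed assumption).
    """
    return [
        (r.name, r.score, "prioritize" if r.score >= threshold else "monitor")
        for r in rank(register)
    ]


class Treatment(Enum):
    ACCEPT = "accept"  # carry the risk unchanged
    REDUCE = "reduce"  # a control lowers the impact score
    AVOID = "avoid"    # change the activity so the likelihood score drops
    SHARE = "share"    # e.g. insurance offloads consequences, lowering impact


# Which score each treatment changes, following the article's description.
_ADJUSTED_FIELD = {
    Treatment.ACCEPT: None,
    Treatment.REDUCE: "impact",
    Treatment.AVOID: "likelihood",
    Treatment.SHARE: "impact",
}


def treat(risk: RiskFactor, option: Treatment, new_value: Optional[int] = None) -> RiskFactor:
    """Return the risk factor as it would be scored after applying a treatment."""
    field_name = _ADJUSTED_FIELD[option]
    if field_name is None:
        return risk
    if new_value is None or new_value >= getattr(risk, field_name):
        raise ValueError(f"{option.value} must lower the {field_name} score")
    return replace(risk, **{field_name: new_value})  # re-runs the scale validation


if __name__ == "__main__":
    for name, score, action in plan(REGISTER, threshold=4):
        print(f"{score}  {action:10s} {name}")
    phishing = REGISTER[0]
    print("phishing score after reducing impact to 1:", treat(phishing, Treatment.REDUCE, 1).score)
```

The `treat` function refuses a "treatment" that does not actually lower the relevant score, which catches the common register mistake of recording a control without changing the number it is supposed to affect.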

How Panorays Can Help

Panorays offers an automated, comprehensive and easy-to-use third-party security platform that manages the whole process from inherent to residual risk, remediation and ongoing monitoring.  

For more information or to see an example of how it works, please request a demo today!


How can you identify residual risk?

Residual risk is the risk in your organization after all security processes, protocols and defense systems have been implemented. You can calculate residual risk with the traditional residual risk formula: Residual risk = Inherent risk – Impact of risk controls.

What is meant by residual risk?

Residual risk is the risk that remains after all the possible security measures are put into place in an organization. For example, if you put on a seatbelt to prevent being injured in the event of an automobile accident, the residual risk is the risk of becoming injured even though you’ve worn your seatbelt.

What is the difference between inherent risk and residual risk?

Inherent risk is the natural level of risk that exists in your organization without implementing any security controls. Residual risk is the risk your organization faces after putting these security controls in place.

What is a residual risk calculation?

A residual risk calculation can be determined by subtracting the impact of risk controls from the inherent risk. For example, if the inherent risk is scored as a 3 and the impact of risk controls is 2, your residual risk is 1.