What does residual risk indicate in a risk assessment?

Prepare for the NHSA Module 8 Test with our comprehensive quizzes, featuring flashcards and multiple choice questions. Understand each question with hints and explanations. Get exam ready!

Multiple Choice

What does residual risk indicate in a risk assessment?

Explanation:
Residual risk is the amount of risk that remains after you’ve implemented controls. Controls reduce either the likelihood of a threat materializing or the impact if it does, but they rarely eliminate risk entirely due to factors like imperfect effectiveness, changing conditions, and unaddressed gaps. In a risk assessment, you start by identifying and evaluating the initial risk, apply mitigating controls, and then determine the remaining risk to decide if additional actions are needed or if the level is acceptable within the organization’s risk tolerance. This concept isn’t about the original risk before controls, a parameter for randomizing tasks, or the date of the assessment.
