Explain the concept of residual risk.


Multiple Choice

Explain the concept of residual risk.

Explanation:
Residual risk is the risk that remains after controls are applied. The risk that exists before any safeguards is the inherent risk; controls reduce the likelihood or the impact of a threat, but they never drive the risk to zero. Control limitations, evolving threats, human error and factors outside the organization's control all leave some risk behind. That leftover is the residual risk, and it is what you assess when deciding whether to strengthen controls (mitigate further), accept it, transfer it (for example through insurance or contract terms), or avoid the activity altogether.

Think of it like this: you implement encryption, access controls and monitoring to lower the chance and impact of a data breach. Even so, some risk persists from unknown exploits, misconfiguration or insider threats; that is the residual risk. You compare it to the organization's risk tolerance (the level of residual risk management is willing to live with): if it falls within tolerance, it is formally accepted and monitored; if it exceeds tolerance, further treatment is needed.
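The following is an added worked example, not part of the quiz or its answer. It models the data-breach scenario above in a small risk register: inherent risk is scored as likelihood times impact, each control removes a fraction of likelihood or impact, and the residual score is compared with a tolerance threshold to choose a treatment. The 1-to-5 scoring scale, the control effectiveness fractions and the tolerance value are assumptions constructed for illustration; real programs use whatever scale their risk methodology defines.

```python
"""Residual risk as what is left after controls, compared against tolerance.

Assumptions made for this example (not from the source text):
  - likelihood and impact are each scored 1..5; inherent risk = likelihood * impact
  - each control removes a fixed fraction of either likelihood or impact
  - effectiveness must be below 1.0: no single control eliminates a risk
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces: str          # "likelihood" or "impact"
    effectiveness: float  # fraction removed, 0.0 (no effect) up to but excluding 1.0


@dataclass
class Risk:
    name: str
    likelihood: float     # 1..5, before controls
    impact: float         # 1..5, before controls
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk before any safeguard is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk that remains once every control has reduced its target factor."""
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            if not 0.0 <= c.effectiveness < 1.0:
                raise ValueError(f"{c.name}: effectiveness must be in [0, 1); "
                                 "no control removes all risk")
            if c.reduces == "likelihood":
                like *= 1.0 - c.effectiveness
            elif c.reduces == "impact":
                imp *= 1.0 - c.effectiveness
            else:
                raise ValueError(f"{c.name}: reduces must be 'likelihood' or 'impact'")
        return like * imp


def assess(risk: Risk, tolerance: float) -> dict:
    """Compare residual risk with tolerance and recommend a treatment."""
    inherent = risk.inherent()
    residual = risk.residual()
    if residual <= tolerance:
        decision = "accept"          # within tolerance: document it and keep monitoring
    else:
        decision = "treat further"   # mitigate, transfer or avoid until within tolerance
    return {
        "risk": risk.name,
        "inherent": inherent,
        "residual": residual,
        "reduction": inherent - residual,
        "tolerance": tolerance,
        "decision": decision,
    }


# Constructed sample: the data-breach scenario from the explanation above.
DATA_BREACH = Risk(
    name="customer data breach",
    likelihood=4,
    impact=5,
    controls=[
        Control("encryption at rest", "impact", 0.60),      # stolen data is unreadable
        Control("least-privilege access", "likelihood", 0.50),
        Control("monitoring and alerting", "impact", 0.25),  # shorter dwell time
    ],
)

if __name__ == "__main__":
    for tol in (4.0, 2.0):
        print(assess(DATA_BREACH, tolerance=tol))
```

With these assumed numbers the inherent score of 20 falls to a residual of 3: the controls removed most of the risk but not all of it. Whether 3 is acceptable depends entirely on the tolerance the organization has set, which is the point the explanation makes.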
