Residual risk definition

What is Residual Risk?

Residual risk is the remaining amount of loss exposure to which a business is subjected after all other risks have been eliminated or offset through the application of risk management techniques. The organization owns this residual risk, since it cannot shift it elsewhere, mitigate it through process changes, or offload it with insurance purchases. Some residual risk only arises through unforeseen circumstances, and so a firm's managers do not know that it exists.

How to Manage Residual Risk

There are several ways to manage residual risk. For example, an organization might choose to remain in a certain line of business despite the presence of substantial residual risk, because the profits to be generated are so high. However, a situation in which there are low profits or none at all to offset residual risk presents an argument that the organization should exit that line of business, since it will eventually suffer losses from the residual risk, resulting in net long-term losses.

Inherent Risk vs. Residual Risk

Inherent risk is the level of risk present before any controls or mitigation measures are applied, while residual risk is the level of risk remaining after controls, mitigation, or risk management measures have been applied. This gives rise to the following differences between the two concepts:

  • Focus. Inherent risk evaluates the raw or unmitigated risk of a process, activity, or situation, while residual risk evaluates the effectiveness of controls by determining which risks still persist.

  • Control influence. Inherent risk assumes no controls or measures are in place, while residual risk accounts for existing controls or risk-reduction measures.

  • Risk level. Inherent risk represents the worst-case scenario, and so represents the highest possible risk, while residual risk is substantially lower.

  • Purpose. Inherent risk helps identify and understand the baseline level of risk to prioritize areas requiring controls, while residual risk helps to assess the effectiveness of implemented risk controls and determine if additional actions are needed.

  • Application. Inherent risk is used during an initial risk assessment, while residual risk is analyzed in ongoing risk management to monitor and adjust strategies as necessary.
