When a senior manager accepts a level of residual risk that the CAE believes is unacceptable to the organization the CAE should?

What is residual risk and why is it important?

Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.

Residual risk matters for several reasons. First, it is the risk "left over" after security controls and process improvements have been applied, which means it is the risk the organization actually lives with as a consequence of the mitigation choices it has made. Alternatively, the organization can transfer the residual risk, for example by purchasing cyber insurance that offloads part of the financial exposure to an insurer; the operational and reputational consequences of an incident still stay with the organization.

Second, residual risk figures are required by compliance and regulatory regimes. ISO/IEC 27001, for example, requires that risk owners approve the risk treatment plan and formally accept the residual information security risks. Finally, calculating residual risk shows which security controls and processes should get priority over time.

Residual risk vs. inherent risk

To calculate residual risk, organizations must understand the difference between inherent risk and residual risk.

Inherent risk is the risk present in any scenario where no attempts at mitigation have been made and no controls or other measures have been applied to reduce the risk from initial levels to levels more acceptable to the organization.

Residual risk, as stated, is the risk remaining after efforts have been made to reduce the inherent risk.

How is residual risk calculated?

The classic residual risk formula is:

Residual risk = inherent risk - risk reduction achieved by controls

As an example, consider a risk analysis of a ransomware outbreak in a specific business unit. The organization concludes that, in a perfect-storm scenario, the inherent risk associated with the outbreak -- i.e., the expected loss with no controls or other countermeasures in place -- could be $5 million.

With new malware detection and prevention controls, as well as an additional emphasis on backups and redundancy, the organization estimates that recovery from ransomware is possible in almost all cases without paying a ransom and waiting for decryption, and that these controls cut the expected loss by $3 million. Note that this figure is the reduction in loss the controls deliver, not the price of buying and running them; the cost of the controls is a separate number that belongs in the cost-benefit decision and is never subtracted from the inherent risk.

The residual risk formula would then look like this:

Residual risk = $5 million (inherent risk) - $3 million (risk reduction from controls)

In this case, the residual, or leftover, risk is $2 million.

In a more qualitative risk assessment, imagine that the inherent risk score calculated for a new software implementation is 8 out of 10. By putting firewalls and host-based controls in place, among others, the score is reduced to a 3 out of 10. In this scenario, the reduced risk score of 3 represents the residual risk.

How is residual risk managed?

Managing residual risk comes down to comparing it with the level of risk the organization is willing to accept in a given scenario, i.e., its risk appetite. For any residual risk present, organizations can do the following:

  • Nothing. If the residual risk is below the acceptable level, the organization can simply accept it, recording that the implemented controls have reduced the risk to an acceptable level.
  • Update or increase the controls implemented. If the residual risk is still above the acceptable level, new or modified controls and processes may be needed to bring the residual risk down to a level that is deemed acceptable.
  • Weigh the cost of further mitigation against its benefit. If the residual risk is still above the acceptable level but the additional controls and countermeasures would cost more than the loss they prevent, the organization may have to accept the remaining risk, or transfer it, through a documented decision by the risk owner rather than by default.
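A small worked calculation tying the formula in the previous section to the three options above, as an added example that is not from the original page. It expresses inherent risk as annualised loss expectancy (SLE x ARO), lets each control remove a fraction of the likelihood or of the impact, keeps the cost of the controls separate from the risk reduction they buy so the cost-benefit branch can be shown, and compares the result with a risk appetite. The scenario, control names, reduction fractions, costs and appetite are constructed figures for illustration, not data from the page.

```python
"""Inherent vs. residual risk with a treatment decision (added example; constructed figures).

Inherent risk is expressed as annualised loss expectancy, ALE = SLE x ARO (single loss
expectancy per event times annual rate of occurrence). Each control removes a fraction of
the likelihood (ARO) or of the impact (SLE); residual risk is the ALE left after all
controls are applied. The cost of a control is kept separate from the risk reduction it
buys: cost feeds the cost-benefit decision and is never subtracted from the risk itself.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy, currency units per event
    aro: float  # annual rate of occurrence, events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                  # cost to buy and run the control, per year
    likelihood_reduction: float = 0.0   # fraction of ARO removed, in [0, 1]
    impact_reduction: float = 0.0       # fraction of SLE removed, in [0, 1]


def inherent_risk(s: Scenario) -> float:
    """ALE with no controls applied."""
    return s.sle * s.aro


def residual_risk(s: Scenario, controls: Sequence[Control]) -> float:
    """ALE after controls. Reductions compound multiplicatively, so two
    controls that each halve the likelihood leave 25% of the ARO, not 0%."""
    aro, sle = s.aro, s.sle
    for c in controls:
        if not (0.0 <= c.likelihood_reduction <= 1.0 and 0.0 <= c.impact_reduction <= 1.0):
            raise ValueError(f"{c.name}: reductions must be fractions in [0, 1]")
        aro *= 1.0 - c.likelihood_reduction
        sle *= 1.0 - c.impact_reduction
    return sle * aro


def control_cost(controls: Sequence[Control]) -> float:
    return sum(c.annual_cost for c in controls)


def recommend(s: Scenario, in_place: Sequence[Control], candidates: Sequence[Control],
              risk_appetite: float) -> dict:
    """Map the residual risk onto the options from the text: do nothing, add controls,
    or accept under a documented exception when more controls cost more than they save."""
    current = residual_risk(s, in_place)
    if current <= risk_appetite:
        return {"action": "accept", "residual": current, "benefit": 0.0, "cost": 0.0}
    proposed = residual_risk(s, list(in_place) + list(candidates))
    benefit = current - proposed   # expected loss avoided per year by the candidates
    cost = control_cost(candidates)
    result = {"residual": proposed, "benefit": benefit, "cost": cost}
    if benefit < cost:
        # Further mitigation costs more than the loss it prevents: the residual stays
        # at the current level and must be accepted explicitly by the risk owner.
        result.update(action="accept_with_exception", residual=current)
    elif proposed <= risk_appetite:
        result["action"] = "mitigate"
    else:
        # Worth doing, but still above appetite: mitigate and transfer or escalate the rest.
        result["action"] = "mitigate_and_escalate"
    return result


# Constructed sample figures (not data from the page). Inherent risk is $5M, matching the
# ransomware illustration in the text: two expected outbreaks a year at $2.5M each.
RANSOMWARE = Scenario("ransomware outbreak, one business unit", sle=2_500_000, aro=2.0)
EDR = Control("malware detection and prevention", annual_cost=400_000, likelihood_reduction=0.5)
BACKUPS = Control("immutable backups and redundancy", annual_cost=300_000, impact_reduction=0.7)
REBUILD = Control("full estate rebuild", annual_cost=3_000_000, impact_reduction=0.7)

if __name__ == "__main__":
    print("inherent:", inherent_risk(RANSOMWARE))                              # 5,000,000
    print("with EDR:", residual_risk(RANSOMWARE, [EDR]))                       # 2,500,000
    print(recommend(RANSOMWARE, [EDR], [BACKUPS], risk_appetite=1_000_000))    # mitigate
    print(recommend(RANSOMWARE, [EDR], [REBUILD], risk_appetite=1_000_000))    # accept_with_exception
```

Run it as a script to print the two decisions. The multiplicative compounding in residual_risk is deliberate: adding reductions together would let two 60% controls claim more than 100% of the risk. The `benefit < cost` branch is the cost-benefit test from the third option above; a real programme would apply it per candidate control rather than to the bundle, and would record who accepted the exception and when it expires.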

In general, when addressing residual risk, organizations should take the following steps:

  1. Identify relevant governance, risk and compliance requirements.
  2. Determine the strengths and weaknesses of the organization's control framework.
  3. Acknowledge existing risks.
  4. Define the organization's risk appetite.
  5. Identify available options for offsetting unacceptable residual risks.

This was last updated in October 2021

When the organization accepts a level of residual risk that the CAE believes to be unacceptable to the organization, what should the CAE do?

Under IIA Standard 2600 (Communicating the Acceptance of Risks), when the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management; if the matter is not resolved, the CAE must communicate it to the board. A common exam item on this point reads:

9. When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner.

Only option (a) of that item survives here, and it is a distractor: the standard does not call for immediate reporting to the external audit firm.

What is residual risk quizlet?

Residual risk is that risk left over after all controls and risk management techniques have been applied.

Which of the following are strategies that an organization can use to respond to risk?

There are four possible risk response strategies for handling strategic, operational, legal or any other risks identified in the organization:

  1. Avoid: stop or redesign the activity so the risk no longer arises.
  2. Reduce: apply controls that lower the likelihood or the impact.
  3. Transfer: shift the financial consequences to another party, for example through insurance or contract terms.
  4. Accept: acknowledge the risk and live with it, through a documented decision by the risk owner.