What Is Residual Risk?

April 04, 2025

To implement effective cybersecurity, your organization needs a clear picture of the risks it faces in 2025 and beyond. Some of the leading information security worries for global organizations include ransomware (70%), geopolitical dangers (60%), social engineering attacks (40%), and GenAI-related vulnerabilities (45%). A key part of any organizational risk assessment is understanding what residual risk is and how to minimize it.

What Is the Definition of Residual Risk?


Residual risk is the level of risk that is left over after you account for all mitigating activities, security controls, and other risk-reducing actions. It is a remaining amount of risk (usually expressed as a score or rating, not a percentage): the risk your business still carries after it has taken steps to safeguard operations, processes, products, and policies.

What Is Residual Risk in Cybersecurity?

It’s impossible to talk about cybersecurity without involving residual risk — especially as infosec threats become more complex. To protect organizational data and prevent cyberattacks, you need to take defensive measures: risk awareness, antivirus tools, access monitoring, etc. Even after taking these vital steps, some risks usually remain. These potential threats are known as residual risks.

Whether your company processes payment card data or customizes cloud storage solutions, you must have a plan for managing residual risk. The growth of e-commerce in B2B and B2C industries means that virtually all small, medium, and large enterprises must make important decisions around residual cybersecurity risks.  

What Is An Example of a Residual Risk?

It’s easier to understand the definition of residual risk if you think of the effect of seatbelts. There were over 12 million crashes and 5 million car accident injuries in the United States in 2022, leading to losses of nearly $500 billion. When drivers and passengers use seatbelts, the risks of severe or fatal injuries drop drastically — by 60% in the case of trucks and SUVs.

In this example, seatbelts and airbags are excellent tools for risk mitigation. They save lives and prevent devastating outcomes in many crashes.

Unfortunately, seatbelts don’t offer 100% protection against car accident injuries. Some drivers who are buckled up still end up in the hospital or worse as a result of unexpected crashes. Driving an automobile always has residual risks, even with protective systems like seatbelts in place.

An Example of Residual Risk in Cybersecurity


To deal with social engineering threats (e.g., phishing and vishing), many organizations implement employee training policies, email filtering, redirect-prevention security tools, and Single Sign-On for logins. These measures can be very effective at protecting your company from cyberattacks, but they’re not foolproof. SSO on its own mainly reduces the number of passwords a user can be tricked into typing; what actually stops a stolen password from being replayed is multi-factor authentication on the SSO login, ideally a phishing-resistant form such as FIDO2 security keys or passkeys.

Even when your organization follows a risk-oriented compliance framework, bad actors may still find ways to obtain login credentials: old-school pretexting attacks, monetary incentives, third-party vulnerabilities, and compromised websites. How you deal with these residual risks in cybersecurity often depends on the size of your workforce and the compliance requirements you have to meet.

What Is the Difference Between Inherent Risk Vs. Residual Risk?

Whereas residual risk is your level of risk after controls and mitigations have been established, inherent risk is the total risk with no controls in place. Inherent risk comes into play in several situations:

  • Evaluating performance: Comparing inherent risk with residual risk shows how much your controls actually reduce risk, rather than how much they were expected to.
  • Comparing costs and benefits: The gap between inherent and residual risk is what your security spending buys. Putting a figure on the exposure you would face without controls (including non-compliance penalties) helps you make smart investments in cybersecurity.
  • Preparing for worst-case scenarios: Inherent risk is also the exposure you face when a control fails or employees bypass it, not only when no security policy exists at all.

An in-depth risk assessment should analyze both inherent and residual risks.

How Does Residual Risk Affect Your Organization?

Don’t make the mistake of thinking that residual risk is harmless. Phishing was the most-reported type of cybercrime in 2023, with nearly 300,000 complaints in the United States alone.

1. Vulnerabilities

Some of the affected companies may have been lax in their cybersecurity practices, but even high-profile brands have faced embarrassing data breaches and damaging ransomware attacks. Seemingly “acceptable” residual risk can hide critical vulnerabilities that your company isn’t aware of — exactly what cybercriminals are looking for to launch their next attack.

2. Cybersecurity Costs

Another reason it’s important to know what residual risk is in your business revolves around the cost of mitigation efforts. In a perfect world, your business would have endless resources to build impenetrable cybersecurity defenses, but that’s not realistic for many small and mid-sized organizations these days.

Even worldwide brands have limits to how much they can feasibly spend on physical security, cybersecurity professionals (e.g., hiring a CISO), and real-time monitoring. Being realistic, your company must decide what amount of residual risk is acceptable for your circumstances, resources, and goals.

3. ISO Compliance

Calculating and addressing residual risk is part of the risk assessment and risk treatment process that any company must follow for ISO/IEC 27001 certification: the standard requires a documented risk assessment, a risk treatment plan, and formal acceptance of the remaining residual risks by the risk owners (clause 6.1.3). ISO/IEC 27001 is an international information security standard widely adopted by U.S. and EU businesses, especially in the finance, software development, and data processing industries.

4. Organizational Priorities

Having a clear picture of your residual risk is helpful when it’s time to make budget decisions for cybersecurity, regulatory compliance, and business operations. Depending on the nature and impact of residual risks, you can quickly identify the most important areas for improvement and the cybersecurity measures that offer the greatest potential return on investment for your company.

How Do You Calculate Residual Risk?


There is a simple residual risk formula, but you need good organizational data (likelihood and impact estimates for each risk, and honest figures for how well each control performs) to reach an accurate result. The formula for residual risk is:

Inherent risk – effect of controls = Residual risk

In practice, inherent risk is usually scored as likelihood × impact, and the effect of controls is the share of that score the controls remove. The figure is only as good as the assumption that the controls actually operate as designed, so verify them (test the backup restore, check that MFA is enforced for every account) before you rely on the number.

After pinpointing your company’s residual risk, you’re in a position to decide how to respond. There are several options, and the standard risk treatment choices are:

  • Mitigate: create additional controls to bring the risk down further
  • Accept: formally accept the current level of risk, with sign-off from the risk owner
  • Avoid: change or stop the activity that creates the risk
  • Transfer: pass part of the risk to a third party, such as an insurer or a cloud hosting provider (note that transferring risk does not transfer accountability; under a cloud shared-responsibility model you still own the data, the identities, and the configuration)

The one thing you can never afford to do is completely ignore risks — even residual ones.
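The worksheet below, added here as a worked example and not part of the original article or any vendor's product, applies the formula above to a small risk register: it scores inherent risk as likelihood × impact, reduces it by the assumed effectiveness of each operating control, compares the residual score with an agreed risk appetite, and returns an accept/treat decision. It also shows the caveat from the previous section: marking one control as not operating pushes the same risk back over the appetite. All register entries, scores, control names and effectiveness figures are constructed assumptions, not data from the page.

```python
"""Worked residual-risk calculation for a small risk register.

Added example; the register entries, scores and control-effectiveness
figures below are constructed for illustration, not data from the article.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Control:
    name: str
    effectiveness: float      # assumed fraction of the risk this control removes (0.0 to 1.0)
    operating: bool = True    # False if the control is planned, not yet deployed, or failed its last test


@dataclass
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), with no controls in place
    impact: int               # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Inherent risk: likelihood x impact before any controls, on a 1..25 scale."""
    return risk.likelihood * risk.impact


def remaining_fraction(controls) -> float:
    """Fraction of the inherent risk that survives the operating controls.

    Controls are modelled as independent layers: each removes its share of
    whatever the earlier layers let through. A control that is not operating
    contributes nothing, which is the point of tracking that flag.
    """
    remaining = 1.0
    for control in controls:
        if control.operating:
            remaining *= 1.0 - control.effectiveness
    return remaining


def residual_score(risk: Risk) -> float:
    """Residual risk = inherent risk - effect of controls, as a score."""
    return inherent_score(risk) * remaining_fraction(risk.controls)


def treatment(risk: Risk, appetite: float) -> str:
    """'accept' if the residual score is within appetite, otherwise 'treat'
    (add controls, transfer, or avoid the activity)."""
    return "accept" if residual_score(risk) <= appetite else "treat"


def with_control_down(risk: Risk, control_name: str) -> Risk:
    """Copy of the risk with one named control marked as not operating."""
    controls = [replace(c, operating=False) if c.name == control_name else c
                for c in risk.controls]
    return replace(risk, controls=controls)


def assess(register, appetite: float):
    """Risk-register view: inherent score, residual score and decision per risk."""
    return [
        {
            "risk": r.name,
            "inherent": inherent_score(r),
            "residual": round(residual_score(r), 2),
            "decision": treatment(r, appetite),
        }
        for r in register
    ]


# Constructed register. Effectiveness values are assumptions for the example.
PHISHING = Risk(
    "Credential phishing against staff", likelihood=5, impact=4,
    controls=[
        Control("Security awareness training", 0.3),
        Control("Inbound mail filtering", 0.6),
        Control("Phishing-resistant MFA on SSO", 0.8),
    ],
)
RANSOMWARE = Risk(
    "Ransomware via unpatched edge device", likelihood=4, impact=5,
    controls=[
        Control("Patch SLA for internet-facing systems", 0.5),
        Control("Offline, tested backups", 0.6),
    ],
)
REGISTER = [PHISHING, RANSOMWARE]
APPETITE = 4.0   # highest residual score the business has agreed to accept


if __name__ == "__main__":
    for row in assess(REGISTER, APPETITE):
        print(row)
    # The residual figure assumes the controls operate. Take MFA out of the
    # picture and the same phishing risk is no longer within appetite.
    degraded = with_control_down(PHISHING, "Phishing-resistant MFA on SSO")
    print(residual_score(degraded), treatment(degraded, APPETITE))
```

The layered model (each control removes its share of what the previous ones let through) is a common simplification; if two controls protect against the same step of an attack, treat them as one layer rather than multiplying their benefits. The useful output is not the decimal score but the decision and the sensitivity: a risk that flips from "accept" to "treat" when a single control is marked down is one whose control you should be testing regularly.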

Identify Residual Risk in Your Organization

It’s not enough to know what residual risk is. To truly safeguard sensitive information, you must know where your most serious vulnerabilities are. Cybersecurity compliance platforms such as Compyl make it easier to identify, evaluate, track, and minimize residual risk. Learn how to create data-driven policies for your risk framework. Contact us for more information today.
