Residual risk refers to the risk that remains after implementing controls.

Study for Combat Organizations and Capabilities Test with flashcards and multiple-choice questions, each featuring hints and explanations. Equip yourself for success!

Multiple Choice

Residual risk refers to the risk that remains after implementing controls.

Explanation:
Residual risk is the risk that remains after controls are applied. In risk management you start from the inherent risk, the exposure present before any safeguards, then implement controls to reduce it. Because controls are never perfect and new threats keep emerging, some risk always persists; that remainder is the residual risk. It can be reduced further with additional controls, transferred or avoided by changing the scope of the activity, or formally accepted when it falls within the organization's risk tolerance. For example, after deploying firewalls and security awareness training, some phishing risk and exposure to zero-day vulnerabilities will still exist; that remaining exposure is the residual risk. The other options describe the risk before controls (inherent risk), the aggregate risk across all operations, or risk judged to be unmitigatable, none of which captures what is left after controls are applied.
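The inherent-to-residual calculation described above, as an added example that is not part of the original page. It assumes a simple scoring model of my own choosing (likelihood times impact, each on a 1 to 5 scale) and that each control trims likelihood or impact by an assumed effectiveness fraction; the phishing register, the control names and their effectiveness values are constructed for illustration. The model makes the two points in the explanation concrete: stacked imperfect controls never drive risk to zero, and the leftover is compared against a tolerance to decide whether to accept it or keep reducing it.

```python
"""Added example: a small residual-risk model (illustrative, not from the page).

Assumed model: risk score = likelihood x impact (each 1-5 before controls).
Each control multiplies either likelihood or impact by (1 - effectiveness).
Because effectiveness is < 1 for realistic controls, residual risk stays > 0.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces: str          # "likelihood" or "impact"
    effectiveness: float  # 0.0 = useless, 1.0 = perfect (assumed values)


@dataclass
class Risk:
    name: str
    likelihood: float            # 1-5, before any controls
    impact: float                # 1-5, before any controls
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk score before safeguards."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk score after every control in the register has been applied."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be in [0, 1]")
            if c.reduces == "likelihood":
                lik *= 1.0 - c.effectiveness
            elif c.reduces == "impact":
                imp *= 1.0 - c.effectiveness
            else:
                raise ValueError(f"{c.name}: unknown dimension {c.reduces!r}")
        return lik * imp


def treatment(risk: Risk, tolerance: float) -> str:
    """Decide what to do with the residual risk against a tolerance score.

    Within tolerance -> accept; otherwise add controls, transfer, or avoid.
    """
    return "accept" if risk.residual() <= tolerance else "reduce further or transfer"


def phishing_example() -> dict:
    """Constructed phishing scenario: firewall + training, then an extra control."""
    phishing = Risk("phishing", likelihood=5, impact=4)
    phishing.controls += [
        Control("perimeter firewall / mail filtering", "likelihood", 0.6),
        Control("security awareness training", "likelihood", 0.5),
    ]
    tolerance = 3.0
    before = {
        "inherent": phishing.inherent(),          # 20.0
        "residual": phishing.residual(),          # 5 * 0.4 * 0.5 * 4 = 4.0
        "decision": treatment(phishing, tolerance),  # above tolerance
    }
    # Residual risk still exceeds tolerance, so add a control that limits impact.
    phishing.controls.append(Control("MFA on mail and VPN", "impact", 0.5))
    after = {
        "residual": phishing.residual(),          # 1.0 * 2.0 = 2.0
        "decision": treatment(phishing, tolerance),  # now acceptable
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, values in phishing_example().items():
        print(stage, values)
```

Note that even with three controls the residual score never reaches zero; that non-zero remainder is exactly the residual risk the explanation describes, and the tolerance check is where "accepted based on risk tolerance" happens in practice.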