Residual Risk

Residual risk is the risk or vulnerability that remains after all remediation and risk treatment efforts have been completed.

Even with a well-planned vulnerability remediation program, there will always be residual risk.

Because residual risks never disappear entirely, managing them means setting a threshold and then implementing programs that reduce all risks below it.

Continue reading to learn how you can identify and manage residual risks on your digital surfaces.

Why is residual risk so important in 2021?

Reducing residual risk is crucial because ISO 27001 makes it a mandatory requirement. This information security standard is part of the ISO/IEC 27000 family and helps organizations quantify the safety and security of assets before and while sharing them with vendors.

Before sharing any data with vendors, organizations must pass a residual security screening in order to be compliant with ISO 27001.

Since President Biden signed the Cybersecurity Executive Order in 2021, residual risk has taken on increased importance. Organizations are now expected to reduce residual risk throughout their supply chains to limit the impact of third-party breaches by nation-state threat actors.

Organizations must use both attack surface monitoring solutions and residual risk assessments to meet the strict compliance requirements of ISO/IEC 27001 and of Biden’s Executive Order.

What is the difference between inherent risk and residual risk?

Inherent risk is the risk present in an IT ecosystem when no controls are in place. Residual risk is the risk that remains after cybersecurity controls have been put in place.

Information security teams and CISOs can use inherent risk assessments to establish a framework for designing security controls. Beyond this high-level evaluation, inherent risk assessments are of little use. Residual risk assessments are the most valuable, as they help identify and remedy exposures before cybercriminals can exploit them.

Inherent vs. Residual Risk Assessments

The main difference between residual and inherent risk assessments is that the former takes into account the impact of controls and other mitigation options. The likelihood of an incident happening in a

is as expected. The following definitions are essential for every assessment program:

Inherent likelihood – The probability that an incident will occur in an environment without security controls.

Inherent impact – The impact of an incident in an environment with no security controls.

Residual likelihood – The probability that an incident will occur in an environment with security controls in place.

Residual impact – The impact of an incident in an environment with security controls in place.

With highly effective security controls in place, it can be difficult to distinguish between residual and inherent risk assessments. These results alone do not prove compliance; they should be verified by an independent audit.

The greater the reliance on, and the effectiveness of, existing internal controls, the wider the gap between inherent and residual risk.


How to Calculate Residual Risk

Before you can create a risk management strategy, you need to determine all residual risks that are unique to your digital environment. This allows you to define your specific requirements and measure the effectiveness of your mitigation efforts.

Calculating the residual risk within an ecosystem is difficult. At a high level, the formula is:

Residual risk = Inherent risk – Impact of risk controls.

To evaluate the effectiveness and efficiency of recovery plans, residual risk can be compared to risk tolerance or risk appetite. This forces an audit of all security controls in place and reveals any deficiencies that could lead to excessive risk. This analysis allows security teams to run targeted remediation campaigns and allocate internal resources efficiently.

Because the modern attack surface is constantly expanding, this calculation is best left to automated solutions to guarantee accuracy. The following process is used to calculate your residual risk profile.

Step 1: Calculate your inherent risk factor.

Calculate RTOs of critical business units

The inherent risk factor is determined by the Recovery Time Objectives (RTOs) of critical processes, that is, the processes with the lowest RTOs. Each business unit’s RTO must therefore be calculated first.

Calculate the Potential Impact for Each RTO Category

Once the RTO for each business unit has been calculated, this list should be sorted by potential business impact. Processes with lower RTOs have a greater impact on the organization and are therefore more critical.

The following business impact score should be assigned to each RTO:

1 = Insignificant impact

2 = Very little impact

3 = Moderate impact

4 = Critical impact

5 = Catastrophic impact

If business unit A is composed of processes 1, 2, 3 and 4 with RTOs of 12, 24 and 36 hours, respectively, a business recovery plan should only be evaluated for process 1. Process 1 has the lowest RTO and is therefore the most important business process within its business unit category.

Business unit A’s RTO is less than 12 hours. This makes it a highly critical process that should receive an impact score of 4 to 5.

Assign a Threat Score to the Business Unit

Next, the threat landscape for each business unit must be mapped. An attack surface monitoring solution is required to ensure that vulnerabilities are detected accurately.

Each unit should be given a threat score based on its vulnerability and potential for exploitation.

The threat level scoring system works as follows:

1 = Low

2 = Minimum

3 = Moderate

4 = Very high

5 = Critical

Calculate the Inherent Risk Factor of the Business Unit

The following formula can be used to calculate the inherent risk:

Inherent risk = [(Business impact score) + (Threat landscape score)] / 5

The resulting inherent risk score will range from 2.0 to 5.0 and can be classified as:

Between 2 and 3 – Low inherent risk

Between 3 and 3.9 – Moderate inherent risk

Between 4 and 5 – High inherent risk

Step 2: Identify acceptable levels of risk

Each organization’s regulatory compliance requirements determine its acceptable risk levels. All acceptable risks must have minimal impact on revenue, business objectives and service delivery.

How to define acceptable levels of risk

An acceptable level of risk must be identified for each asset. With a comprehensive asset inventory this can be a daunting task, so the following acceptable risk analysis framework helps distribute the effort and speed up the process:

1. Identify all assets using digital footprint mapping.

2. Assign each asset or group of assets to an owner.

3. Identify the assets’ current and potential vulnerabilities.

4. Quantify the probability of these vulnerabilities being exploited.

5. Calculate the risk of each asset with the following formula:

Risk = Likelihood x Impact

Where:

– Likelihood is the probability of a vulnerability, exposure or threat being realized.

– Impact is driven by business criticality.

The acceptable level of risk should be expressed as a percentage:

Inherent risk factor lower than 3 = 20% acceptable risk

Inherent risk factor between 3 and 3.9 = 15% acceptable risk (moderate risk tolerance)

Inherent risk factor between 4 and 5 = 10% acceptable risk (low risk tolerance)

The higher the percentage, the more stringent the cybersecurity risk management requirements. The higher the level of cybersecurity risk control, the greater the chance of recovering from a cyberattack.

This formula calculates the maximum risk tolerance:

Maximum risk tolerance = Acceptable risk percentage x Inherent risk factor

The final risk tolerance threshold is then calculated as follows:

Risk tolerance threshold = Inherent risk factor – Maximum risk tolerance

For example, with an inherent risk factor of 3, the corresponding acceptable risk percentage is 15%. The maximum risk tolerance is therefore:

3 x 15% = 0.45

The risk tolerance threshold is then:

3 – 0.45 = 2.55

The mitigating controls must therefore have a combined weighted score of 2.55 or more.

Risks that remain above this threshold are more costly than their business-related consequences.

Even with the best solutions, new risks will keep appearing above the threshold; the risk of data leakage is one example.

These risks can be mitigated with a dynamic, whack-a-mole management style: quickly identifying new risks that exceed the threshold and pushing them back down with appropriate remediation actions. The aim is to keep residual risk below the acceptable risk threshold for as long as possible.

Step 3: Assign Weights to All Mitigating Controls.

All controls that help protect a recovery plan need to be given a weight according to their importance. The most important controls are:

Recovery strategy – Also called the Incident Response Plan.

Recovery exercises – The amount of practice gained by testing the recovery strategy.

Other common controls include:

Training and awareness for cyber incidents

Third-party risk analysis

Data leak detection and remediation

Based on your Business Impact Analysis (BIA), assign a weighted score to each mitigating control.

To determine your overall mitigating state, add the weighted scores of each control.

Step 4: Calculate your residual risk.

Completing the residual risk formula requires you to compare your overall mitigating state number with your risk tolerance threshold.

If your mitigating state number is equal to or greater than the risk tolerance threshold, you are considered to be within the tolerance range.

If your mitigating state number is less than your risk tolerance threshold, you are considered to be outside the tolerance range.

A lower result means more work is needed to improve your business’s recovery plan. The reverse is also true: the better your recovery plan, the higher the result.
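The four steps above, worked through as an added example that is not part of the original article: a small Python module that classifies an inherent risk factor into the bands given above, derives the risk tolerance threshold (a factor of 3 gives 2.55, as in the worked example), sums the weighted control scores into the mitigating state and compares the two. The control weights and the 0-to-1 effectiveness scale are assumptions, since the article only says each control receives a weighted score from the BIA.

```python
from dataclasses import dataclass

# Acceptable-risk percentage for each inherent risk band, as given in the article.
ACCEPTABLE_RISK_PERCENT = {"low": 20, "moderate": 15, "high": 10}

def classify_inherent_risk(factor):
    """Map an inherent risk factor (2.0 to 5.0) to the article's three bands."""
    if not 2.0 <= factor <= 5.0:
        raise ValueError("inherent risk factor must lie between 2.0 and 5.0")
    if factor < 3.0:
        return "low"
    if factor < 4.0:
        return "moderate"
    return "high"

def risk_tolerance_threshold(factor):
    """Threshold = inherent risk factor - (acceptable percentage x factor)."""
    percent = ACCEPTABLE_RISK_PERCENT[classify_inherent_risk(factor)]
    max_risk_tolerance = factor * percent / 100
    return round(factor - max_risk_tolerance, 2)

@dataclass
class Control:
    name: str
    weight: float         # importance taken from the BIA (constructed values below)
    effectiveness: float  # assumed scale: 0.0 = control absent, 1.0 = fully effective

    def weighted_score(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")
        return self.weight * self.effectiveness

def mitigating_state(controls):
    """Overall mitigating state: the sum of all weighted control scores."""
    return round(sum(c.weighted_score() for c in controls), 2)

def within_risk_tolerance(factor, controls):
    """Step 4: within tolerance when the mitigating state reaches the threshold."""
    return mitigating_state(controls) >= risk_tolerance_threshold(factor)

# Constructed control set for a unit with inherent risk factor 3 (threshold 2.55).
UNIT_A_CONTROLS = [
    Control("recovery strategy (incident response plan)", 1.5, 0.9),
    Control("recovery exercises", 1.0, 0.8),
    Control("cyber incident training and awareness", 0.5, 0.7),
    Control("third-party risk analysis", 0.5, 0.6),
    Control("data leak detection and remediation", 0.5, 0.5),
]
```

Dropping the recovery exercises control (effectiveness 0.0) lowers the mitigating state of this constructed unit from 3.05 to 2.25, which falls below the 2.55 threshold and so takes the unit outside its tolerance range.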

Call SpartanTec, Inc. now if you need more information about residual risk and managed IT services.
