Residual risk

The residual risk is the risk or danger of an action, an event, a method or a (technical) process that, although in line with the current state of science, still carries these dangers even if all theoretically possible (scientifically conceivable) safety measures are applied; in other words, it is the amount of risk left over after natural or inherent risks have been reduced by risk controls.[1]

One approach to scoring residual risk is to apply subjective judgement without applying any mathematical relationship between the inherent risk and the level of control effectiveness. A second method is to apply a mathematical approach.[2]

The general formula to calculate residual risk is

$\text{residual risk} = (\text{inherent risk}) - (\text{impact of risk controls})$

where the general concept of risk is (threats × vulnerability) or, alternatively, (severity × probability).

An example of residual risk is given by the use of automotive seat-belts. Installation and use of seat-belts reduces the overall severity and probability of injury in an automotive accident;[3] however, some probability of injury remains even when they are in use, and this remainder is the residual risk.

In the economic context, residual means “the quantity left over at the end of a process; a remainder”.[4]

In the property rights model, the shareholder holds the residual risk and therefore the residual profit. In some cases, setting both the inherent risk and the residual risk can be relevant for an organisation. This is normally discussed during board meetings where a risk appetite session takes place.[5]