Residual Risk: What Constitutes an Acceptable Level of Risk?

January 11, 2019

When it comes to vendor security risk assessments, it can be tempting to focus only on the upfront risks, the inherent risk factors. While those factors are extremely important, ignoring or skipping over residual risk leaves gaps in your company’s risk management strategy.

What is Residual Risk and Why is it Important?

At the most basic level, residual risk is the risk that remains after security measures and controls have been put in place. You can also think of residual risk as inherent risk that has been covered with a net: although it is covered, there are still places where risk can leak through.

For CISOs and those responsible for information security, monitoring and understanding residual risk alongside inherent risk ensures you can confidently and correctly identify how potential security threats could negatively impact your business. Without the full picture of how your organization is protected (and how your vendors are protected), InfoSec teams can’t make truly informed security decisions.

Additionally, residual risk is part of the ISO 27001 standard: its risk treatment process requires that risk owners approve the treatment plan and formally accept the residual information security risks that remain after treatment. ISO 27001 helps organizations measure how safe and secure information assets are before, during, and after sharing them with third parties and vendors. To fully adhere to the standard (and to give vendors and third parties a defensible basis for sharing data with your company), organizations must have some sort of residual risk check alongside their inherent risk processes.

Evolving your Company’s Risk Standards

Talking about residual vs. inherent risk raises another topic that is constantly debated among security teams: whether there is an ‘acceptable’ level of risk. Some argue that strong companies can weather a certain amount of risk and can therefore be somewhat more lax with residual risk standards; others hold that the only appropriate level of risk is as little risk as possible (a level of zero risk is simply not achievable). Finding the ‘sweet spot’ in this conversation for your individual company takes time and understanding.

For most companies, this means a constantly evolving and growing outlook on risk standards. This is what many InfoSec and executive teams tend to forget in the ‘always on’ world of vendor risk security: it’s okay to continually recalculate risk levels and monitor potential gaps. Settling on risk tolerances doesn’t happen overnight, especially given an increasingly sophisticated web of security threats. Understanding and monitoring residual risk on some level, however, is necessary for companies of all sizes.

Best Practices for Considering Residual Risk

When it comes to scoring and measuring residual risk in relation to inherent risk, there are two main paths to choose from. On one hand, your team can take a more qualitative approach and document the justification for the leftover residual risk once you have taken the necessary steps toward security and compliance. On the other hand, you can take a methodical, quantitative approach: score the inherent risk, estimate how much each control reduces it, and compare the computed residual risk against the level your organization has agreed to accept.
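The quantitative path, as an added illustration that is not code from the article or from Whistic. The scoring model is an assumption, not something the article defines: inherent risk is likelihood × impact on 1..5 scales, each control removes a fraction of the risk that reaches it, and effectiveness is capped below 100% so the residual never reaches zero, matching the point above that zero risk is not achievable. The vendor names, control list and effectiveness values are constructed sample data.

```python
"""Residual-risk scoring for vendors: an added illustration, not Whistic code.

Assumed model (common in GRC tooling, not defined by the article):
  inherent = likelihood x impact, each on a 1..5 scale (range 1..25)
  residual = inherent x prod(1 - effectiveness_i) over the applied controls
Effectiveness is capped below 1.0 so residual risk never reaches zero.
"""
from dataclasses import dataclass, field

MAX_EFFECTIVENESS = 0.95   # assumed cap: no single control eliminates a risk


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float   # fraction of the risk reaching this control that it removes


@dataclass
class VendorRisk:
    vendor: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def inherent_score(v: VendorRisk) -> int:
    """Upfront risk before any controls: likelihood x impact (1..25)."""
    for name, val in (("likelihood", v.likelihood), ("impact", v.impact)):
        if not 1 <= val <= 5:
            raise ValueError(f"{name} must be 1..5, got {val}")
    return v.likelihood * v.impact


def control_factor(controls) -> float:
    """Fraction of the inherent risk that leaks through the controls.

    Controls are treated as independent: each lets (1 - e) of what reached
    it pass. Effectiveness is clamped to [0, MAX_EFFECTIVENESS] so that
    an over-optimistic assessment cannot drive the residual to zero.
    """
    factor = 1.0
    for c in controls:
        e = min(max(c.effectiveness, 0.0), MAX_EFFECTIVENESS)
        factor *= 1.0 - e
    return factor


def residual_score(v: VendorRisk) -> float:
    """Risk remaining after the vendor's controls are applied."""
    return inherent_score(v) * control_factor(v.controls)


def risk_band(score: float) -> str:
    """Qualitative band for reporting (assumed thresholds on the 1..25 scale)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def treatment_decision(v: VendorRisk, risk_appetite: float) -> str:
    """'accept' if the residual is within the agreed appetite, else 'treat'
    (add controls, transfer the risk, or avoid the vendor)."""
    return "accept" if residual_score(v) <= risk_appetite else "treat"


# Constructed sample vendors; not real assessments.
PAYROLL_SAAS = VendorRisk(
    "payroll-saas", likelihood=4, impact=5,
    controls=[
        Control("SOC 2 Type II report reviewed", 0.5),
        Control("SSO with MFA enforced", 0.4),
        Control("Customer data encrypted at rest", 0.3),
    ],
)
MARKETING_TOOL = VendorRisk("marketing-tool", likelihood=3, impact=2)

if __name__ == "__main__":
    for v in (PAYROLL_SAAS, MARKETING_TOOL):
        r = residual_score(v)
        print(v.vendor, inherent_score(v), round(r, 2), risk_band(r),
              treatment_decision(v, risk_appetite=5.0))
```

With an assumed risk appetite of 5.0, the payroll vendor starts at an inherent score of 20 but its three controls leave 0.5 × 0.6 × 0.7 = 21% of that, a residual of 4.2, which is accepted; the marketing tool has a much lower inherent score of 6 but no controls, so its residual of 6 exceeds appetite and must be treated. That inversion is exactly why looking only at inherent risk leaves gaps.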

To ensure you’re taking the best path for your organization and your third-party partners alike, working with a vendor security response management platform can be a vital arrow in your quiver of tools. Not only will you be able to automate vendor security assessments and easily update and evolve your security over time, but you will also be able to dig in deep on both inherent and residual risk factors to determine compliance standards and next steps. A best-in-class VRM solution like Whistic allows InfoSec teams to stay on top of risk management and ensure 100% compliance for both inherent and residual risk factors.

Want to learn more? Request a Live Demo with a Whistic Product Specialist or check out the resources below for more best practices on the Third Party Risk Management (TPRM) front.
