Skip to content
Go to homepageDrova logo

Residual risk explained

Measure what remains after controls.

Understand residual risk, how to calculate it, and how to use it in decision-making and reporting.

Illustration of collaborative compliance planning

What this guide covers:

  1. 01
    What is residual risk?
  2. 02
    Why residual risk matters
  3. 03
    How to calculate residual risk
  4. 04
    Monitor thresholds and action
  5. 05
    Residual risk FAQs

What is residual risk?

Residual risk is the level of exposure that remains after controls and treatments have been applied to an inherent risk.

Gap

Residual = inherent risk minus control impact.

Score
Rating

Use numerical or heatmap scoring to show what remains.

Action

Residual risk informs whether more treatment is required.

WHY IT MATTERS

Why residual risk guides decisions

Shows true exposure. Boards care about what remains, not just what was planned.

Supports prioritisation. Residual risk rankings show where to invest next.

Links to appetite. Decisions hinge on whether residual risk is within tolerance.

CALCULATION

How to calculate residual risk

  1. Start with inherent Assess risk before controls using likelihood and impact scales.
  2. Apply control effectiveness Estimate how much each control reduces likelihood or impact.
  3. Record the remainder Capture the new score, commentary, and date for transparency.

CADENCE

How to monitor residual risk

  1. Set thresholds Document what “within appetite” vs “above appetite” looks like.
  2. Track deltas Compare residual scores quarter over quarter to see trends.
  3. Escalate breaches When residual risk exceeds appetite, trigger remediation and board updates.
  4. Integrate with registers Ensure every register entry stores inherent and residual values.

Residual risk quick wins

Standardise scoring

Use the same scales across teams for apples-to-apples reporting.

Visualise gaps

Show inherent vs residual bars in dashboards to highlight progress.

Tie to funding

When residual risk stays high, link additional mitigation to budget cycles.

RESIDUAL RISK GLOSSARY SNAPSHOT

Residual risk glossary snapshot

Residual risk. Exposure left after applying controls and mitigation.

Inherent risk. Exposure before any controls.

Risk reduction factor. The percentage or score by which a control lowers risk.

FAQS

Residual risk FAQs

How do we calculate residual risk accurately?

Use consistent scales, document assumptions, and involve subject-matter experts when estimating control effectiveness.

What if residual risk stays high?

Consider additional controls, transfer options (insurance), or accept with board approval.

How does residual risk relate to appetite?

Compare residual scores to appetite thresholds to decide whether more action is required.

Do we need software?

Spreadsheets work initially, but platforms like Drova RunSustainably simplify calculation and reporting.

Drova RunSafe captures inherent/residual scores, controls, and approvals automatically.

Ready to track residual risk clearly?

Learn more about Drova RunSafe

GRC 101 HUB

Explore related topics

Inherent risk explainer

Start with baseline exposure.

Risk controls toolkit

Improve control effectiveness inputs.

Risk register template

Store inherent and residual scores together.

Risk appetite overview

Define acceptable residual levels.

Risk management basics

See how residual risk fits the lifecycle.

Integrated risk guide

Share residual insights across teams.