Residual Risk

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
Jump to navigation Jump to search
1. Residual Risk is the remaining risk which cannot be defined in more detail after elimination or inclusion of all conceivable quantified risks in a risk consideration.
BL-B-5 Click to know more

Notes: Residual risk is the level of uncontrolled risk remaining after the risk treatment.

Related Terms: Risk Acceptance, Risk Treatment, Risk Tolerance

BCM Institute's Professional Training and Certification
BCMBoK Competency Level
BCMBoK 2: Risk Analysis & Review CL 2B: Intermediate (BC)


BCMBoK Competency Level
BCMBoK 2: Risk Analysis & Review CL 2C: Intermediate (CM)


BCMBoK Competency Level
BCMBoK 2: Risk Analysis & Review CL 2D: Intermediate (DR)
Click to know more about expert level training

(Source: Business Continuity Management Institute - BCM Institute)

A Manager’s Guide to ISO 22301 Standard for Business Continuity Management System

2. Risk remaining after risk treatment.

(Source: ISO 22399:2007 – Societal Security - Guideline for Incident Preparedness and Operational Continuity Management) - clause 3.30


3. Risk (2.1) remaining after risk treatment (2.25)

Notes (1) : Residual risk can contain unidentified risk.

Notes (2) : Residual risk can also be known as “retained risk”.

[ISO Guide 73:2009, definition 3.8.1.6]

(Source: ISO 31000:2009 – Risk Management — Principles and Guidelines) - clause 2.27


4. The level of uncontrolled risk remaining after all cost-effective actions have been taken to lessen the impact and probability of a specific risk or group of risks, subject to the organizations risk appetite.

(Source: Business Continuity Institute - BCI)