Residual risk, in the world of business and finance, refers to the risk of loss or harm remaining after all other known threats have been eliminated, factored in, or countered. It is the risk that is still present after all efforts have been made to eliminate or minimize risks associated with an investment or business process. After assessing the risk related to an investment or business project, we might not know about the residual risk, or we may be aware of it but know there is not much we can do about it.
Regardless of whether or not we are aware of the remaining risk after factoring out all the known ones, whoever carries out the investment or is involved in the business project assumes the residual risk.
When we purchase an asset, we are exposed to several different risks – many of which are not unique to the asset we bought. There are risks that all assets are exposed to, such as a change in interest rates, a rise or decline in the stock market average, or the overall change in the GDP (gross domestic product) growth rate.
Residual risk is what is left – ‘risk-wise’ – after all the controls – efforts to eliminate or minimize risk – have been completed.
Residual risk refers to what remains after you take out all the risks that you think the asset is exposed to.
Put simply, it is the danger that remains after you have exhausted all efforts to identify and eliminate or mitigate a risk.
The Financial Times’ (FT’s) glossary of terms, ft.com/lexicon, says that residual risk means the same as non-systematic risk. Non-systematic risk, the FT explains, is the risk that is specific to a particular stock, as opposed to market risk or systematic risk, which is common to an asset class or the overall market.
The word ‘residual’ on its own means:
– Remaining, after most of something has gone.
– An amount remaining after other things have been allowed for or subtracted.
– The word may also refer to a royalty that a performer or writer is paid for a repeat of a TV show, play, etc.
After eliminating as many potential threats that could harm the baby as possible – the hungry hyena, the baby-eating dragon, and the fierce Tyrannosaurus Rex – the meteor risk remained. The meteor threat was the residual risk.
Car seat-belts and residual risk
Before seat-belts were introduced, the risk of serious injury or death from vehicle accidents was extremely high.
After they were fitted into cars and legislation forced people to wear them while their cars were moving, the incidence of serious injury and death declined considerably.
Even though the installation and use of seat-belts reduced the overall severity of injuries and risk of death, the risk was still there – that remaining risk is the residual risk.
Dealing with residual risk
Individuals, companies, governments and other entities have four ways of dealing with risk:
– avoid it
– reduce it
– accept it
– transfer it
We can transfer the residual risk to an insurer by taking out an insurance policy.
Risky Thinking has the following definition for residual risk:
“The remaining risk associated with a possible event after all mitigation steps have been taken. This is often contrasted with the inherent risk, the risk that exists before any risk mitigation controls have been applied.”
As you can see in this image, an umbrella may reduce your likelihood of getting wet in the rain, but some risk remains. There is the ‘residual risk’ of getting wet when a passing car goes over a nearby puddle and splashes you.
Inherent vs. residual risk
– Inherent Risk: the risk that an investment, project, or any activity poses if no controls or other mitigating factors are in place.
Inherent risk is also known as the risk before controls or gross risk.
– Residual Risk: the risk that is still there after controls have been taken into account. It is what is left over after all efforts to mitigate or eliminate risk have been exhausted.
Residual risk is also called risk after controls or the net risk.
In accounting, inherent risk is the risk of a mistake (misstatement) in the financial statements appearing due to an omission or error that did not result from a failure of controls.
Inherent risks are those that are already there before you started trying to eliminate or reduce them, while residual risks are those that are still there after you have finished trying to deal with them.
According to the Information Security Handbook:
“Inherent and Residual Risk are commonly used terms within the operational risk community, especially by accountants. While Residual Risk is relatively simple to define within the Simple Risk Model (e.g. ‘Residual Risk’ is ‘Risk’ as used in the Model), the definition of Inherent Risk is more problematic.”
“For example, in the auditing community Inherent Risk is defined as the risk that a financial record is incorrect absent any internal controls. In this situation it is tempting to simply equate Inherent Risk to Cost, since both terms refer to the importance of a process or asset to a business before controls (Vulnerabilities) are taken into account. Alternatively, Inherent Risk could be equated to the Probability that the financial record is incorrect.”
Video – Residual Risk
In this video, Todd Hutchinson, nicknamed the Corporate Mechanic, explains what residual risk is. He also defines inherent risk.