Residual Risk
Residual risk is the level of risk that remains after security controls have been applied. The difference between inherent risk and residual risk reflects the effectiveness of a vendor's security program. Risk acceptance decisions are made against residual risk, not inherent risk.