Residual

The level of risk remaining after controls are applied.

Residual risk is the risk that remains once controls have been applied (inherent − controls = residual); no set of controls reduces risk to zero. This remainder is the decision point for leadership: accept it, transfer it (for example through insurance), or invest in further mitigation. Whatever the choice, accepted residual risk should be documented, time-bound, and assigned an owner who revisits it on schedule.
