How to Calculate Residual Risk

Blog post Team CENTRL 2022-06-03

The notion of residual risk should be used as part of your business continuity management strategy while developing business recovery strategies. In this manner, you’ll know whether or not the business recovery plans you’ve set in place are effective.

Residual risk, which is closely linked to inherent risk, can be used to justify the time and resources needed to support your recovery needs. It is, by definition, the risk that remains after all attempts to identify and eliminate risk have been made.

To put it another way, are you doing enough to help your company recover? Again, a residual risk calculation will provide you with a definitive answer.

What is Residual Risk?

Residual risk is the threat or vulnerability that persists after all risk treatment and remediation measures have been completed.

Even with a well-designed vulnerability remediation program, residual risks will always exist; they are part of the risk management process.

Because residual risks will always exist, managing them entails establishing an acceptable risk threshold and then implementing control programs and solutions that bring any new risks below that threshold.

Residual risks are typically assessed in the same way as inherent risks, using the same methodology, evaluation scales, and so on. What differs is that you must account for the effect of controls (and other mitigation strategies); the likelihood of an incident is therefore usually reduced, and sometimes the impact is reduced as well.

Why is Residual Risk Important?

Residual risk is significant because it must be mitigated to comply with ISO 27001 requirements. This widely adopted information security standard is part of the ISO/IEC 27000 family of security best practices. It helps businesses quantify the security of assets before and after they are shared with vendors.

To be compliant with ISO 27001, enterprises must carry out a residual risk assessment in addition to an inherent risk assessment before sharing data with any vendor. Hence, the impact of risk controls carries more weight.

However, since the US President signed the Cybersecurity Executive Order in 2016, residual risk has become much more critical, especially in 2021. To mitigate the effect of third-party breaches by nation-state threat actors, enterprises must now drastically decrease residual risks throughout their supply chain.

How To Calculate Residual Risk

You shouldn’t ignore residual risks. In practice, residual risk is the risk that remains after all other risks have been addressed, and it should be only a small percentage of the risk the activity would carry if no controls were in place.

To keep residual risk to a minimum, you must choose the optimum control measure, or measures, for each activity. We’ll show you how you can achieve this in the following steps.

Step 1: Determine the inherent risk factor.

The maximum permissible period that can elapse before the breakdown of a business function has a significant impact on the company is referred to as the Recovery Time Objective (RTO). Knowing each RTO helps you determine which recovery plan should be completed first, which speeds up the overall process.

Each business unit’s RTOs and business processes should have been identified as part of the Business Impact Analysis (BIA) process, which gives you a clear picture of how critical your business operations are based on the processes they perform and helps you identify the dependencies that must be in place for those processes to run. It is, in essence, the bedrock of any solid continuity plan.

Next, you must protect your company from potential threats. Each RTO is assigned a corresponding impact score, for example:

  • 1 = Negligible impact
  • 2 = Minimal impact
  • 3 = Moderate impact
  • 4 = Critical impact
  • 5 = Catastrophic impact

Critical business units have a high level of severity, and a disruption to them would significantly impact the business. Knowing your RTO can ensure that your organization is prepared for any potential disruption.

Once this is known, you must calculate the risk tolerance at the management level, which means analyzing the potential threats to which the company is exposed. In this step, it is essential to identify the threats to the company and draw up a comprehensive report on the risks present in each business unit.

What Does The Score Mean?

The risk scores range from 2.0 to 5.0. A score of 4 to 5 indicates that the strategy carries a significant level of inherent risk, a score of 3 to 3.9 indicates a moderate level, and anything lower indicates a low level of inherent risk for your business.

Step 2: Establish a risk tolerance threshold for management.

First and foremost, managers must understand the significance of cybersecurity and risk management. The notion of residual risk calculation and its significance will be unfamiliar to most managers, so your responsibility is to explain to the management team how it works and why it is vital.

Risk prioritization and management will be more effective and efficient as a result.

You must then advise management on an acceptable level of risk tolerance. To do this, you must define and establish a tolerable level of inherent risk. A lower percentage means that tighter controls are required, and those controls will lead to better recovery.

After establishing the mentioned percentage, the management’s risk tolerance level should be calculated. This is done by multiplying the risk tolerance percentage by the inherent risk factor. The resulting score is your risk tolerance.

This will help you determine how much risk your company is willing to accept to meet your objectives and defend your company from cyberattacks and data breaches. Most importantly, you will gain peace of mind knowing that your company is secure and avoid costly damages and repairs due to a cyber-attack.

For example: suppose the inherent risk factor (business impact score) is 5 and we set a low risk tolerance of 10 percent. Multiply the risk factor by the risk tolerance (10% x 5) to get 0.5; this is your risk tolerance. Subtract 0.5 from 5 to get your risk factor tolerance score, 4.5. To be within tolerance, our mitigating controls must have a combined capability score of 4.5 or above.

Step 3: Examine and grade your mitigating actions.

First, you should assign weights to your mitigating controls based on their importance to prioritize your most critical controls for fast and effective recovery. This will reduce supplier risk to ensure uninterrupted service.

The following controls, in our opinion, protect a recovery plan:

  • Analyze business impact
  • Recovery action plan
  • Recovery exercises
  • Third-party vendor risk awareness and training plan
  • Recovery team

Consider the following: Does my recovery strategy align with the recommendations in the standards? Based on your answer, rate each control 1 (poor), 3 (average), or 5 (excellent) according to how well it meets the required characteristics (best practices). Throughout this process, you must ensure compliance with federal regulations.

As a final step, multiply the score by the weight of each control. Then add up all your results to get a single overall score for your mitigation controls (your mitigation control status).

For example: if the BIA control is rated 5 (best practice) and weighted 10%, multiply 10% by 5 to get a weighted score of 0.5 for this mitigating control. Carry out the same procedure for each of the controls, then add the scores together to establish your total mitigation control status.

Step 4: Calculate your residual risk.

Compare the mitigation control status to the risk factor tolerance score to complete the residual risk calculation. How close is the resulting figure to the risk factor tolerance score? If it is equal to or higher than the risk factor tolerance value, you are comfortably within tolerance, and the business recovery strategy you devised is sound.

If the figure is lower than your risk factor tolerance, the plan is insufficient. Depending on how far off the mark you are, you may need to take further steps to strengthen your business recovery strategy.
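The four steps above as a small calculator, added here as an example and not code from the post or from CENTRL. It uses the post's inherent risk factor of 5 and 10% tolerance; the control weights other than the BIA's 10%, and all control ratings, are assumed values.

```python
from dataclasses import dataclass

# Control ratings the post uses: 1 = poor, 3 = average, 5 = excellent.
CONTROL_RATINGS = (1, 3, 5)


@dataclass
class Control:
    name: str
    weight: float   # share of the total, e.g. 0.10 for "weighted 10%"
    rating: int     # one of CONTROL_RATINGS


def risk_factor_tolerance(inherent: float, tolerance_pct: float) -> float:
    """Step 2: tolerance = pct x inherent; the target score is inherent - tolerance."""
    if not 0.0 <= tolerance_pct <= 1.0:
        raise ValueError("tolerance_pct must be a fraction, e.g. 0.10 for 10%")
    return round(inherent - inherent * tolerance_pct, 4)


def mitigation_control_status(controls: list) -> float:
    """Step 3: weighted sum of control ratings; weights must total 100%."""
    if abs(sum(c.weight for c in controls) - 1.0) > 1e-9:
        raise ValueError("control weights must sum to 1.0")
    if any(c.rating not in CONTROL_RATINGS for c in controls):
        raise ValueError("ratings must be 1, 3 or 5")
    return round(sum(c.weight * c.rating for c in controls), 4)


def assess_residual_risk(inherent: float, tolerance_pct: float, controls: list) -> dict:
    """Step 4: compare the mitigation control status with the risk factor tolerance."""
    target = risk_factor_tolerance(inherent, tolerance_pct)
    status = mitigation_control_status(controls)
    return {
        "risk_factor_tolerance": target,
        "mitigation_control_status": status,
        "within_tolerance": status >= target,
        "shortfall": round(max(0.0, target - status), 4),  # how far the plan falls short
    }


# Constructed sample: the post's five controls; the BIA weight of 10% comes from
# the post, the other weights and all ratings are assumed for illustration.
SAMPLE_CONTROLS = [
    Control("Business impact analysis", 0.10, 5),
    Control("Recovery action plan", 0.30, 5),
    Control("Recovery exercises", 0.25, 3),
    Control("Vendor risk awareness and training", 0.15, 5),
    Control("Recovery team", 0.20, 5),
]
```

Lowering a single control's rating (for example rating the recovery exercises 1 instead of 3) drops the status below the 4.5 target and reports the shortfall, which is the gap the post tells you to close.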

Calculate your Residual Risks easily with Vendor360

Using spreadsheets or other manual methods to keep track of residual risks and their implications for your business can be difficult. Vendor360 can help you make your risk assessment process more efficient.

Vendor360 is a comprehensive and customizable high-risk management tool for identifying and collecting any residual risks in your company.

The platform provides a simple user experience mixed with extensive automation and analytics to help with most of the process. It also uses inherent risk analysis and risk mitigation to undertake due diligence on suppliers and evaluate good supplier controls.

Schedule a demo right away to learn how it can help you streamline your Third-Party Risk Management Program!
