What is residual risk and why is it important to monitor?

Practice question from the Risk Management Temple Exam 2 study set.

Multiple Choice

What is residual risk and why is it important to monitor?

Explanation:
Residual risk is the risk that remains after the chosen controls and mitigations are in place; it is the inherent risk minus whatever the controls actually reduce. It must be monitored because no control set eliminates all risk, and the level that remains is not fixed: newly disclosed vulnerabilities, changes in how the system is operated, and controls that decay over time (unpatched hosts, stale allow-lists, expired certificates, rules nobody reviews) can all push residual risk back above the level that was originally accepted. Ongoing monitoring checks that this remaining exposure still sits within the organization's risk appetite and flags when controls or response plans need to be adjusted. For example, a patched and hardened system still has some exposure, so you keep tracking that exposure and act when it grows. The incorrect options describe something else: the initial (inherent) risk before any controls, the idea that risk can be reduced to zero, risk measured only at project completion, or risk tied only to external factors and audits. None of these captures the ongoing, post-control exposure that residual risk denotes.