Case Study | Title: Residual Risk - GRM Institute

Case Study | Title: Residual Risk

By Kartik Sarin

PGDRM Batch July’20-21


Residual Risk
  • The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
  • In simple words “It is the risk remaining after risk treatment”.



Risk Mitigation Process


Even after the risk mitigation process, we won’t be able to eliminate certain risks and these are basically known as Residual Risk.


Purpose of Residual Risk

The purpose of residual risk is to find out whether the planned controls and treatments are “sufficient”.
It means making a decision about how much Risk Appetite an organization has.


Once we find out the Residual Risks, what do we do with them?

We have three options:

Option 1: If the level of risks is below the acceptable level of risk, then we do nothing – the management needs to formally accept those risks.

Option 2: If the level of risks is above the acceptable level of risk, then we need to find out some new (and better) ways to mitigate those risks – that also means we’ll need to reassess the residual risks.

Option 3: If the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, then we need to propose to the management to accept those high risks.


Examples of Residual Risk

Risk Avoidance: A business decides to avoid the risk of developing new technology because the project in which it is to be used has many risks. The Residual Risk here is that the competitor can develop the same technology instead and gain a competitive advantage.

Risk Transfer: A homeowner may transfer the risk of flood damages by taking insurance. The Residual Risk would include that the insurance company can go bankrupt and fail to pay the insurance amount.

Risk Reduction: An airline company reduces the risk of accidents by improving maintenance procedures. Residual Risk can be that due to human intervention steps could be skipped in the procedures.
Risk Acceptance: On risk acceptance, the entire risk becomes residual risks since we are not doing anything to mitigate it. Example: If an investor thinks that the rewards on an investment outweigh the risk, he would accept that risk and would make the investment. Here, the amount of investment would be covered under Residual Risk.
Important: When controls put in place are effective, both Inherent Risk and Residual Risks are low. However, it is to be noted that Residual Risks are always lower than the Inherent Risks.




This report has been produced by students of Global Risk Management Institute for their own research, classroom discussions and general information purposes only. While care has been taken in gathering the data and preparing the report, the student’s or GRMI does not make any representations or warranties as to its accuracy or completeness and expressly excludes to the maximum extent permitted by law all those that might otherwise be implied. References to the information collected have been given where necessary.

GRMI or its students accepts no responsibility or liability for any loss or damage of any nature occasioned to any person as a result of acting or refraining from acting as a result of, or in reliance on, any statement, fact, figure or expression of opinion or belief contained in this report. This report does not constitute advice of any kind.


Design and Developed by KodeForest @ All Rights Reserved by KodeForest