The risk that remains after controls have been applied to treat it.
Residual risk is what is left once treatment has reduced the original, inherent risk. No set of controls removes risk entirely, so some level always remains.
Management must formally accept the residual risk, confirming it falls within the organization's risk appetite. In an ISMS this acceptance is a documented decision by risk owners.