How to Define Residual Risk

Residual risk is the risk that remains after all the planned risk treatments have been implemented. 

Q: After reviewing our latest headquarters physical security risk assessment and its risk treatment plan, our newly onboarded Chief Risk Officer asked where the residual risk was documented. What is residual risk?

A: Residual risk is the risk that remains after the risk treatment plan has been fully implemented.

Residual risk applies to both physical security and information security (infosec), because it applies to any area of risk management. It’s just a label for the risk that still remains after all the risk controls are put in place.

Although residual risk is rarely discussed or documented in physical security practice, it is considered and documented in standard infosec practice and doing so is required by many infosec standards, such as ISO 27001 and OCTAVE (Operationally Critical Threat and Vulnerability Assessment).

Physical Security and Residual Risk

As has often been stated, the primary goal of physical security is to reduce physical security risks to acceptable levels, at an acceptable cost. A facility physical security risk assessment identifies the physical assets to be protected, such as property and grounds, people, critical materials and business processes. All kinds of risks are inherent in any organization, and the basic principles of risk treatment apply to all of them.

The general formula for addressing physical security risk is: Identify the critical assets and risks to them, formulate a risk treatment plan that will reduce the risks to acceptable levels, implement the plan and monitor the results, and reassess at appropriate intervals and upon changes to the business including its risk picture. I’ll elaborate on this using an almost ridiculously small and simple – but nonetheless real – example from the days when paper documents still were in common use.

The Case of the Disappearing Stapler

A main lobby receptionist had many business responsibilities in addition to low-volume front lobby visitor management. An important tool for her was a heavy-duty paper stapler. Not only did she use it many times daily herself, but she also loaned it to junior and senior employees working in nearby meeting rooms or in the nearby snack room. The receptionist valued the positive public relations effect of loaning the stapler to other employees. Many people had come to depend on that stapler.

The frequency of its loss by theft or unreturned borrowing rose from occasional to weekly, to the point where it was interfering not just with her work but also with the work of others who had come to depend on the stapler being available. Daytime losses from borrowing were rare but increasing slightly. Sometimes people borrowed it without telling her, so she didn’t know where to look for it when it had been borrowed. Much worse, night thefts had risen from rare, to less than monthly, and now to weekly. They weren’t being captured on the sole video camera, which didn’t have a direct view of her desk area.

Addressing the Risk

The manager over the reception area wanted to eliminate the cost of stapler replacement. The receptionist wanted to have 100% availability of the stapler for all uses. The manager proposed a simple technical solution using a security cable to attach the stapler to her desk area behind the lobby counter. However, that would have limited her use of the stapler and eliminated the ability to loan it out. A good risk treatment approach would result in improved use of the stapler.

The receptionist gave it some thought and recommended instead a combination of people, processes and technology. She requested that the company install a lock on one of her work area drawers so she could lock the stapler up at night. That would handle the nighttime thefts (the biggest risk). Daytime losses, though rare, could still occur (residual risk).

The receptionist accepted the residual risk of stapler loss by volunteering to replace any unreturned staplers at her own cost (residual risk transfer from the company to herself). She then addressed the residual risk in three ways. (1) She put a label on the stapler containing her name and where to return it. (2) She bought two extra staplers at her own expense (for backup redundancy), so that the loss of just one stapler would have no business impact. (3) She created a small “stapler use log” so when people borrowed the loaner stapler, she knew who to approach to get it back (asset tracking).

Business Risk

The actual business discussion in which this solution evolved took less time than reading this column. But its story lets me make several points. The first is that the people involved didn’t think about it as a risk management problem. They didn’t call it loss prevention or asset protection. They just saw negative business impacts on a growing trend and decided to do something about it.

Physical security risks are a subset of common business operational risks, the management of which can be delegated to a specialized business function: Security. Security practitioners are business managers focused on security. The second point is that the individual who produced the best business solution was the person closest to the problem, who understood all the people-process-technology dynamics involved, including the business workflows at risk, and was willing to take on the smaller aspects of risk personally. Finally, the end result was improved business operations for all around. That’s the ideal situation for any risk treatment solution. 

Why Consider Residual Risk?

It is important to consider residual risk, as it may change over time due to internal or external changes impacting the business risk picture. Residual security risk is part of the overall aggregate risk picture. Residual risk of all kinds can affect insurance premiums and deductibles, positively or negatively depending on the direction of risk change. Residual risk that is acceptable today for any part of a facility may not be tomorrow. Good change management includes an understanding of residual (i.e., currently-acceptable) risk sufficient to recognize how business change may affect the continuing acceptability of the risk.

About the author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2021 RBCS