Glossary
Residual Risk
The risk exposure that remains after mitigation actions have been applied — the risk the project carries even after doing everything reasonable to reduce it.
Residual risk is what is left after the mitigation. If a risk has an initial probability of 60% and a cost impact range of £500k–£2m, and the mitigation actions taken reduce the probability to 25% and the maximum impact to £1m, the residual risk is the 25% probability of a £1m impact. Risk registers should record both the inherent risk (before mitigation) and the residual risk (after mitigation), because both are important for different purposes: the gap between them demonstrates the value of the mitigation programme, and the residual risk is what goes into the quantitative risk model.
A critical governance point is that residual risk is the risk the project actually carries. Decisions about contingency, escalation, and risk appetite should be made based on residual risk levels, not inherent risk levels. A project that shows many 'red' risks on an inherent basis but has robust mitigations in place for all of them may actually have a modest residual risk profile. A project that shows mostly 'amber' inherent risks but has implemented few meaningful mitigations may carry a higher residual exposure than the raw register suggests. Always look at both the inherent and residual risk scores together.
The residual risk calculation is only credible if the mitigation actions have actually been implemented and are working. A risk register that shows mitigation actions as 'planned' or 'in progress' and uses a reduced residual probability anyway is understating the true current exposure. Best practice is to update residual risk scores only when mitigation actions have been confirmed as complete and effective. Until then, the risk should be carried at its pre-mitigation level for purposes of contingency calculation and risk reporting. This discipline — separating 'mitigations planned' from 'mitigations implemented and working' — is one of the hallmarks of a mature risk management process.
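The rule above, reporting a risk at its residual level only once its mitigation is confirmed complete and effective, and otherwise at its inherent level, is shown here as an added example (not code from the page or from SOMA). The register entries, the status values and the field names are constructed for illustration; the first entry uses the 60% / £2m to 25% / £1m figures from the text.

```python
from dataclasses import dataclass
from enum import Enum


class MitigationStatus(Enum):
    """Assumed status values; only the last one justifies a reduced score."""
    PLANNED = "planned"
    IN_PROGRESS = "in progress"
    COMPLETE_EFFECTIVE = "complete and effective"


@dataclass
class Risk:
    name: str
    inherent_probability: float   # 0.0-1.0, before mitigation
    inherent_max_impact: float    # GBP, before mitigation
    residual_probability: float   # 0.0-1.0, after mitigation
    residual_max_impact: float    # GBP, after mitigation
    mitigation_status: MitigationStatus

    def inherent_exposure(self) -> float:
        return self.inherent_probability * self.inherent_max_impact

    def residual_exposure(self) -> float:
        return self.residual_probability * self.residual_max_impact

    def reportable_exposure(self) -> float:
        # The residual score is only credible once the mitigation is
        # confirmed complete and effective; until then carry the
        # pre-mitigation level for contingency and reporting.
        if self.mitigation_status is MitigationStatus.COMPLETE_EFFECTIVE:
            return self.residual_exposure()
        return self.inherent_exposure()

    def mitigation_value(self) -> float:
        # Gap between inherent and residual: the value of the mitigation.
        return self.inherent_exposure() - self.residual_exposure()


def register_summary(risks: list[Risk]) -> dict[str, float]:
    """Totals across a register: inherent, claimed residual, and what to report."""
    return {
        "inherent": sum(r.inherent_exposure() for r in risks),
        "residual_claimed": sum(r.residual_exposure() for r in risks),
        "reportable": sum(r.reportable_exposure() for r in risks),
    }


# Constructed sample register (not real project data).
SAMPLE_REGISTER = [
    Risk("Ground conditions", 0.60, 2_000_000, 0.25, 1_000_000,
         MitigationStatus.COMPLETE_EFFECTIVE),
    Risk("Supplier insolvency", 0.40, 500_000, 0.10, 200_000,
         MitigationStatus.PLANNED),
]
```

The second entry shows the understatement the text warns about: its residual exposure is £20k, but because the mitigation is only planned the register still reports £200k for it.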
Putting these techniques into practice?
SOMA provides independent project controls consultancy for UK programmes. We can help you apply QRA, EVM, schedule risk analysis, and more.