
Residual risk & closure

Purpose

In the Residual Risk & Closure section you assess what risk remains after the measures have been implemented. This assessment serves as evidence for management, internal audit or external auditors that the remaining risk has been consciously accepted or is being treated further.

Usage

From Initial Risk to Residual Risk

From the risk analysis you know:

  • Initial risk (gross risk before measures)
  • Gross acceptance level

After implementing or planning measures you assess:

  • Residual risk (net risk after measures)
  • Net acceptance level, or net-net acceptance level, depending on configuration

To do this, you re-assess likelihood and impact in light of the measures that have been implemented or planned; the residual risk class follows from the adjusted values.


Residual Risk Assessment Procedure

  1. Select a risk for which measures have been completed or largely implemented.
  2. Open the Residual Risk section.
  3. Update the assessment (likelihood and impact), taking the implemented measures into account.
  4. The new residual risk class is calculated automatically.
  5. Decide whether the residual risk
     • is accepted (with a brief justification), or
     • requires further measures.
  6. Close the risk treatment once the decision is binding.

Example:

  • Before measures: Likelihood "high", Impact "high" → Initial risk "very high".
  • After measures: Likelihood "very low", Impact "medium" → Residual risk "low".
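The classification and decision steps above, as an added Python example that is not part of the original page or of the tool's own code. The ordinal scales, the 5x5 matrix and the `RiskAssessment` class are assumptions: the matrix is chosen only so that it reproduces the example above (high/high gives "very high", very low/medium gives "low"); the tool's actual matrix and acceptance levels are configurable and are not shown on this page. The example also enforces the two checks an auditor will look for: acceptance is only recorded together with a justification, and the assessment cannot be completed before a residual rating and a decision exist.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical ordinal scales and 5x5 matrix (row = likelihood, column = impact).
# The tool's real matrix is configurable and not shown on the page; this one is an
# assumption chosen to reproduce the page's example.
LIKELIHOOD = ["very low", "low", "medium", "high", "very high"]
IMPACT = ["very low", "low", "medium", "high", "very high"]
CLASSES = ["low", "medium", "high", "very high"]  # least to most severe
MATRIX = [
    ["low",    "low",    "low",    "medium",    "medium"],     # likelihood: very low
    ["low",    "low",    "medium", "medium",    "high"],       # low
    ["low",    "medium", "medium", "high",      "high"],       # medium
    ["medium", "medium", "high",   "very high", "very high"],  # high
    ["medium", "high",   "high",   "very high", "very high"],  # very high
]


def risk_class(likelihood: str, impact: str) -> str:
    """Look up the risk class for a likelihood/impact pair in the matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def exceeds(risk: str, acceptance_level: str) -> bool:
    """True if a risk class is more severe than the given acceptance level."""
    return CLASSES.index(risk) > CLASSES.index(acceptance_level)


@dataclass
class RiskAssessment:
    asset: str
    risk: str
    gross: Tuple[str, str]                 # (likelihood, impact) before measures
    net_acceptance_level: str              # most severe class tolerated after measures
    net: Optional[Tuple[str, str]] = None  # (likelihood, impact) after measures
    decision: Optional[str] = None         # "accepted" or "further measures"
    justification: str = ""
    status: str = "open"

    @property
    def initial_class(self) -> str:
        return risk_class(*self.gross)

    @property
    def residual_class(self) -> Optional[str]:
        return risk_class(*self.net) if self.net else None

    def assess_residual(self, likelihood: str, impact: str) -> str:
        """Steps 3 and 4: re-rate likelihood and impact; the class follows from the matrix."""
        self.net = (likelihood, impact)
        return self.residual_class

    def residual_exceeds_acceptance(self) -> bool:
        """Does the residual risk still lie above the net acceptance level?"""
        if self.net is None:
            raise ValueError("residual risk has not been assessed yet")
        return exceeds(self.residual_class, self.net_acceptance_level)

    def accept(self, justification: str) -> None:
        """Step 5a: record acceptance, but only together with a justification."""
        if self.net is None:
            raise ValueError("assess the residual risk before deciding")
        if not justification.strip():
            raise ValueError("acceptance requires a justification (audit evidence)")
        self.decision, self.justification = "accepted", justification.strip()

    def require_further_measures(self) -> None:
        """Step 5b: the residual risk stays open for further treatment."""
        if self.net is None:
            raise ValueError("assess the residual risk before deciding")
        self.decision = "further measures"

    def complete(self) -> str:
        """Step 6: closure is refused without a residual rating and a binding decision."""
        if self.net is None or self.decision is None:
            raise ValueError("cannot complete: residual assessment or decision missing")
        self.status = "completed"
        return self.status


if __name__ == "__main__":
    # Walk through the page's example (asset and risk names are constructed).
    a = RiskAssessment("file server", "ransomware", ("high", "high"), "medium")
    print("initial:", a.initial_class)                    # very high
    print("residual:", a.assess_residual("very low", "medium"))  # low
    a.accept("Residual risk accepted, as further measures would be disproportionate")
    print("status:", a.complete())                        # completed
```

`residual_exceeds_acceptance()` is what drives the decision in practice: a residual class at or below the net acceptance level can normally be accepted with a short justification, while one above it should either be escalated for an explicit, documented acceptance or sent back to "further measures".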

Completing the Risk Assessment

When you are satisfied with the residual risk assessment:

  1. Click "Complete Risk Assessment" (label may vary).
  2. The assessment is marked as completed.
  3. The results feed into
     • the risk matrix,
     • the risk overview,
     • reports and audit evaluations.

Should the situation change later (e.g. new infrastructure, different BIA results), you can either:

  • continue the risk assessment to update it in place, or
  • archive it and restart, which creates a new, timestamped version while the old one is kept.

Historical Comparisons

Archived assessments are displayed in the Archive section of the Risk Overview.
There you can, for a specific asset and a specific risk, view:

  • all previous assessments,
  • the point in time of each assessment,
  • the measures and acceptance decisions recorded at that time,

and compare them with each other. This is particularly useful for audits and management reviews, because it shows how the residual risk and the acceptance decisions developed over time.

Notes & Best Practices

  • Keep the justification for risk acceptance brief but comprehensible (e.g. "Residual risk accepted, as further measures would be disproportionate").
  • Use this section also when preparing management reports or audits; the recorded decisions and justifications are the evidence those reviews will ask for.