Most organisations talk about “risk” all day and still operate blind. The reason is simple: risk awareness is treated like a training slide, not an operating discipline.
And then we do the second common mistake: we treat residual risk as a number on a heatmap, instead of a decision that leadership has actively accepted.
This dispatch combines the two, because in practice they are inseparable.
1) Risk awareness is not a poster
Risk awareness means people understand three things, consistently:
- What can break (assets, processes, services, obligations)
- How it breaks (threats, failure modes, control weaknesses)
- What we do when it breaks (detection, escalation, containment, recovery)
If your “awareness” stops at generic phishing training, you have compliance awareness, not risk awareness.
2) Residual risk: the part you still own
Residual risk is the exposure that remains after you consider the control environment (design + operating effectiveness) and any planned remediation that is actually funded and scheduled.
A practical way to keep this defensible is to separate the logic:
- Inherent risk: exposure assuming controls fail or don’t exist
- Control risk: likelihood controls do not prevent/detect/correct as intended
- Residual risk: the remaining exposure you consciously accept
3) Why residual risk never goes to zero
If someone expects “zero residual risk”, they are asking for either:
- an infinite control budget, or
- a fake report.
Residual risk is a reflection of risk appetite. The job is not to eliminate it—it’s to keep it inside a threshold that leadership has agreed, understands, and revisits.
4) Measuring residual risk without theatre
Don’t over-engineer it. Measure what you can defend.
- Start with a bounded scoring model: impact × likelihood, mapped to your service taxonomy (critical services, key processes, crown-jewel systems).
- Score controls by evidence, not opinions: evidence of operating effectiveness (logs, tickets, config baselines, reconciliations, attestations).
- Separate “implemented” from “designed”: a control that exists on paper is not a control.
- Track residual risk movement: remediation should move the needle. If it doesn’t, your control design is wrong or your measurement is wrong.
5) Benchmarking: the only benchmark that matters
You cannot benchmark residual risk against another firm’s heatmap. You can only benchmark against:
- your own risk appetite / tolerance, and
- your regulatory obligations for the services you provide.
When leadership tightens tolerance (e.g., from 20% to 10%), you don’t “work harder”—you change the control mix. Monitoring-only controls won’t cut it; you’ll need more preventive and corrective controls, and that means cost.
6) What good looks like (quick checklist)
- Residual risk is linked to named owners and critical services.
- Every “accepted” risk has a time bound and a re-approval cycle.
- Risk acceptance is supported by evidence (control performance), not narrative.
- Exceptions create issues with due dates—no permanent waivers.
- Board/Audit Committee reporting is trend + decisions, not a static heatmap.
If you implement only one change: make “risk acceptance” a disciplined workflow, with evidence, expiry dates, and a real approver. That single move eliminates a surprising amount of GRC noise.
Collaboration welcome: corrections, counterexamples, and build ideas — grcguy@rtapulse.com • Discussions • Issues • How to collaborate.