Before writing this blog post about residual risk, I thought about how this topic translates into my own life. According to ISO 27001, residual risk is "the risk remaining after risk treatment." In other words, once risks have been identified and treated, what are the remaining risks? And, importantly, is the business willing to accept that level of risk or not?
I'm sure you'll have your own examples, but when I think about the ISO 27001 definition, I instantly relate it to driving my car.
I know that by driving a car on a public highway, notwithstanding how carefully I drive, there's a "residual risk" of an accident—the unknown. However, what I do know is that I can massively reduce the likelihood of that accident happening if I've got my seat belt on, have serviced the car properly and remember my driving lessons and experience from years of being behind the wheel. In other words, I'm actively treating the risk and safeguarding myself and my passengers.
In my example, I've considered the likelihood of an essentially "unknowable" risk (that is, we know traffic accidents are an ever-present risk, but we can't reliably know when that risk will manifest itself as some kind of incident). There are, however, other categories of risk, and most of us will no doubt remember former U.S. Secretary of Defense Donald Rumsfeld's famous classification of risk into three categories: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
To deal with risks in the category of "known knowns," organisations identify, assess and manage risks to avoid surprises. Many organisations use a risk management information system to monitor and reduce residual risk across four evaluation criteria:
- The impact of a specific threat
- The probability of a specific threat
- The vulnerability of the asset
- The value of the asset
Residual risks that fall into the categories of "known unknowns" and "unknown unknowns," however, are inherently more difficult to identify than the "known knowns." Doing so relies heavily on the experience of risk managers and company directors, assisted with accurate data from across the organisation.
A challenge during the risk assessment process is to reduce the presence of unknown risk. But one of the big questions here is, is it possible to prevent and, consequently, manage risks in the "unknown unknowns" category? If so, how? Does it require the input of multi-disciplinary teams? Keeping an open mind and thinking creatively when assessing risks? Reducing the likelihood of a risk, based on analysing historic data and applying the learnings from real life cases?
