When do we identify Residual Risk?

qualprod

Trusted Information Resource
Yes and no. This is where my confusion comes from. It sounds like some people say residual risk should be estimated up front to show how our controls deal with inherent risk. Other people say that residual risk should be measured after controls have been implemented. There are different scenarios. It seems that when we have existing controls, we should calculate residual risk to see if those controls are already effective to treat new or existing risks. If yes, residual risk should be recorded. If no (no controls or they are not effective), we will need to develop additional risk treatment actions. In this case, it is irrelevant to estimate residual risk because it doesn't seem to add value. See diagram. Why would we estimate it? View attachment 26169

Ukrain

Take a look at 31000, check what is in bold

5.5 Risk treatment
5.5.1 General
Risk treatment involves selecting one or more options for modifying risks, and implementing those options.
Once implemented, treatments provide or modify the controls.

Risk treatment involves a cyclical process of:
⎯ assessing a risk treatment;
⎯ deciding whether residual risk levels are tolerable;
⎯ if not tolerable, generating a new risk treatment; and
⎯ assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options
can include the following:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.

Additionally:

In 2.27
residual risk
risk (2.1) remaining after risk treatment (2.25)

Hope this helps
 

melancholy

Registered
Yes and no. This is where my confusion comes from. It sounds like some people say residual risk should be estimated up front to show how our controls deal with inherent risk. Other people say that residual risk should be measured after controls have been implemented. There are different scenarios. It seems that when we have existing controls, we should calculate residual risk to see if those controls are already effective to treat new or existing risks. If yes, residual risk should be recorded. If no (no controls or they are not effective), we will need to develop additional risk treatment actions. In this case, it is irrelevant to estimate residual risk because it doesn't seem to add value. See diagram. Why would we estimate it? View attachment 26169

Hi ukrainka85, my understanding is as follows:
1. Before we propose the control measures to reduce the risk, indeed we need to ensure the control measure is effective and can reduce the risk. In this case, we need to evaluate the risk level before we implement the control measures. But I also see some companies that do not do the evaluation before the implementation. It is OK, but it brings the risk that, after the control measures, the risk is possibly still unacceptable. In this case, the effort for the control is a waste of time. So it is better to do the evaluation before the implementation of the control measures. Also, implementing the control measures could bring additional risk, which needs evaluation.
2. After the implementation, there should also be an evaluation of the risk, because during the implementation there could be some risk that was not considered before.
 