
Residual Risk

The level of risk remaining after controls and mitigation measures have been implemented and their effect considered.

Full definition
Residual risk is the risk the organization actually faces after accounting for all safeguards, policies, and response plans in place. It must be evaluated against risk appetite and tolerance to determine whether additional treatment is required. For example, a cloud provider might reduce the inherent risk of a data breach from high to medium through encryption, access controls, and monitoring, leaving a medium residual risk that management accepts. Organizations monitor residual risk continuously because control effectiveness can degrade over time and new threats can emerge, changing the risk profile.
Related terms: risk assessment, controls, ERM, measurement, monitoring
