What is residual risk monitoring in risk management?

Residual risk monitoring is the ongoing oversight of the risk that remains after you have put controls in place. After hazards are identified and risks are assessed, mitigation actions reduce risk, but they rarely eliminate it completely. The remaining risk—what still could materialize despite the controls—needs to be continually watched to ensure it stays within the organization's tolerance and that the controls continue to work as conditions change. This monitoring involves tracking relevant metrics, reviewing control effectiveness, and deciding if further mitigations or changes are needed when indicators show the residual risk rising above acceptable levels. For example, in IT security, even after patching known vulnerabilities, some residual risk remains due to new threats or misconfigurations; residual risk monitoring keeps an eye on this remaining risk and prompts action if it grows.