Any business venture carries risk. Most inherent risk can be identified and mitigated through the implementation of countermeasures -- but no countermeasure can completely eliminate risk. Residual risk is the amount of risk that remains once countermeasures are in place. This level of risk is hard to calculate accurately, because much of it involves unforeseen events. However, it is possible to estimate the level of residual risk and determine whether it falls within acceptable limits. Doing so may help to decrease the likelihood of a catastrophic incident and further mitigate loss should such an incident occur.

Identify potential threats that remain after known risks have been accounted for and mitigated with countermeasures. For example, you might have a two-story retail space in a location that’s prone to flooding and have already purchased enough flood insurance to cover everything on the ground floor, but inventory and equipment on the second floor may not be covered in the event of an extreme flooding scenario.

Estimate the cost of each threat you’ve identified. Using the flood scenario, this would be the cost of damage incurred should water levels reach the second floor.

Determine the probability of each threat. How likely is it that flood waters would reach the second floor of your retail space?

Multiply the cost of the threat by the probability of its occurrence to determine your vulnerability. If the cost of damage of a second-floor flood would be $10,000, and the probability of flood waters rising that high is 10 percent, you would multiply 10,000 by 0.10. Your vulnerability, or expected loss, would be $1,000.

Identify whether any further measures can be taken to counter the risk and mitigate expected loss.

Estimate the value of a countermeasure by multiplying the expected loss by the amount that would be mitigated by the countermeasure. If you purchase additional flood insurance to cover 60 percent of the expected loss in a second-floor flood, multiply $1,000 by 0.60. In this case, the value of the countermeasure is $600.

With additional countermeasures in place, re-assess the residual risk by subtracting the value of the countermeasures from the expected loss. In the second-story flood scenario, subtract $600 from $1,000. This would leave you with a residual risk value of $400.


Determine whether the vulnerability lies within acceptable risk limits. For example, you might decide that providing countermeasures for the expected loss would cost more than it would to absorb the cost if an event occurs.