What is meant by 'residual risk'?

Prepare for the WOBC-A Exam with our comprehensive quizzes, including flashcards and multiple choice questions with hints and explanations. Enhance your readiness now!

Residual risk refers to the level of risk that remains after an organization has taken steps to mitigate or manage risk through various controls and measures. It acknowledges that while controls can reduce risk, they often cannot eliminate it entirely. For example, even with security protocols in place, there may still be potential vulnerabilities or external threats that can affect an organization.

In the context of risk management, identifying residual risk is crucial because it helps organizations understand what level of risk they are still exposed to after implementing their risk mitigation strategies. This understanding allows for informed decision-making regarding whether to accept, further mitigate, or transfer the remaining risk.

The other options do not align with the definition of residual risk. Some risks may not require controls, and not all risks can be completely eliminated, as indicated in other options. Additionally, limiting the concept of risk to only that from friendly forces does not encompass the overall meaning of residual risk in a broader context. Therefore, recognizing that residual risk is the remaining risk post-implementation of controls is paramount for effective risk management.
