# How to Calculate Residual Risk

by Ryan Menezes

A comprehensive risk-management system must evaluate the costs of all possible hazards. These hazards come in the form of specific threats that can hit you and in the form of vulnerabilities in your system that expose you to the different threats. Ideally, countermeasures will fully protect you from every foreseeable attack, but few plans can cover every contingency. The residual risk describes the cost of a threat that remains after after you've implemented a countermeasure.

1. Estimate the cost of a specific threat. For example, suppose that you are valuing the residual risk on a policy protecting your company from a fire, and suppose that the fire will produce \$600,000 of damage.

2. Estimate the probability of the threat occurring. Continuing the example, suppose that the fire has a 1.5 percent chance of occurring.

3. Multiply the threat's cost by its probability of occurring. With this example, multiply \$600,000 by 0.015 to get \$9,000. This is the expected loss from the threat.

4. Multiply the threat's expected loss by the portion of it that your countermeasure covers. For example, if you have invested in an insurance policy that covers 80 percent of your losses, multiply \$9,000 by 0.80 to get \$7,200. This is your policy's expected worth.

5. Subtract the policy's expected worth from your expected loss. Subtracting \$7,200 from \$9,000 gives \$1,800. This is the threat's residual risk.