What is the difference between inherent risk and residual risk?


Multiple Choice

What is the difference between inherent risk and residual risk?

Explanation:
The main idea here is how risk changes when you apply controls. Inherent risk is the level of risk that exists in the absence of any controls—the risk you’d face if nothing were done. After you implement controls—policies, procedures, safeguards—the remaining risk is residual risk. It’s the portion that still exists even with controls, and it may be accepted based on the organization’s risk appetite or require further action if it’s too high. For example, handling sensitive data has inherent risk due to potential breaches; encryption, access controls, and monitoring reduce that risk, but some residual risk remains because no control is perfect. The other notions aren’t accurate: residual risk isn’t zero in practice, and inherent risk isn’t defined as only external risk—it’s the risk present before controls, arising from the nature of the process and environment.
