Residual risk is the risk that remains after all planned controls and measures have been implemented. No security programme can eliminate risk entirely. The critical point is that residual risk must stay below the defined risk-acceptance threshold and be formally accepted by senior management. In your ISMS you document both the gross risk (before controls) and the net risk (after controls) for each risk scenario. The difference demonstrates the effectiveness of your controls. Regular reviews ensure that changing conditions do not silently raise residual risk beyond the accepted level.