CRMA· IIA
Certification in Risk Management Assurance (IIA)
IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.
Term DefinitionRisk
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
Residual risk is the net exposure after accounting for existing controls. The objective is for residual risk to remain within the risk appetite defined by the board. If it exceeds this threshold, additional controls, risk transfer (insurance), or a treatment plan are required. Comparing inherent and residual risk is a key indicator of the maturity of the risk management program.
📌 Key points
- Residual risk must remain within the risk appetite boundaries
- If residual > appetite: action required (additional controls, transfer, avoidance)
- The inherent-to-residual reduction demonstrates the value of the control program
- Residual risk evolves over time — it must be reassessed regularly
- Residual risk accepted without treatment = documented risk acceptance
Related certifications
These certifications cover the concept of "Residual Risk" in depth.
CIA· IIA
Certified Internal Auditor (IIA, 3 Parts)
The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.
CISA· ISACA
Certified Information Systems Auditor (ISACA)
ISACA’s CISA targets IS audit. 5 domains, ITAF and COBIT, 2,300+ questions with AuditBot explanations.
🔗 Related concepts
RiskRiskControlsRiskRisk
Inherent Risk
The level of risk before any controls or mitigations are applied.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
Control Objective
A statement of what a control aims to ensure.
Risk Register
A centralized document listing all identified risks of an organization.
Key Risk Indicator (KRI)
A metric measuring the evolution of risk exposure over time.
📖 Related articles
Master this concept and more
Start your GRC certification journey today.