D1 · General

What is residual risk?

Residual risk is the risk remaining after security controls have been applied. No system is 100% secure — some risk always remains and must be accepted or addressed further.
Risk treatment options reduce risk to a residual level. Management must formally accept residual risk in writing. Zero residual risk is impossible and not the goal. Document accepted risks in a risk register.