ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Residual risk equals the portion of inherent risk that remains after control effects are considered. A straightforward quantitative method multiplies the inherent risk value by the percentage of risk left over: Residual Risk = Inherent Risk × (1 − Control Effectiveness). With an inherent risk of 48 and controls that are 75 percent effective, 25 percent of the risk remains. 48 × 0.25 = 12.

The choice of 36 reflects subtracting the effectiveness percentage directly from the score (48 − 12) but does not account for proportional reduction; 48 retains the full, unmitigated risk; 60 suggests risk has somehow increased, which is incorrect. Therefore, 12 is the correct residual risk value to record.