Most supplier risk questionnaires produce a score. The supplier answers 40 questions, gets 32 right, and you have a number: 80 out of 100. A week later someone asks "how's our supplier risk programme going?" and you say "our average supplier score is 74." Everyone nods. Nothing has changed.
Assessment scores are useful. But they measure a supplier's posture at a point in time. They don't tell you whether your programme is actually reducing risk — or whether the follow-up work is happening at all.
Residual risk is the framework that answers a different, more important question: after all the assessments, findings, and follow-up work you've done, how much risk remains? And is it going down?
The difference between a score and residual risk
An assessment score reflects how a supplier performed on a questionnaire. It's backwards-looking: it describes the state of the supplier's security at the time they answered, and, unless you verified the answers, it describes what the supplier said about that state. A good score means the supplier answered well. It doesn't mean all risks are addressed, and it doesn't tell you anything about what happened after the assessment.
Residual risk is forward-looking. It tracks the risk that remains after you've identified specific issues and worked to address them. Residual risk goes down when findings are closed. It stays high when findings sit open. And it can be split into two components that matter for management reporting:
- Active residual risk — the risk from open findings that you're actively trying to reduce. This should trend down over time as findings are closed.
- Accepted residual risk — the risk from issues you've assessed and chosen to accept, with a documented rationale. This is a legitimate outcome, but it should be explicit — not a default state that happens when no one follows up.
The key insight: A supplier with a 60% assessment score and zero open findings may represent less residual risk than a supplier with an 80% score and three open critical findings. Scores and residual risk tell different stories.
How residual risk is calculated from findings
Each finding contributes a risk score weighted by its severity: a critical finding contributes more than a high, a high more than a medium, a medium more than a low. The exact weights are a policy choice; what matters is that the same weights are used in every period, otherwise the trend is meaningless. When a finding is closed (the supplier has implemented the required control, and you have evidence of it rather than only their word), its contribution to residual risk drops to zero. When a finding is accepted, its contribution moves from active residual risk to accepted residual risk.
This means the residual risk for a supplier starts at a high point when findings are first created and should decrease over time as work is done. The burn-down, the rate at which active residual risk is declining from one reporting date to the next, is one of the most useful metrics for communicating programme health to leadership. Note that it can rise even while findings are being closed, if new assessments raise more risk than remediation removes; that is exactly the situation a score average hides.
What management reporting should show
When a board, CISO, or steering committee asks "how is our supplier risk programme performing?", an assessment score average is a weak answer. A better answer uses residual risk metrics:
- Initial risk identified: Total risk identified across all supplier assessments this period.
- Residual risk remaining: How much of that risk is still open (active findings not yet resolved).
- Accepted risk: How much has been explicitly accepted and documented.
- Risk reduced: The difference — how much risk has been closed through active remediation.
- Trend: Is residual risk going up (more findings being created than closed) or down (programme is making progress)?
This is the story regulators and auditors want to see too. NIS2 (the supply-chain security measures in Article 21) and ISO 27001:2022 (the Annex A supplier-relationship controls, 5.19 to 5.22) both expect evidence that supplier risk is being actively managed, not just assessed and scored.
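The calculation in the previous section and the five reporting metrics above are the same arithmetic over one findings register. The script below is an added example and is not code from the original page or from Supplira: the severity weights, the supplier names, the dates and the findings are constructed sample data, and the column names are assumptions. It keeps each finding's state as of a date, so the same register yields a snapshot for any reporting date, a trend between two dates, and a per-supplier burn-down series.

```python
"""Residual supplier risk from a findings register.

Added example, not code from the original page or from Supplira. The
severity weights, supplier names, dates and findings are constructed
sample data; the report fields follow the five metrics in the text
(initial, residual, accepted, reduced, trend).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed weights. Any monotonic scale works; what matters for burn-down
# is that the same scale is applied in every period being compared.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    supplier: str
    severity: str                    # key of SEVERITY_WEIGHT
    created: date                    # when the gap was raised as a finding
    outcome: str = "open"            # "open", "closed" or "accepted"
    resolved: Optional[date] = None  # when outcome left "open"; None while open

    def status_on(self, as_of: date) -> str:
        """State of this finding at the end of `as_of` (or "absent" if not yet raised)."""
        if self.created > as_of:
            return "absent"
        if self.outcome != "open" and self.resolved is not None and self.resolved <= as_of:
            return self.outcome
        return "open"

    @property
    def weight(self) -> int:
        return SEVERITY_WEIGHT[self.severity]


def snapshot(findings: List[Finding], as_of: date, supplier: Optional[str] = None) -> dict:
    """Cumulative position at `as_of`: everything identified so far, split by state."""
    initial = active = accepted = 0
    for f in findings:
        if supplier is not None and f.supplier != supplier:
            continue
        state = f.status_on(as_of)
        if state == "absent":
            continue
        initial += f.weight
        if state == "open":
            active += f.weight
        elif state == "accepted":
            accepted += f.weight
    # Closed findings contribute nothing, so "reduced" is what remediation removed.
    return {
        "initial": initial,
        "active_residual": active,
        "accepted": accepted,
        "reduced": initial - active - accepted,
    }


def trend(findings: List[Finding], previous: date, current: date) -> dict:
    """Direction of active residual risk between two reporting dates."""
    before = snapshot(findings, previous)["active_residual"]
    after = snapshot(findings, current)["active_residual"]
    delta = after - before
    direction = "up" if delta > 0 else "down" if delta < 0 else "flat"
    return {"from": before, "to": after, "delta": delta, "direction": direction}


def burn_down(findings: List[Finding], dates: List[date], supplier: Optional[str] = None) -> List[int]:
    """Active residual risk at each date: the series to plot for leadership."""
    return [snapshot(findings, d, supplier)["active_residual"] for d in dates]


# Constructed register: three suppliers over one quarter.
REGISTER = [
    Finding("acme-hosting", "critical", date(2025, 1, 10), "closed", date(2025, 2, 20)),
    Finding("acme-hosting", "high", date(2025, 1, 10), "accepted", date(2025, 3, 5)),
    Finding("acme-hosting", "medium", date(2025, 1, 10)),
    Finding("beta-payroll", "critical", date(2025, 2, 1), "closed", date(2025, 3, 15)),
    Finding("beta-payroll", "critical", date(2025, 2, 1)),
    Finding("beta-payroll", "critical", date(2025, 2, 1)),
    Finding("gamma-dns", "low", date(2025, 1, 15), "closed", date(2025, 1, 30)),
]
MONTH_ENDS = [date(2025, 1, 31), date(2025, 2, 28), date(2025, 3, 31)]

if __name__ == "__main__":
    print("Q1 position:", snapshot(REGISTER, MONTH_ENDS[-1]))
    print("Trend Jan->Mar:", trend(REGISTER, MONTH_ENDS[0], MONTH_ENDS[-1]))
    for s in ("acme-hosting", "beta-payroll", "gamma-dns"):
        print(f"{s:14} burn-down {burn_down(REGISTER, MONTH_ENDS, s)}")
```

On this sample the quarter-end position is 48 identified, 22 active, 5 accepted, 21 reduced, and the trend from January to March is up (17 to 22) even though four findings were closed in that time, because beta-payroll's three criticals were raised in February. The per-supplier burn-down (acme-hosting 17, 7, 2; beta-payroll 0, 30, 20) is what the period totals hide.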
Why accepted risk visibility matters
Accepted risk gets a bad reputation because it's sometimes used as a dustbin for things no one got around to fixing. Done properly, it's a legitimate and important part of risk management.
Some findings genuinely cannot be resolved — a critical supplier in a market with no viable alternatives may have a security gap you can mitigate but cannot eliminate. Accepting that risk, with a documented rationale, compensating controls, and a named approver, is the right response.
The key requirements for a defensible accepted risk record:
- What is the specific risk being accepted?
- Why is it being accepted rather than remediated?
- What compensating controls are in place (if any)?
- Who approved the acceptance and when?
- Is there a review date — a point at which the acceptance will be reconsidered?
An accepted risk with this documentation is a controlled position. An open finding that was never followed up is not.
Building a residual risk programme in practice
You don't need sophisticated tooling to start tracking residual risk — but you do need some discipline around how findings are managed. The minimum viable process:
- Every identified gap from an assessment becomes a finding with a severity.
- Every finding has an owner and a target resolution date.
- Finding status is reviewed at a regular cadence (at least monthly for critical findings, at least quarterly for the rest).
- Closed findings are documented with how they were resolved.
- Accepted findings are documented with a rationale and review date.
- A summary of open findings, closed findings, and trend is produced for management review at least quarterly.
In a spreadsheet, this is manageable for 10–20 findings. At 100+ findings across 30 suppliers over multiple assessment cycles, a purpose-built tool makes a real difference — both for the quality of tracking and for the ability to generate management-ready reporting quickly.
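The minimum viable process above, together with the accepted-risk record requirements from the previous section, can be checked mechanically even while the register still lives in a spreadsheet. The script below is an added example, not code from the original page or from Supplira: it reads a constructed CSV export, and the column names, the review cadences (31 days for critical, 92 days otherwise) and the sample rows are assumptions. Each row that fails a check is, in the text's terms, an uncontrolled position rather than managed risk.

```python
"""Hygiene checks for a minimum viable findings register.

Added example, not code from the original page or from Supplira. It
encodes the process the text lists (owner, target date, review cadence,
closure record, accepted-risk rationale, approver and review date) as
checks over constructed CSV rows; column names, cadences and the sample
rows are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Assumed review cadence: monthly for critical findings, quarterly for the rest.
REVIEW_INTERVAL = {"critical": timedelta(days=31)}
DEFAULT_REVIEW_INTERVAL = timedelta(days=92)

# Reporting date used by the checks below (assumed).
AS_OF = date(2025, 3, 31)

# Constructed register in the shape a spreadsheet export would have.
REGISTER_CSV = """\
id,supplier,severity,status,owner,target_date,last_reviewed,resolution,rationale,approver,review_date
F-1,acme-hosting,critical,closed,j.smith,2025-02-28,2025-02-20,MFA enforced on admin portal; evidence: screenshot 2025-02-20,,,
F-2,acme-hosting,high,accepted,j.smith,,2025-03-05,,No alternative supplier; backups encrypted at rest as compensating control,ciso,2025-09-05
F-3,acme-hosting,medium,open,,2025-04-30,2025-01-10,,,,
F-4,beta-payroll,critical,open,a.jones,2025-03-01,2025-02-01,,,,
F-5,beta-payroll,critical,accepted,a.jones,,2025-02-15,,,ciso,
F-6,gamma-dns,low,closed,m.lee,2025-01-31,2025-01-30,,,,
"""


def parse_register(text):
    """Rows as dicts keyed by the header; empty cells come back as ''."""
    return list(csv.DictReader(io.StringIO(text)))


def _date(cell):
    return date.fromisoformat(cell) if cell else None


def check_finding(row, today):
    """Return the list of process gaps for one finding (empty means compliant)."""
    issues = []
    status = row["status"]
    if status == "open":
        if not row["owner"]:
            issues.append("no owner")
        target = _date(row["target_date"])
        if target is None:
            issues.append("no target date")
        elif target < today:
            issues.append(f"overdue by {(today - target).days} days")
        interval = REVIEW_INTERVAL.get(row["severity"], DEFAULT_REVIEW_INTERVAL)
        last = _date(row["last_reviewed"])
        if last is None or today - last > interval:
            issues.append("review cadence missed")
    elif status == "closed":
        if not row["resolution"]:
            issues.append("closed without a record of how it was resolved")
    elif status == "accepted":
        # The defensible accepted-risk record: rationale, named approver, review date.
        if not row["rationale"]:
            issues.append("accepted without rationale")
        if not row["approver"]:
            issues.append("accepted without named approver")
        review = _date(row["review_date"])
        if review is None:
            issues.append("accepted without review date")
        elif review <= today:
            issues.append("acceptance review date has passed")
    else:
        issues.append(f"unknown status {status!r}")
    return issues


def audit(rows, today):
    """Map finding id -> issues, only for findings that have at least one."""
    result = {}
    for r in rows:
        issues = check_finding(r, today)
        if issues:
            result[r["id"]] = issues
    return result


def summary(rows, today):
    """Counts by status plus the number of findings that fail any check."""
    counts = {"open": 0, "closed": 0, "accepted": 0}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    counts["uncontrolled"] = len(audit(rows, today))
    return counts


if __name__ == "__main__":
    rows = parse_register(REGISTER_CSV)
    for fid, issues in audit(rows, AS_OF).items():
        print(fid, "->", "; ".join(issues))
    print(summary(rows, AS_OF))
```

On the sample rows only F-1 (closed with evidence) and F-2 (accepted with rationale, approver and a future review date) pass. F-5 shows the failure mode the text warns about: it is marked accepted, but with no rationale and no review date it is a dustbin entry, not a controlled position.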
See residual risk in action
Supplira tracks initial risk, residual risk, accepted risk, and burn-down over time — and generates an executive report in one click. Free for up to 3 suppliers.
Get free access