Certified Governance Risk and Compliance (CGRC) Practice Exam 2025 – All-in-One Guide to Master Your Certification!

Question: 1 / 400

Which of the following relations correctly describes residual risk?

Residual Risk = Threats x Vulnerability x Asset Gap x Control Gap

Residual Risk = Threats x Exploit x Asset Value x Control Gap

Residual Risk = Threats x Exploit x Asset Value x Control Gap

Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

Residual risk is the amount of risk that remains after controls have been applied to mitigate the initial risk. It is important to understand how to quantify this risk accurately. The correct relation indicates that residual risk is calculated as a function of threats, vulnerabilities, asset value, and control gaps.

This formula accounts for the remaining exposure from threats that could exploit vulnerabilities in valuable assets, while also considering the effectiveness of existing controls.

- **Threats** refer to potential dangers or sources of harm that could exploit vulnerabilities.

- **Vulnerabilities** are weaknesses or gaps in your system that threats can exploit.

- **Asset Value** represents the importance or worth of the assets at risk, which gives context to the impact of potential threats.

- **Control Gap** reflects the limitations of the risk mitigation measures in place. This element is crucial because it highlights that even when controls exist, gaps in their effectiveness mean residual risk may remain.

By combining these elements, the formula in the correct answer captures the essence of residual risk—how remaining risks are shaped by ongoing threats, existing vulnerabilities, the value of what is at stake, and the gaps in controls designed to mitigate these risks. Therefore, option
