Which term denotes risk remaining after risk treatment, which may include unidentified risk?

Study for the ANSI / ASIS PAP.1-2012 Physical Asset Protection APP Exam.

Multiple Choice

Which term denotes risk remaining after risk treatment, which may include unidentified risk?

Explanation:
The idea being tested is that after risk treatment, some risk still remains. This leftover risk is called residual risk, and it happens because controls and mitigations can reduce both the likelihood and impact of threats but rarely eliminate all risk entirely. It also acknowledges that not all risks can be identified upfront; unknown or emerging risks may still exist even with a robust program, so there’s always some level of risk that remains and must be monitored and managed within the organization’s risk tolerance.

Prevention focuses on stopping events from happening in the first place, so it’s about reducing exposure early rather than describing what remains after treatment. A Response and Recovery Plan is about what to do during and after an incident, not the amount of risk left. Resilience refers to the system’s ability to withstand, adapt to, and recover from disruptions, which is about capabilities rather than the numerical level of risk remaining.
