Inherent Risk
No controls in place
A theoretical baseline. Shows your raw exposure before any security programme is taken into account. Typically scores at or near the maximum.
Current Risk
With existing controls
The risk level as it stands today. Reflects what your current measures actually achieve. This is your real starting point for treatment decisions.
Target Risk
After planned treatment
The risk level you aim to reach once treatment actions are implemented. Must sit at or below your acceptance threshold.
Residual Risk
The gap to close
The difference between current risk and target risk. Closing this gap is the job of your treatment plan.