Residual risk is the remaining risk that you decide you are willing to live with after reviewing the threats and vulnerabilities and applying safeguards. The residual risks will include the remaining vulnerabilities to the medical record systems after the recommended security controls have been implemented.