Residual risk refers to:

Residual risk is defined as the amount of risk that remains after all internal controls, measures, and mitigation strategies have been implemented. In risk management, organizations identify and assess risks, and then they apply controls to mitigate those risks. However, no control is perfect, and there will always be some level of risk that persists even after these efforts. This is the residual risk.

Understanding residual risk is crucial for any organization, including credit unions, because it helps in continuous risk assessment and management. Organizations must recognize and monitor residual risk so that they can make informed decisions about additional controls or risk acceptance based on the remaining exposure. It is important for auditors to assess residual risk to ensure compliance and effective risk management practices are in place.

In contrast, the other options represent different concepts related to risk. The total risk present before any mitigation focuses on the comprehensive risk landscape before controls are applied, while the initial assessment refers specifically to the first evaluation of risk, and the expected loss from potential fraud addresses a specific type of risk without considering broader mitigation effects. Each of these concepts plays a role in risk management but does not capture the essence of what residual risk entails.