The risk that remains after risk treatment is known as:

Prepare for the PECB Certified ISO/IEC 27001 Lead Auditor Exam with our comprehensive quiz. Test your knowledge with multiple-choice questions and detailed explanations. Get exam-ready!

The risk that remains after risk treatment is referred to as residual risk. This concept is crucial in risk management, particularly in the context of information security and ISO/IEC 27001. When an organization identifies potential risks and implements mitigation measures, some level of risk often remains due to limitations in controls, unforeseen threats, or the need to balance risk against organizational objectives.

Residual risk is important for organizations to understand because it helps them recognize the limitations of their risk management efforts and the necessity of continued monitoring and management of those remaining risks. Acknowledging residual risk allows for informed decision-making regarding whether to accept, transfer, or further treat that risk.

Inherent risk refers to the level of risk that exists before any controls are applied, whereas treated risk is not a commonly recognized term in risk management frameworks. Accepted risk refers to risk that an organization has formally decided to tolerate, but the term does not in itself imply that any treatment measures have been taken.
