Describe the difference between inherent risk and residual risk.


Multiple Choice

Describe the difference between inherent risk and residual risk.

Explanation:
The distinction is between risk measured before and after controls are applied. Inherent risk is the level of risk that exists before any safeguards or mitigations are put in place: the exposure that follows from the business processes involved, the value of the data, and the threat landscape. Residual risk is what remains after controls, safeguards, and procedures have been implemented; it is the exposure that still has to be managed, monitored, or formally accepted within the organization's risk tolerance. In practice, you assess inherent risk first to understand the potential magnitude, then apply controls to reduce it; residual risk is whatever is left once those controls are in place. Residual risk should fall within the organization's risk appetite, with the understanding that some risk always remains. The other answer options don't fit: inherent risk is not the risk after controls, the two are not the same thing, and residual risk is not limited to IT systems.

