In what situation would residual risk be deemed unacceptable?

Residual risk is considered unacceptable when it exceeds initial risk levels because this indicates that the measures taken to mitigate risks have not effectively reduced the risk to a desirable level. The goal of implementing controls and risk management strategies is to lower risk, and if the residual risk is higher than what it originally was, it suggests that either the controls are ineffective or additional risks may have been introduced.

When assessing risk management effectiveness, organizations typically set a benchmark for acceptable risk levels. If the remaining risk after control measures have been applied is greater than the levels identified as acceptable, this represents a failure to adequately protect against potential threats, requiring further action to rectify the situation.

The other scenarios do not present a direct measure of unacceptability: constant residual risk may suggest that the current controls are stable but not necessarily adequate, no controls in place would suggest a different risk assessment approach, and lower residual risk than acceptable reflects a situation where tasks are successfully managed within risk tolerance.