Residual risk
Even after mitigation, some risk remains. That remaining risk is residual. Document it explicitly — sponsors need to know mitigation reduced the risk, not eliminated it. "Mitigated to 30% probability with $X spent" is honest; "mitigated" alone is misleading.
Secondary risks
Your response can create new risks. Hiring a backup vendor to mitigate vendor failure introduces a new risk: vendor coordination overhead. Outsourcing security review reduces compliance risk but introduces dependency on the auditor's timeline. Track secondary risks in the same register — they're first-class risks now.
↳ contingency vs management reserve
Risk-adjusted estimates
Expected Monetary Value (EMV) = probability × impact (in dollars), using the residual probability after mitigation. A 30% chance of a $100K hit = $30K reserved. Sum the EMVs of the risks you quantify to get the contingency reserve target. Not every risk needs this calc; apply it to the high-impact items where the number actually informs a decision, and leave low-impact items as qualitative entries. Caveat: EMV is an expected value, so a reserve sized to the sum covers the average outcome, not the worst case. A large risk that does materialise costs its full impact, not its EMV.
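A worked version of the EMV and reserve arithmetic as an added example, not part of the original notes: a small risk register holding residual (post-mitigation) probabilities, the contingency reserve summed over items above an impact threshold, and a check of whether a mitigation actually lowers expected cost once its price and the secondary risks it creates are counted. The risk names, probabilities, dollar figures and the `Risk`/`contingency_reserve`/`mitigation_worth_it` names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # residual probability that the risk materialises, 0..1
    impact: float       # loss in dollars if it does materialise


def emv(risk: Risk) -> float:
    """Expected Monetary Value of one risk: probability x impact."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    if risk.impact < 0:
        raise ValueError(f"{risk.name}: impact must be non-negative")
    return risk.probability * risk.impact


def contingency_reserve(register: Iterable[Risk], min_impact: float = 0.0) -> float:
    """Contingency reserve target: sum of EMV over the risks that are quantified.

    Items whose impact falls below min_impact are skipped, matching the advice
    to run the calculation only for high-impact entries.
    """
    return sum(emv(r) for r in register if r.impact >= min_impact)


def mitigation_worth_it(before: Risk, after: Risk, mitigation_cost: float,
                        secondary: Sequence[Risk] = ()) -> bool:
    """True if the mitigation lowers expected cost.

    Compares the original EMV against what remains after mitigation:
    the money spent, the residual EMV, and the EMV of any secondary risks
    the response introduced. Those secondary risks sit in the same register
    as first-class entries.
    """
    remaining = mitigation_cost + emv(after) + sum(emv(s) for s in secondary)
    return remaining < emv(before)


# Constructed sample register (residual probabilities, after mitigation).
VENDOR_FAILURE_BEFORE = Risk("primary vendor fails", 0.60, 100_000)
VENDOR_FAILURE_AFTER = Risk("primary vendor fails (backup vendor hired)", 0.30, 100_000)
VENDOR_COORDINATION = Risk("coordination overhead across two vendors", 0.50, 10_000)  # secondary
AUDITOR_TIMELINE = Risk("dependency on auditor's timeline", 0.40, 20_000)             # secondary
TOOLING_DELAY = Risk("minor tooling delay", 0.90, 2_000)

REGISTER = [VENDOR_FAILURE_AFTER, VENDOR_COORDINATION, AUDITOR_TIMELINE, TOOLING_DELAY]
BACKUP_VENDOR_COST = 15_000


def reserve_all() -> float:
    # 30_000 + 5_000 + 8_000 + 1_800
    return contingency_reserve(REGISTER)


def reserve_high_impact() -> float:
    # Same register, but only items with impact >= $10K are quantified.
    return contingency_reserve(REGISTER, min_impact=10_000)


if __name__ == "__main__":
    print(f"reserve, all items:         ${reserve_all():,.0f}")
    print(f"reserve, impact >= $10K:    ${reserve_high_impact():,.0f}")
    worth = mitigation_worth_it(VENDOR_FAILURE_BEFORE, VENDOR_FAILURE_AFTER,
                                BACKUP_VENDOR_COST, secondary=[VENDOR_COORDINATION])
    print(f"backup vendor worth buying: {worth}")
```

The register stores residual probabilities on purpose: that is the number the sponsor needs alongside the money already spent, and it is what the reserve should be sized on. The `min_impact` threshold is the practical form of "not every risk needs this calc".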