Residual risk is the risk that remains after the implementation of risk responses. An effective risk management program should aim to reduce the residual risk to a level that is acceptable by the enterprise, in alignment with its risk appetite and tolerance. The reduction of residual risk indicates that the risk responses are appropriate and effective, and that the enterprise is achieving its objectives while managing its risks. The other options are not necessarily indicative of an effective risk management program, as they may depend on other factors, such as the reporting culture, the audit scope and methodology, and the nature and source of the inherent risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.3.1, pp. 24-25.