Does “residual risk” need to be identified and documented at the same time as the demonstration of elimination or minimization of an identified risk to impartiality?
STANDARD: ISO/IEC 17011 · CLAUSE: 4.4.7&4.4.8 · TOPIC: Impartiality
It is required that when a risk is identified, the AB reacts upon it, to eliminate or minimize it. If a risk is sufficiently low, it can also be directly accepted without elimination or mitigation. If a risk is eliminated, no residual risk should remain, but if a risk is minimized, a residual risk always remains.
It is this residual risk arising from the mitigation that needs to be documented, and this is required to be done before its review (§.4.4.8) and acceptance to occur.