Residual Risk and UAT
Answer: The residual risk does not change from the original identified risk if an organization decides not to mitigate, avoid or transfer the risk (this option is called "retain the risk"). Depending upon the organization's context, there can be many risks related to not performing User Acceptance Testing, like:
- Functionality does not work or does not fulfil the user's requirements in the live environment.
- User's requirements are fulfilled but the output is not what is expected (information integrity problem) (may mean improper specification definition)
For both, the major impact is that the system probably will not be accepted by the client.
This article will provide you further explanation about risk treatment options:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
This article will provide you further explanation about system testing:
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
Aug 11, 2017