After you have determined the security problem, identified the threats and vulnerabilities, performed a cost analysis to identify your budgetary constraints, and applied all safeguards and countermeasures, you have reached what is called the Residual Risk level of security.

When this acceptable risk level has been met, you should have your security policy formally authorized.

Remember: as long as you have one or more PCs connected to a network, you will never achieve a zero risk level.