Understanding the Difference Between Residual Risk and Secondary Risk in Project Management

In every aspect of life, risks are a constant. From making simple daily decisions to undertaking complex business projects, risks shape the outcomes of our choices. While we often try to avoid them, risk is inevitable and, in many cases, it may not be possible to fully avoid or eliminate it. This is particularly evident in the world of project management, where the success or failure of a project can be influenced by various internal and external factors. Understanding the nature of risks, how to manage them, and how to respond when they arise is fundamental to the discipline of project management.

Risk, by definition, is the exposure to the chance of injury, loss, or any form of potential harm. It can be considered a hazard or a dangerous chance that may negatively impact the progress of a project. However, it’s important to recognize that risk doesn’t always mean something bad will happen. Risks may present opportunities for positive outcomes as well. In the context of project management, risks are usually described as uncertain events or conditions that, if they occur, have an impact, positive or negative, on the objectives of a project.

In the PMBOK Guide (Project Management Body of Knowledge), risk is explicitly defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect upon at least one project objective.” This illustrates the dual nature of risk—it can either threaten the success of a project or create an opportunity for achieving project goals more effectively. The PMBOK® Guide emphasizes that risk management is a vital knowledge area for project managers, underscoring the importance of effective planning and responsiveness to unforeseen events throughout the lifecycle of a project.

In the project management process, Risk Management refers to the systematic process of identifying, analyzing, and responding to risk factors throughout the project life cycle. The goal is to minimize the impact of negative risks and maximize the positive impact of any opportunities. Risk management involves strategic decision-making, and project managers must maintain flexibility, adapt to new challenges, and adjust the course of action when necessary.

The Importance of Risk Management

One of the primary reasons risk management is a crucial part of project management is its potential to significantly influence the overall success of a project. Without an adequate risk management strategy, a project is at risk of unforeseen challenges that could derail its progress, increase costs, or lead to the failure of key deliverables. Project managers are expected to have the expertise to manage risks and to create plans to mitigate or avoid risks when possible. These strategies can have a profound impact on achieving project objectives within the constraints of scope, time, cost, and quality.

Risk management in project management isn’t just about preventing harm. It also focuses on recognizing potential opportunities that could improve the project’s outcome. By anticipating and managing risks effectively, project managers can ensure that their projects meet or exceed the defined objectives. Moreover, risks are inherent in every phase of the project lifecycle, and thus risk management should be integrated into each step, from the planning phase to project execution and final delivery.

The complexity and uncertainty inherent in large-scale projects make risk management even more important. For example, in the construction industry, risks may arise due to fluctuations in material costs, environmental conditions, or workforce issues. In software development, risks might involve changes in technology, unexpected technical issues, or evolving customer requirements. By proactively identifying potential risks and preparing for them, project managers can ensure that their projects remain on track and resilient to challenges.

Types of Risks in Project Management

Risk management is not a one-size-fits-all approach; different projects have different types of risks. These risks can be classified into several categories, including:

  1. Internal Risks: These are risks that arise from within the project or the organization. Examples include scope changes, resource shortages, or personnel issues. 
  2. External Risks: These are risks that arise from factors outside the project. These may include market fluctuations, regulatory changes, or natural disasters. 
  3. Technical Risks: These risks pertain to the technology being used in the project, such as unanticipated software bugs or hardware failures. 
  4. Operational Risks: These involve risks related to the operations of the project, such as supply chain disruptions or logistical challenges. 
  5. Financial Risks: These risks involve budget constraints, unexpected cost increases, or the financial instability of stakeholders. 

Understanding the different types of risks and their potential impact is essential for effective risk management. Project managers must identify these risks early in the project and develop strategies to manage them. This approach is crucial for ensuring that risks do not lead to project failure, but rather to successful project delivery.

The Role of a Project Manager in Risk Management

The project manager plays a central role in risk management. A project manager must not only identify and assess risks but also develop and implement effective responses to them. These responses can include risk avoidance, mitigation, transfer, or acceptance. Moreover, the project manager must ensure that there is ongoing monitoring of risks throughout the project’s lifecycle to adjust the response strategies as new risks arise.

Project managers are expected to work collaboratively with stakeholders, team members, and other departments to identify risks. A risk management plan is typically created as part of the project planning phase, which outlines the potential risks, their likelihood, impact, and the strategies to mitigate or manage them. However, risk management doesn’t stop there. Project managers must continuously monitor risks, communicate with stakeholders about changes, and make adjustments to the plan as necessary.

The ability to anticipate risks and effectively manage them is one of the key competencies that define successful project managers. This skill set enables project managers to protect their projects from potential pitfalls, ensuring that they remain on track and that any risks that do arise are addressed promptly and appropriately.

Secondary Risks and Residual Risks

In project management, understanding the different types of risks is essential for effective planning and decision-making. As discussed in the sections above, risk management involves the identification, analysis, and response to various uncertainties that could impact a project. While some risks are straightforward and can be directly mitigated or avoided, others give rise to new challenges once a response plan is implemented. These new challenges are referred to as secondary risks and residual risks. Both play a critical role in the overall risk management process and require distinct strategies for handling them.

What Are Secondary Risks?

The PMBOK Guide defines secondary risks as those risks that arise as a direct consequence of implementing a risk response plan. In other words, once a project manager identifies a primary risk and formulates a plan to address it, the execution of that plan can sometimes give rise to new risks. These new risks are referred to as secondary risks. While these risks are born from the actions taken to mitigate primary risks, they still have the potential to affect the project’s objectives and, therefore, need to be managed appropriately.

Example of Secondary Risks

Imagine a project manager in charge of a software development project. One identified risk is the potential for system downtime during a software update. To mitigate this risk, the manager may decide to schedule the update during off-peak hours to minimize disruption. However, the decision to update during off-peak hours introduces a secondary risk: the possibility of key personnel not being available if issues arise during the update. This secondary risk was created by the response plan to mitigate the primary risk of system downtime.

Similarly, in construction projects, a primary risk might involve delays in the delivery of raw materials. To manage this risk, the project manager might decide to source materials from an alternative supplier. However, this decision could lead to a secondary risk if the quality of the new supplier’s materials is lower than expected, potentially affecting the quality of the final product.

Managing Secondary Risks

Managing secondary risks is crucial because, like primary risks, they can have negative effects on the project. The project manager must assess the secondary risks in terms of their likelihood and impact, just as they did with primary risks. The response strategy for secondary risks often involves creating contingency plans to address these new challenges should they arise.

It is important to note that not all secondary risks require a major response. For low-impact secondary risks, the project manager may decide to monitor the situation closely, keeping the team informed and ready to act if the risk materializes. In other cases, secondary risks may require more detailed risk responses, such as allocating additional resources or adjusting the project timeline.

What Are Residual Risks?

Residual risks refer to the risks that remain after all efforts to mitigate or avoid primary risks have been implemented. These risks are either accepted as unavoidable or considered so minor that no further response is warranted. Essentially, residual risks are the leftover risks that cannot be eliminated or addressed through mitigation efforts. They are the risks that are accepted as part of the project, and the project manager may choose to manage them by setting aside a contingency reserve.

Example of Residual Risks

Consider a construction project in a region prone to heavy rainfall. One of the primary risks identified is the potential for flooding, which could damage the construction site. To mitigate this, the project manager implements measures such as elevating the site, building drainage systems, and reinforcing structures. Despite these measures, the possibility of heavy rainfall leading to flooding still exists. The risk of flooding, after all mitigation efforts, remains a residual risk.

Another example of residual risk might involve the risk of worker injuries on a factory floor. Even after implementing strict safety protocols and training, there remains a low probability that an accident might still occur. This residual risk is accepted by the organization, as the likelihood is deemed sufficiently low and the cost of further mitigation is not considered worthwhile.

Managing Residual Risks

Residual risks are an inevitable part of every project. In many cases, they are minor risks that do not justify further mitigation efforts. However, project managers need to be aware of these risks and ensure that they are appropriately documented in the project’s risk management plan.

There are several strategies that organizations use to manage residual risks:

  1. Acceptance: The most common approach to managing residual risks is to accept them. If the residual risk is deemed to be within the organization’s risk tolerance, no further action may be taken. In this case, the project manager acknowledges the risk but does not allocate additional resources to address it. 
  2. Contingency Planning: For some residual risks, the project manager may decide to create a contingency plan. This is typically done when the residual risk still carries a certain level of concern. A contingency reserve may be set up to handle any unforeseen events that could arise due to these residual risks. 
  3. Monitoring: Even after mitigation measures are in place, it is essential to continue monitoring residual risks. The project manager should track the status of these risks throughout the project’s lifecycle to ensure that they do not escalate into more significant issues. 
  4. Reviewing Risk Tolerance: Residual risks may be reassessed during the project’s lifecycle, especially if new information or changes in the project environment occur. If residual risks become more likely or impactful, the project manager may need to adjust the response strategies accordingly. 

The Difference Between Secondary and Residual Risks

While both secondary and residual risks are common in project management, they have distinct characteristics that set them apart. The key difference lies in their origin and how they are managed:

  1. Origin: Secondary risks arise as a direct result of implementing a risk response plan for a primary risk. Residual risks, on the other hand, are the remaining risks after all mitigation measures for primary risks have been applied. 
  2. Management: Secondary risks require new risk response plans to address the issues created by mitigating primary risks. Residual risks, however, are typically accepted or managed through contingency planning. In some cases, they may be low-impact risks that do not require immediate attention. 
  3. Nature of Risk: Secondary risks are typically the unintended consequences of risk responses, while residual risks are the risks that remain despite efforts to eliminate or reduce the primary risks. 

Project managers need to understand these differences because each type of risk requires a unique approach to management. Secondary risks often require proactive planning and quick responses, while residual risks are often passive and may only need monitoring or acceptance.

The Importance of Understanding Secondary and Residual Risks

Understanding secondary and residual risks is vital for project managers because they are an inherent part of any project. By carefully considering and addressing these risks, project managers can ensure that their projects are better prepared for potential challenges, minimizing the likelihood of unexpected setbacks and delays.

Calculating and Managing Residual Risks

After identifying and responding to primary and secondary risks, residual risks remain a significant consideration in the project management process. While these risks are often accepted as part of the project’s lifecycle, it is still essential for project managers to evaluate and manage them carefully. Residual risk, defined as the remaining risk after all mitigation strategies have been implemented, is an unavoidable aspect of every project. The process of calculating residual risk and managing it effectively ensures that a project can continue to operate smoothly and respond to unforeseen challenges. This section will focus on how to calculate residual risks, why it is important, and the strategies used to manage them.

Understanding Residual Risk Calculation

Residual risk is calculated using a relatively simple formula, but it plays a critical role in assessing the project’s overall risk exposure after mitigation efforts. The formula used for calculating residual risk is:

Residual Risk = Inherent Risk – Impact of Risk Controls

This formula compares the inherent risk (the level of risk that exists before any mitigation measures are applied) to the effectiveness of the mitigation actions taken. In essence, it measures how much of the original risk remains after all risk controls have been applied.

Example of Residual Risk Calculation

Let’s revisit the flood-prone construction project mentioned earlier, treating it here as a dam construction project. The inherent risk for the project is the possibility of catastrophic flooding due to heavy rainfall, which could cause severe damage to the dam and surrounding infrastructure. The estimated cost of this risk, if it were to occur, is $12 million. This figure represents the inherent risk—what would happen if no measures were taken to mitigate the risk.

To address this risk, the project team implements several risk control measures, such as reinforcing the dam structure, enhancing the drainage system, and monitoring weather conditions more closely. These efforts are expected to reduce the impact of flooding but are not guaranteed to prevent it entirely. The cost of implementing these mitigation measures is $8 million.

Using the formula, the calculation of residual risk would be:

Residual Risk = $12 million (Inherent Risk) – $8 million (Impact of Risk Controls) = $4 million

Thus, the residual risk is $4 million. This amount represents the risk that still exists after mitigation efforts have been applied. It is the amount of risk the project is left with, and it must be managed accordingly.

This calculation provides a quantitative way to understand the remaining exposure to risk, which is crucial for effective decision-making. If the residual risk is deemed unacceptable, additional measures may need to be considered. However, if the residual risk is within acceptable levels, the project can proceed with confidence.
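The following is an added example, not code from the article, that puts the residual risk formula above and the acceptance-versus-contingency decision described earlier into a small risk register. It applies the same per-risk subtraction to secondary risks introduced by a response, so the exposure a project actually carries is visible, and it compares each residual against an assumed risk tolerance; all names, figures and the tolerance value are constructed sample data in millions of dollars.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Response:
    """A risk response; 'introduces' holds the secondary risks it creates."""
    name: str
    control_impact: float                  # reduction in exposure credited to this control
    introduces: List["Risk"] = field(default_factory=list)


@dataclass
class Risk:
    """One entry in a risk register; amounts are exposure in $ millions (constructed)."""
    name: str
    inherent: float                        # exposure before any controls are applied
    responses: List[Response] = field(default_factory=list)

    def residual(self) -> float:
        """Article's formula: inherent risk minus the impact of all controls, floored at zero."""
        reduction = sum(r.control_impact for r in self.responses)
        return max(self.inherent - reduction, 0.0)

    def secondary_risks(self) -> List["Risk"]:
        """Every risk introduced by this risk's responses, including nested ones."""
        found: List["Risk"] = []
        for resp in self.responses:
            for sec in resp.introduces:
                found.append(sec)
                found.extend(sec.secondary_risks())
        return found

    def total_exposure(self) -> float:
        """What the project really carries: own residual plus the residuals of its secondaries."""
        return self.residual() + sum(s.residual() for s in self.secondary_risks())


def handling_strategy(risk: Risk, tolerance: float) -> str:
    """Map a residual value to the handling options the article describes."""
    residual = risk.residual()
    if residual == 0.0:
        return "closed"          # controls fully cover the inherent exposure
    if residual <= tolerance:
        return "accept"          # within tolerance: acknowledge it, allocate nothing further
    return "contingency"         # above tolerance: set aside a reserve and keep monitoring


def contingency_reserve(register: List[Risk], tolerance: float) -> float:
    """Reserve = sum of the residuals that exceed tolerance, over primary and secondary risks."""
    reserve = 0.0
    for risk in register:
        for r in [risk] + risk.secondary_risks():
            if handling_strategy(r, tolerance) == "contingency":
                reserve += r.residual()
    return reserve


def build_sample_register() -> List[Risk]:
    """Constructed sample data mirroring the article's dam and supplier examples."""
    flooding = Risk("catastrophic flooding", inherent=12.0)
    flooding.responses.append(
        Response("reinforce dam, improve drainage, monitor weather", control_impact=8.0)
    )
    # Switching supplier addresses late delivery but introduces a quality risk (secondary).
    low_quality = Risk("sub-par materials from new supplier", inherent=1.5)
    low_quality.responses.append(Response("incoming material inspection", control_impact=1.0))
    late_materials = Risk("late material delivery", inherent=3.0)
    late_materials.responses.append(
        Response("source from alternative supplier", control_impact=2.5, introduces=[low_quality])
    )
    return [flooding, late_materials]


if __name__ == "__main__":
    register = build_sample_register()
    tol = 1.0   # assumed organisational tolerance per risk, $ millions
    for risk in register:
        print(f"{risk.name}: residual ${risk.residual():.1f}M -> {handling_strategy(risk, tol)}")
        for sec in risk.secondary_risks():
            print(f"  secondary '{sec.name}': residual ${sec.residual():.1f}M -> {handling_strategy(sec, tol)}")
        print(f"  total exposure carried: ${risk.total_exposure():.1f}M")
    print(f"contingency reserve at tolerance ${tol:.1f}M: ${contingency_reserve(register, tol):.1f}M")
```

With the article's figures the flooding risk yields a $4 million residual, which is accepted at a $5 million tolerance but requires a reserve at a $1 million tolerance.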

Why Residual Risk Calculation Is Important

Calculating residual risk is essential for several reasons. First, it helps project managers understand the overall exposure to risk after implementing mitigation strategies. By calculating residual risk, managers can make informed decisions about whether further mitigation is necessary or if the project can proceed as planned.

Second, residual risk calculation is an important part of risk reporting. Stakeholders, including investors, project sponsors, and senior management, will want to know how much risk remains after all mitigation efforts. This allows them to assess whether the project is worth pursuing and whether the remaining risk is acceptable.

Third, calculating residual risk ensures that appropriate contingency plans are in place. If the residual risk is significant, the project manager may need to set aside additional resources or time to address any unforeseen issues that arise. For example, in the dam construction project, if the residual risk of flooding is high, the project team may decide to allocate more funds for emergency preparedness or invest in additional safety measures.

Lastly, residual risk calculation is often a requirement for compliance with industry standards or certifications. For example, organizations that adhere to international standards like ISO (International Organization for Standardization) often need to calculate residual risk and demonstrate that appropriate controls are in place to manage it. This ensures that the organization has taken all reasonable steps to reduce risks and is prepared for any contingencies.

Strategies for Managing Residual Risks

Once residual risks have been calculated, project managers need to adopt strategies for managing them. While some residual risks may be accepted, others may require further mitigation, contingency planning, or ongoing monitoring. Here are some common strategies used to manage residual risks:

1. Risk Acceptance

The simplest way to manage residual risk is through acceptance. If the residual risk is deemed to be low or within the organization’s risk tolerance, the project manager may choose to accept it. Acceptance means that the project manager acknowledges the risk but does not take additional actions to mitigate it further. This approach is typically used for risks that are unlikely to occur or for those that have minimal impact on the project’s objectives.

For example, a software development project may have a residual risk related to the possibility of a minor bug appearing in the final product. Given that the likelihood of this happening is low and the impact would not significantly affect the overall product, the project manager may choose to accept this residual risk.

2. Contingency Planning

In some cases, residual risks may require a contingency plan. A contingency plan outlines the actions that will be taken if the residual risk materializes. This plan ensures that the project is prepared to respond effectively if the risk occurs.

For example, in a construction project, residual risks such as unexpected weather conditions (e.g., storms or flooding) may still pose a threat despite mitigation measures. The project manager may prepare a contingency plan that includes additional resources, such as temporary workers, backup materials, or alternative construction methods, to handle the risk if it becomes a reality.

3. Risk Transfer

Another strategy for managing residual risk is risk transfer. This involves shifting the responsibility for the risk to another party, typically through insurance, outsourcing, or contractual arrangements. Risk transfer is a useful approach when the cost of managing the residual risk internally is high or when the risk is better handled by a third party.

For example, in a large infrastructure project, a project manager may transfer the risk of damage from natural disasters to an insurance company. By purchasing insurance, the organization ensures that it has financial protection in place in case a residual risk materializes.

4. Risk Avoidance

While risk avoidance is typically used for primary risks, it can sometimes be applied to residual risks as well. If the residual risk is deemed unacceptable or too costly, the project manager may adjust the project scope, timeline, or objectives to avoid the risk entirely.

For example, a project manager working on a technology development project may decide to avoid the risk of delayed software delivery by scaling back the features included in the initial release. By focusing only on the essential features, the team reduces the likelihood of delays and the impact of the residual risk.

5. Continuous Monitoring

Ongoing monitoring is a critical component of managing residual risks. Even after risk mitigation measures have been implemented, project managers should continuously track the status of residual risks. Monitoring allows the project team to stay informed about potential changes or developments that could affect the residual risks.

For example, if a residual risk is related to fluctuating market conditions, project managers should monitor the market regularly to ensure that any changes are identified early. This allows for timely adjustments to the project plan, minimizing the impact of the risk.

Residual risks are an unavoidable aspect of project management. While mitigation efforts can significantly reduce the impact of primary risks, some level of risk will always remain. Calculating and understanding these residual risks allows project managers to make informed decisions about whether to accept, mitigate, transfer, or avoid these risks. By applying appropriate strategies and maintaining effective monitoring, project managers can ensure that the project remains on track and resilient to challenges.

Distinguishing Between Secondary and Residual Risks

In the process of managing risks in project management, project managers need to distinguish between the different types of risks that may arise during the project lifecycle. Secondary and residual risks are two such categories that often overlap or cause confusion. While both refer to risks that occur after initial risk responses have been implemented, they have distinct characteristics that require different management approaches. Understanding the differences between secondary and residual risks is critical for effective risk management, as each type requires its own set of strategies for monitoring and mitigation.

Key Differences Between Secondary and Residual Risks

Although both secondary and residual risks are types of risks that remain after initial mitigation efforts, there are key differences between the two in terms of their origin, nature, and the response strategies required. Understanding these differences will help project managers allocate resources and apply the most appropriate management techniques.

Origin of the Risks

The most fundamental difference between secondary and residual risks lies in their origin.

  • Secondary Risks are those risks that arise as a direct result of the implementation of a risk response. When a primary risk is identified, a response plan is created to manage that risk. However, the execution of the response plan can sometimes trigger new risks. These newly identified risks are known as secondary risks. Essentially, secondary risks are the unintended consequences of risk responses. 
  • Residual Risks, on the other hand, refer to the remaining risks that persist after all mitigation strategies have been applied to manage primary risks. These risks are the leftover risks that cannot be completely eliminated through response plans. Residual risks are either accepted as part of the project or require minimal mitigation, and they generally fall within the organization’s risk tolerance levels. 

For example, in a construction project, a primary risk might involve a delay in material delivery. The response plan might be to source materials from a different supplier. However, this could result in a secondary risk of receiving subpar quality materials from the new supplier. The residual risk might involve the possibility that the materials still cause minor delays in the overall project, even though the supplier switch has been made.

Nature of the Risks

Secondary risks and residual risks also differ in terms of their nature and the level of control project managers have over them.

  • Secondary Risks typically arise from the actions taken to address other risks. They are often more specific to the mitigation response and can usually be tracked or monitored directly. Secondary risks tend to be more manageable because they are consequences of specific actions or decisions made to address a primary risk. 
  • Residual Risks, however, represent the risk that remains after all possible mitigation strategies have been exhausted. These risks may have no direct response plan, especially if they are deemed to be too minor or unlikely to occur. Residual risks are generally more difficult to manage because they are accepted as part of the project, and they may not always warrant further action. 

In other words, while secondary risks are more reactive and are directly linked to mitigating primary risks, residual risks are more passive and reflect the risks that remain despite efforts to mitigate all known issues.

Response Strategies

The strategies for managing secondary and residual risks are significantly different because of their distinct characteristics.

  • Secondary Risks require immediate attention as they result from the implementation of a risk response. When a secondary risk arises, the project manager needs to assess its impact and likelihood, and decide whether a new risk response is necessary. Secondary risks are often managed through updated response plans, corrective actions, or contingency strategies. These risks may require the same level of attention as primary risks, depending on their impact on the project’s objectives. 
  • Residual Risks, on the other hand, often do not require a significant response plan. If the risk is deemed to be minor or acceptable, the project manager may choose to accept it without further intervention. For residual risks that are deemed to have a larger impact, a contingency plan or monitoring may be put in place, but further mitigation efforts are generally not warranted. The key to managing residual risks is understanding the organization’s risk tolerance and deciding whether the remaining risk is acceptable within that framework. 

For example, if the secondary risk involves a supplier’s failure to meet quality standards after an alternative supplier was chosen, the response might be to find another supplier or to inspect the materials more thoroughly before they are used. However, if the residual risk involves the slight possibility of a minor delay due to unforeseen circumstances like weather, the project manager may simply accept it or put a contingency plan in place to manage the potential delay.

Monitoring and Reporting

The process of monitoring and reporting secondary and residual risks also differs.

  • Secondary Risks require ongoing monitoring because they are closely tied to the implementation of the risk response plans. Project managers should track these risks in real-time to ensure that they do not escalate or negatively impact the project. Monitoring secondary risks is critical to ensuring that the risk responses remain effective and that new risks are detected and managed promptly. 
  • Residual Risks are typically monitored less frequently. Once a residual risk is identified and accepted, it may not require as much attention unless its likelihood or impact increases. Residual risks are often reported as part of the overall risk assessment but do not usually warrant detailed tracking unless they begin to escalate. In some cases, residual risks are only reviewed during the project’s regular risk reviews or in response to specific incidents. 

Examples of Secondary and Residual Risks

Understanding these differences becomes clearer when considering real-world examples of secondary and residual risks in different industries.

Secondary Risks in Construction

In a construction project, a primary risk might involve the risk of delays due to bad weather. To mitigate this, the project manager might implement a plan to work longer hours or reschedule tasks. However, this response might create a secondary risk: worker fatigue from extended working hours could lead to lower productivity, injuries, or mistakes.

In this case, the secondary risk—worker fatigue—has arisen as a direct result of the risk response to manage the primary risk—bad weather. The project manager would then need to evaluate the severity of this secondary risk and develop a plan to manage it, such as ensuring workers take adequate rest breaks or hiring additional staff to alleviate the strain.

Residual Risks in Software Development

In software development, a primary risk might involve the potential for a system crash due to untested code. The project manager decides to implement a rigorous testing process to minimize this risk. After conducting the tests, the team finds and fixes most issues, but there remains a very low chance that a bug might cause a system failure during production.

This remaining risk, although small, is a residual risk. While the project has taken all possible steps to prevent a failure, the risk of an undetected bug still exists. The project manager may choose to accept this residual risk, considering it too unlikely to cause significant issues. A contingency plan might be developed to address the problem if it arises, but it is not actively managed unless necessary.

Conclusion

In summary, understanding the distinctions between secondary and residual risks is critical for effective project management. Secondary risks arise as a direct result of implementing a response to a primary risk, while residual risks are the remaining risks after all mitigation efforts have been applied. The two types of risks require different management approaches. Secondary risks are more active and often require immediate attention, while residual risks are typically accepted or monitored without the need for further intervention.

Project managers must be aware of both secondary and residual risks throughout the project lifecycle to ensure that all potential risks are properly accounted for and managed. By understanding these risks and applying the appropriate management strategies, project managers can help ensure the success of their projects and minimize any negative impact from unforeseen challenges.
