We all face risks on a daily basis. We might panic, or try not to take any overt risks, and even try to avoid them, but risks are inevitable; they eventually find their way into our lives. The same goes for business organizations. A risk is defined as “the exposure to the chance of injury or loss - a hazard or dangerous chance.”
The PMBOK® Guide defines risk as “An uncertain event or condition that, if it occurs, has a positive or negative effect upon at least one project objective.” A risk does not necessarily always harm a project. A project may also obtain a positive outcome from a risk event. The PMBOK Guide also states that Risk Management is one of the ten knowledge areas where a project manager should be competent.
Project Managers are trained in risk management to ensure that risks are kept to a minimum in their projects. This means project managers need to be able to think outside the box and not take the same route again. Risk Management is “the process of identifying, analyzing, and responding to risk factors throughout the life of a project in the best interest of its objectives.”
What Types of Risks Are There?
Aside from the primary risk inherent in any project, activities may also involve secondary and residual risks. Let’s take a look at residual vs. secondary risk.
What Are Secondary Risks?
The PMBOK Guide defines secondary risks as “those risks that arise as a direct outcome of implementing a risk response.” In other words, you identify a risk and have a response plan in place to deal with it. Once this plan is implemented, any new risk that arises from the implementation is a secondary risk.
A response plan is created depending on the impact of these risks on a project. A high-impact risk will require a response plan, whereas a risk that seems negligible will only be watched by managers.
As an example, imagine you are the project manager for a construction project. From past experience, you know that one main risk that you may face is that the sand supplier may not deliver on time. In the risk management plan you create, you have already accounted for this risk. The action you will take if this were to occur could be to procure the sand from a different supplier. A potential risk that you may encounter is that there may be differences in the sand provided by the first and second supplier, which would then be a secondary risk.
What Are Residual Risks?
Residual risks are the leftover risks, the minor risks that remain. The PMBOK Guide defines residual risks as “those risks that are expected to remain after the planned response of risk has been taken, as well as those that have been deliberately accepted.”
Residual risks fall within the organization’s risk tolerance level or, in some cases, have no reasonable response. Managers simply accept them the way they are. If it has to happen, it will happen, and there isn’t much you can do about it.
These risks are identified during the process of planning. A contingency reserve is set up to manage risks such as these.
Organizations should address residual risks by:
- Identifying relevant governance, risk, and compliance requirements
- Acknowledging existing risks
- Determining the strengths and weaknesses of the organization's control framework
- Defining the organization's risk appetite
- Planning for appropriate contingencies
For example, constructing a dam is among the riskiest projects possible. Obvious risks to the success of the project include poor quality of the material used, improper technique, poorly skilled labour, improper identification of an ideal work site, geographical factors, and many more. These risks stand out as obvious factors that can stall the project, so the manager will address them by ensuring that they are mitigated. But there still remain certain leftover or residual risks. These include worker strikes, natural calamities, or even the outbreak of war. The concept of residual risk exists in every project conceivable.
Why is Residual Risk Calculation Important?
Calculating residual risk ensures that the project has security controls implemented in the event of a sudden calamity. It is also a mandatory aspect of certification by the International Organization for Standardization.
How to Calculate Residual Risk?
The classical residual risk calculation formula:
Residual risk = Inherent risk – the impact of risk controls
Let’s consider an example to understand the formula better. Going back to the previous example of dam construction, the organization understands that there is a risk of heavy rainfall in the area, which will push the dam's capabilities to their limits with a possibility of catastrophic failure. They estimate that the risk to the project rests at $12 million. This amount is calculated assuming no measures are taken to mitigate the risk. To avoid that, they put risk mitigation into full effect by performing maintenance checks, drilling the workforce on site, and renovating and repairing the structure. The overall cost of this operation will be $8 million.
By using the formula for residual risk, we find out that,
Residual risk = $12 million – $8 million = $4 million
This indicates that after all risk mitigation efforts, the residual risks to the project amounted to $4 million.
How is Residual Risk Managed?
This begs the question: how do you manage residual risk? Let's look at some of the standard techniques that are used:
Do nothing
As silly as it may sound, if the likelihood of a risk being triggered is very low, or if the cost of the residual risk is negligible, the organization may decide to do nothing about it.
Update existing control factors
If the residual risk is not below an acceptable level, the organization may update existing protocols and control measures to further decrease the risk to a reasonable level.
Evaluation of risk mitigation cost to residual risk cost
If the level of residual risk still hovers above acceptable levels, there is one last option the organization may look to. They can weigh the cost of risk mitigation and the residual risk cost to the project and take a call as to whether it is feasible to reduce risks further.
What’s the Difference Between Secondary and Residual Risks?
The table below compares and contrasts these risks:
|Those risks which arise as a direct outcome of implementing a risk response
|Those risks which are expected to remain after the planned response of risk has been taken, as well as those that have been deliberately accepted
|Not always – depends
|Action to take
|Creation of a response plan
|A contingency plan
|Putting out a trap for an animal in your field but a member of the family getting caught in it instead
|You end up attending the meeting remotely
Understanding how to identify and manage risk is a part of everyone’s life. For an aspiring project manager, learning how to distinguish and plan for different types of risks will help you more efficiently manage resources and time.
PMBOK is a registered trademark of the Project Management Institute, Inc.