Residual Risk vs Secondary Risk
We run into risks on a daily basis. We panic, we try not to take any overt risks, we try to avoid them, but risks are inevitable. They eventually find their way into our lives. The same goes for business organizations. A risk is defined as "the exposure to the chance of injury or loss - a hazard or dangerous chance". The PMBOK® Guide defines a risk as, "An uncertain event or condition that, if occurs, has a positive or negative effect upon at least one project objective." A risk does not necessarily always harm a project. A project may also obtain a positive outcome from a risk event.
Project managers are, however, trained in risk management to ensure that risks are kept to a minimum in their projects. It requires project managers to think outside the box and not take the same route again. Risk Management is "the process of identifying, analyzing, and responding to risk factors throughout the life of a project in the best interest of its objectives". The Project Management Institute's PMBOK® Guide states that for a project manager, Risk Management is one of the ten knowledge areas to be competent in.
Types of Risks
Aside from the primary risk inherent in any project, activities may also involve secondary and residual risks.
The PMBOK® Guide defines Secondary Risks as "those risks that arise as a direct outcome of implementing a risk response". In simple terms, you identify a risk and have a response plan in place to deal with that risk. Once this plan is implemented, the new risk that may arise from the implementation is called a secondary risk.
A response plan is created depending on the impact of these risks on a project. A high-impact risk will require a response plan, whereas if the risk seems negligible, it will only be watched by managers.
Consider an illustration: you set a trap for a wild animal that has been coming to your garden at night and destroying it. However, there is a chance that a member of your family or a guest at your house might get caught in this trap.
Or, assume you are the manager for a construction project. From past experience, you know that one main risk that you may face is that the sand supplier may not deliver on time. In the risk management plan you create, you have already accounted for this risk. The action you will take if this occurs is to procure the sand from a different supplier. A potential risk that you may then encounter is a difference between the sand provided by the first supplier and that provided by the second, which would be a secondary risk.
Residual risks are the leftover risks, the minor risks that remain. The PMBOK® Guide defines Residual Risks as "those risks that are expected to remain after the planned response of risk has been taken, as well as those that have been deliberately accepted".
They fall within the organization's risk tolerance level. Sometimes a residual risk has no reasonable response either. Managers simply accept them the way they are. If it has to happen, it will happen, and there isn't much you can do about it.
These risks are identified during the process of planning. A contingency reserve is set up to manage risks such as these.
Organizations should address residual risks by:
- Identifying the relevant governance, risk, and compliance requirements.
- Acknowledging existing risks.
- Determining the strengths and weaknesses of the organization's control framework.
- Defining the organization's risk appetite.
- Planning for appropriate contingencies.
For instance, you may have established a risk of rain that may last an hour or two and which may disrupt some of your planned meetings. To manage this risk, you have scheduled your other meetings with a buffer of a couple of hours, so that even if it rains for 2 hours, your other plans are not disrupted.
This doesn’t eliminate the risk of your schedule getting messed up, but only lowers it. Whatever risk still remains is termed “residual risk”. As an example, it is possible that it continues to pour down, which disrupts your subsequent meetings. So the contingency plan (if the risk occurs) could be that you attend the meeting remotely, over the phone.
This may lead to another risk: that your presence during the meeting may not be as effective or impactful as it would have been had there been no rain and you were present in person. This is a secondary risk.
| | Secondary Risks | Residual Risks |
|---|---|---|
| Definition | Those risks which arise as a direct outcome of implementing a risk response | Those risks which are expected to remain after the planned response of risk has been taken, as well as those that have been deliberately accepted |
| Action Required? | Yes | Not always – depends |
| Action to take | Creation of a response plan | A contingency plan |
| Example | Putting out a trap for an animal in your field but a member of the family getting caught in it instead | You end up attending the meeting remotely |
PMBOK is a registered trademark of the Project Management Institute, Inc.