In my PMP and PMI-RMP classes, I have found that candidates often need more clarity on these two topics, as the terms seem almost similar. This urged me to write this post.
On a daily basis, we run into so many risks in our life. We struggle, we panic, we try not to take any overt risks, we try to avoid them, but risks are inevitable. They eventually find their way into our lives. The same stands for business organizations.
As per the PMBOK® Guide, apart from Primary risks, which are uncertain events or conditions that, if they occur, may have an impact (either positive or negative) on the project objectives, there are also Secondary risks and Residual risks.
Secondary risks are defined as risks which arise as a direct outcome of implementing a risk response. Since every activity involves risk, and risk responses themselves are no exception, implementing a risk response will result in new risks for the project.
Sometimes Secondary risks may be more significant than the Primary risks if we are not careful. In other words, attempts to manage risk can potentially result in an overall increase in risk.
For this reason, Secondary risks are also evaluated for their severity. They may or may not need a response plan depending on their impact on the project objective. If the impact is high, you will create a response plan; if it is negligible, you will just keep them on the watch list.
Residual risks are those risks which are expected to remain after the planned risk response has been taken, as well as those that have been deliberately accepted without any risk response (maybe because the cost of the risk response is more than the cost of dealing with the risk, or because you have no control over the risk).
Residual risks are the leftover risks, the minor risks that remain.
Again, in the case of Residual risks, you will ensure that each residual risk is evaluated properly. If you see that no action is required, you will keep them on the watch list. However, if they require any action, you must reduce the probability or impact of the risk.
Now let’s understand these two terms with a few examples:
Example: Let’s say you are planning an outdoor annual event. Because there is a chance of rain, you decide to mitigate the risk of the employees getting wet and not having fun by putting up a tent. In this case, the Secondary Risk will be that someone will trip over the tent poles and get injured. There is still some Residual Risk that the employees will get wet walking from the parking lot to the tent.
Another example: Let’s say you are building a home and you have found a supplier to provide you with bricks. You have a risk that they do not deliver the bricks on the delivery date. You decide that the action you will take if this occurs is to procure the bricks from a different supplier. This is your response plan. You have dramatically mitigated the risk of not having enough bricks on time, but on the other hand you have generated a Secondary Risk: bricks supplied by a different supplier may not be of the same quality, size, material, manufacturing process and so on. This is the Secondary Risk, which you can Avoid, Mitigate, or even Accept. It’s your decision. The Residual Risk in this case can be that the supplier company may go bankrupt and as a result fail to deliver. You don’t have any control over this risk, so for this kind of risk you just need to monitor.
Risk management is an integral component of project management. It requires the project manager to identify, analyze and monitor all these types of risks throughout the project. Project managers are trained in risk management to ensure that risks are kept to a minimum in their projects. It requires project managers to think outside the box and not take the same route again.
Residual and secondary risks are identified risks, and you will create a response for each of them (if required). If any of these risks do not require a response plan, you will keep them on a watch list for future monitoring. You will use the contingency reserve to manage these risks.