Secondary Risks and Residual Risks
Secondary risks are new risks that arise as a direct result of implementing a risk response. Residual risks are risks that remain after planned responses have been implemented, including minor risks that were deliberately accepted.
Explanation
When a risk response is executed, it may inadvertently create new risks. These new risks, called secondary risks, must be identified, analyzed, and managed just like any primary risk. For example, if the team transfers a risk by outsourcing a component to a vendor, a secondary risk might emerge: the vendor may not meet quality standards. This secondary risk needs its own response strategy.
Residual risks are the risks that persist after all planned responses have been applied. No risk response eliminates all exposure entirely (except avoidance, which eliminates the specific risk). Mitigation reduces probability or impact, but some level of risk remains. This residual risk should be documented and communicated to stakeholders, and it may require contingency reserves.
Both secondary and residual risks must be recorded in the risk register and monitored throughout the project. They should go through the same qualitative and quantitative analysis processes as primary risks. Failure to account for secondary and residual risks can lead to underestimating the project's true risk exposure.
Key Points
- Secondary risks arise from implementing a risk response
- Residual risks remain after planned responses are executed
- Both must be documented in the risk register and managed like primary risks
- Contingency reserves may be needed for accepted residual risks
Exam Tip
A classic exam question: "A new risk emerged after implementing a response." This is a secondary risk. Know the difference between secondary (caused by the response) and residual (remaining after the response).
Related Topics
Mitigate (Risk Strategy)
Mitigate is a threat response strategy that reduces the probability of occurrence and/or the impact of a threat to within acceptable limits. The risk is not eliminated but brought to a manageable level.
Plan Risk Responses
Plan Risk Responses is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure and to treat individual project risks.
Monitor Risks
Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.
Risk Register
The risk register is a project document that records the details of individual project risks, including their identification, analysis results, response plans, and current status.