Intro to Project Management: Project Risk Management - Residual vs. Secondary Risks

What This Is

Residual and secondary risks are two types of risks that project managers need to identify, assess, and mitigate to ensure successful project delivery. Residual risks are the risks that remain after all identified risks have been addressed, while secondary risks are new risks that arise from the implementation of risk responses. Understanding the difference between these two types of risks is crucial for effective risk management.

For example, consider a project to build a new highway. The project manager identifies risks such as inclement weather, labor shortages, and material delays. After implementing risk responses, such as hiring additional labor and using weather-resistant materials, the project manager realizes that there is still a risk of accidents on the highway due to the new design. This is a residual risk. However, during the construction process, the project manager discovers that the new design also creates a risk of increased traffic congestion in the surrounding area. This is a secondary risk.

Key Terms & Formulas

• Residual Risk: The risk that remains after all identified risks have been addressed.
• Secondary Risk: A new risk that arises from the implementation of risk responses.
• Risk Matrix: A tool used to categorize and prioritize risks based on their likelihood and impact.
• Risk Register: A document that tracks and monitors risks throughout the project.
• Risk Response: A plan to mitigate or manage a risk.
• Risk Tolerance: The level of risk that an organization is willing to accept.
• Risk Appetite: The level of risk that an organization is willing to take on.
• Expected Monetary Value (EMV): The expected value of a risk, calculated as the product of the probability and impact of the risk.
• EMV = P × I (Expected Monetary Value = Probability × Impact)
• Sensitivity Analysis: A technique used to analyze how changes in assumptions affect the project's outcome.

Step-by-Step / Process Flow

1. Identify Risks: Use tools such as the risk matrix and risk register to identify potential risks.
2. Qualify Risks: Assess the likelihood and impact of each risk to determine its level of risk.
3. Plan Responses: Develop a risk response plan to mitigate or manage each risk.
4. Monitor Risks: Continuously monitor risks throughout the project and update the risk register as necessary.
5. Review and Update: Review and update the risk register regularly to ensure that the risk management plan remains effective.

Common Mistakes

• Mistake: Failing to identify residual risks after implementing risk responses.
• Correction: Continuously monitor risks and update the risk register to ensure that all risks are addressed.
• Mistake: Confusing secondary risks with residual risks.
• Correction: Distinguish between secondary risks, which arise from the implementation of risk responses, and residual risks, which remain after all identified risks have been addressed.
• Mistake: Failing to consider the impact of secondary risks on the project.
• Correction: Continuously monitor the project for secondary risks and update the risk management plan as necessary.

Exam Tips

• Tip: Be able to distinguish between residual and secondary risks.
• Tip: Understand the importance of risk tolerance and risk appetite in risk management.
• Tip: Be familiar with the risk matrix and risk register tools.

Quick Practice Questions

1. If a project manager identifies a risk of inclement weather and implements a risk response by hiring additional labor, what type of risk is the risk of accidents on the highway due to the new design? Answer: Residual risk. Explanation: The risk of accidents on the highway is a residual risk because it remains after the project manager has addressed the risk of inclement weather.
2. If a project manager discovers a new risk of increased traffic congestion in the surrounding area due to the new design, what type of risk is this? Answer: Secondary risk. Explanation: The risk of increased traffic congestion is a secondary risk because it arises from the implementation of the risk response to the risk of inclement weather.
3. If a project manager has a risk tolerance of 10% and a risk appetite of 20%, what does this mean for the project? Answer: The project manager is willing to accept a higher level of risk than the organization is willing to tolerate. Explanation: The project manager's risk appetite is higher than their risk tolerance, which means they are willing to take on more risk than the organization is willing to accept.

Last-Minute Cram Sheet

• Residual Risk: The risk that remains after all identified risks have been addressed.
• Secondary Risk: A new risk that arises from the implementation of risk responses.
• Risk Matrix: A tool used to categorize and prioritize risks based on their likelihood and impact.
• Risk Register: A document that tracks and monitors risks throughout the project.
• Risk Response: A plan to mitigate or manage a risk.
• Risk Tolerance: The level of risk that an organization is willing to accept.
• Risk Appetite: The level of risk that an organization is willing to take on.
• Expected Monetary Value (EMV): The expected value of a risk, calculated as the product of the probability and impact of the risk.
• EMV = P × I (Expected Monetary Value = Probability × Impact)
• Sensitivity Analysis: A technique used to analyze how changes in assumptions affect the project's outcome.
• Residual Risk-Secondary Risk: Understand the difference between residual and secondary risks.
• Risk Tolerance-Risk Appetite: Understand the difference between risk tolerance and risk appetite.
• Risk Matrix-Risk Register: Understand the difference between the risk matrix and risk register tools.