I have discussed risks and risk-related terms, including secondary risks and residual risks. But I see many professionals having issues with understanding these two risks.
They think residual and secondary risks are unknown risks and we use a fallback plan for them and use the management reserve if they occur.
Please understand this: residual and secondary risks are identified risks. You will carry out the contingency plan if any identified risk occurs and apply the fallback plan if it fails. In both cases, you will use the contingency reserve because it is for identified risks.
You will use the management reserve when any unidentified risk occurs.
Secondary Risks
A risk is an uncertain event and if it occurs it can affect your project objectives.
You will develop a risk response plan so you can either avoid or mitigate the impact. Often, this response can create a new risk. This new risk is a secondary risk.
According to the PMBOK Guide 6th edition, “secondary risks are those risks that arise as a direct result of implementing a risk response.”
Simply put, you have developed a response plan for risk and this caused a new one. This is known as a secondary risk.
Example of Secondary Risks
Let’s say you have excavated a trench to stop animals from walking through your land. However, during the night, a traveler passing by falls into the trench.
This is an example of a secondary risk.
If your response plan creates a secondary risk, you will analyze it and develop a risk response plan, if required.
If the impact is very low, you will keep it on the watch list.
Residual Risks
You have identified a risk and developed a response plan to manage this risk. However, this response plan does not completely remove the risk. The residue remains, which is called residual risk.
According to the PMBOK Guide 6th edition, “residual risks are those risks that are expected to remain after the planned responses of risks have been taken, as well as those that have been deliberately accepted.”
Example of a Residual Risk
Let’s say you have identified a risk that it may rain for one to two hours. Therefore, you have created a contingency plan to manage this risk.
But what will happen if the rain falls for more than two hours?
You will develop a fallback plan.
This is an example of residual risk.
As a project manager, you should ensure that residual risks are evaluated properly. If it is a low priority, you should keep it on the watch list. For high priority risks, you will develop a risk response plan to mitigate their impact.
Please note that for all risks, if the trigger hits, you will implement the response plan. This plan can be either a contingency or a fallback plan.
For a primary or secondary risk, you will implement the contingency plan, and for residual risk, you will implement the fallback plan.
You will use the contingency reserve if any of these risks occur, not the management reserve. The contingency reserve is used for identified risks and the management reserve is used for unidentified risks.
Summary
Most often, residual and secondary risks are ignored and project managers don’t develop a response plan. They only focus on primary risks and avoid spending time on secondary and residual risks. Don’t do this. These risks are equally important. Ignoring them will jeopardize your project’s success.
How do you identify and manage residual and secondary risks? Please share your experiences in the comments section.
Mr. Fahad
You mentioned in your blog that fall back plan are used for residual risks . But as per what i understand fall back plan are used only if the contingency plan is inadequate to solve the problem.
Please correct me if i am wrong.
Please refer to the following blog post:
https://pmstudycircle.com/2012/02/contingency-plan-vs-fallback-plan/
hi all,
I have some queries on the priorities regards to risk, hope someone can advise me
q1) when a risk triggered, do we first
a) inform the stakeholder , or
b) implement the risk response plan
q2) when a new risk occur, do we (which is first, second and third)
a) update in the risk register
b) analyse the impact
c) inform the stakeholder
When the trigger occurs, risk action owner will take the action and implement the risk response plan.
When any new (un-identified) risk occurs, you will manage it through workaround.
Thanks Fahad!
for un-identified risk, I had thought we have to analyze the impact first before anything?
for both of my questions, I assume ‘notifying stakeholder’ is NOT the first thing to do.
You are welcome Martin.
Hi Fahad,
Thank you for precisely explaining residual and secondary risk in your blog. My question is regarding secondary risk. what is the name of the risk response plan for the secondary risk? For example, we have a contingency plan for primary risk. I am trying to understand is there any such similar response plan available for secondary risk?
Regards,
Bala
Since these are identified risks, they will be covered in contingency plan.
Risks that are caused by the response to another risk is Residual or Secondary Risks.
Iam trying to buy 400pmp exam sample qs . but is not possible. pl let me how we can get it
From the below given link you can buy the PMP Question Bank.
https://pmstudycircle.com/pmp-question-bank/
Hi
Residual risk : what is ‘leftover’ after implementing a contingency plan
Secondary risk: New risk after implementing a contingency plan
So, if you sub contract out a piece of work to another contractor (transfer), if the contractor go bust, is that a residual risk or secondary risk. For me, it sounds like a secondary risk.
but if the contractor were to have some delay to its deliverable to your project, it is seen as a residual risk.
Comments?
The first case represents a “residual” risk, because the risk impact stays the same (choosing transfer as risk response is mainly to minimize the liability or to address a technical/ expertise gap in the company), so this will stay the same for the 1st case, thus it is a residual risk. As for the 2nd case, it is a secondary risk since the risk impact is different than primary risk impact. In this case, the impact could be delays to project schedule.
I hope this makes sense
Fahad – Your study notes which are basically an expert clarification has helped alot to me, i could review it time to time to check my understanding and i cleared my PMP exam with (2 Moderately Proficient and 3 Proficient) in my first attempt.
You are giving a great service to this community. God bless you.
Congratulation Nitesh for passing the PMP exam. I’m glad that my blog helped you in your study.
Thank You so much! this breaks it down very well!!
You’re welcome Niikay…
Please explain the difference b/w fall back plan, work around and contingency plan …all are same ?
Regarding fall back and contingency plan, you can read this blog post:
https://pmstudycircle.com/2012/02/contingency-plan-vs-fallback-plan/
And, workaround is an adhoc response when any unidentified risk occurs.
Thank you very much Fahad for your explanation . But I confused when can use response plan and contingency plan ??!!
Both plans (contingency and fall back) are risk response plan.
Fahad,
Thanks for your blog, I also bought your book the PMP Question Bank and so far, I am averaging approximately 82% (my goal is 85%). Kindly correct me if I am wrong, initially I thought contingency reserves were used for accepted– at least that’s what I think I read in another book-used when a proactive risk approached is being used). Then I realized this is not the case, but it rather applies when basically when using ” risk mitigation” where residual or secondary risks remain or come to existence.
Is my thought process wrong; kindly assist.
Btw, do you have other books of questions for the PMP exam, if, I would like to know how to obtain them.
VR
Yes. Contingency reserve is used for identified risks. Primary risks, secondary risks, residual risks, these are all identified risks.
No, I don’t have any other question bank accept the one that you already have with you.
Good luck on your PMP exam.