I have discussed risks and risk-related terms, including secondary risks and residual risks. But I see many professionals having issues with understanding these two risks.
They think residual and secondary risks are unknown risks and we use a fallback plan for them and use the management reserve if they occur.
Please understand this: residual and secondary risks are identified risks. You will carry out the contingency plan if any identified risk occurs and apply the fallback plan if it fails. In both cases, you will use the contingency reserve because it is for identified risks.
You will use the management reserve when any unidentified risk occurs.
A risk is an uncertain event and if it occurs it can affect your project objectives.
You will develop a risk response plan so you can either avoid or mitigate the impact. Often, this response can create a new risk. This new risk is a secondary risk.
According to the PMBOK Guide 6th edition, “secondary risks are those risks that arise as a direct result of implementing a risk response.”
Simply put, you have developed a response plan for risk and this caused a new one. This is known as a secondary risk.
Example of Secondary Risks
Let’s say you have excavated a trench to stop animals from walking through your land. However, during the night, a traveler passing by falls into the trench.
This is an example of a secondary risk.
If your response plan creates a secondary risk, you will analyze it and develop a risk response plan, if required.
If the impact is very low, you will keep it on the watch list.
You have identified a risk and developed a response plan to manage this risk. However, this response plan does not completely remove the risk. The residue remains, which is called residual risk.
According to the PMBOK Guide 6th edition, “residual risks are those risks that are expected to remain after the planned responses of risks have been taken, as well as those that have been deliberately accepted.”
Example of a Residual Risk
Let’s say you have identified a risk that it may rain for one to two hours. Therefore, you have created a contingency plan to manage this risk.
But what will happen if the rain falls for more than two hours?
You will develop a fallback plan.
This is an example of residual risk.
As a project manager, you should ensure that residual risks are evaluated properly. If it is a low priority, you should keep it on the watch list. For high priority risks, you will develop a risk response plan to mitigate their impact.
Please note that for all risks, if the trigger hits, you will implement the response plan. This plan can be either a contingency or a fallback plan.
For a primary or secondary risk, you will implement the contingency plan, and for residual risk, you will implement the fallback plan.
You will use the contingency reserve if any of these risks occur, not the management reserve. The contingency reserve is used for identified risks and the management reserve is used for unidentified risks.
Most often, residual and secondary risks are ignored and project managers don’t develop a response plan. They only focus on primary risks and avoid spending time on secondary and residual risks. Don’t do this. These risks are equally important. Ignoring them will jeopardize your project’s success.
How do you identify and manage residual and secondary risks? Please share your experiences in the comments section.