Many professionals think residual risks are unknown risks and that, if they occur, you manage them with a workaround and the management reserve. In other words, they believe residual risks are unidentified risks.
This is a wrong assumption. Residual risks are identified risks. They have defined response plans, and you will use the contingency reserve to manage them, because the contingency reserve is for identified risks while the management reserve is for unidentified risks.
In today’s post, I will explain residual risk, provide an example, and explain how to manage residual risks.
Residual Risk
You have identified risks and developed a response plan. However, when this response plan does not completely eliminate the risk, the remainder is called residual risk.
According to the PMBOK Guide, “residual risks are those risks that are expected to remain after the planned responses of risks have been taken, as well as those that have been deliberately accepted.”
You need to manage residual risks for several reasons. The key reason is that they are risks; they can still affect your project objective, and you must live with them. You must find those risks, and if they require a response, you should develop a risk response plan.
Compliance and regulatory requirements are the second reason for managing residual risks. In some contexts, such as organizations that follow ISO 27001 (the International Organization for Standardization's information security management standard), identifying and managing residual risks is mandatory.
Example of a Residual Risk
Let’s say you have identified a risk that rain may fall for one to two hours and have developed a response plan to manage this risk.
But what happens if the rain falls for more than two hours? Your response plan was not designed for that case, so some risk remains.
This remaining risk is an example of residual risk, and you will develop a fallback plan for it.
As a project manager, you must evaluate residual risks. You should keep low-priority risks on the watch list and develop risk response plans for high-priority risks.
For any risk, if the trigger hits, you will implement the response plan. This plan can be a contingency or a fallback plan.
You will implement the contingency plan for a primary or secondary risk and the fallback plan for residual risks.
Now, we will see how to calculate residual risk. But before that, let’s understand inherent risk, which you will need in order to calculate residual risk.
What is Inherent Risk?
Inherent risk refers to the level of risk that exists without any controls or mitigation measures. It represents the raw or untreated risk.
Put simply, this is the risk present before any interventions, safeguards, or risk response plans are applied.
Inherent risks have a higher potential impact and likelihood because no actions have been taken to reduce them. These risks serve as a baseline for understanding the full scope of risks in their natural state.
The following are the key differences between inherent and residual risks:
- Presence of Controls: Inherent risk does not consider existing controls or management measures, whereas residual risk is the risk remaining after these measures have been applied.
- Risk Level: Inherent risk is higher because it is the risk before any intervention. Residual risk is lower due to the effectiveness of risk management efforts.
- Purpose in Risk Assessment: Inherent risk helps identify the full spectrum of threats, while residual risk helps evaluate the effectiveness of risk response plans.
Calculating Residual Risk
To calculate residual risk, you must know the inherent risk. Residual risk equals the inherent risk minus the impact of the risk control:

Residual Risk = Inherent Risk – Impact of Risk Control

Inherent risk is the risk present when no attempt has been made to mitigate or control the risk.
Strategies to Manage Residual Risks
To manage residual risks, you need to understand the concept of the acceptable level of risk, which depends on the risk attitude of the organization.
You will manage the residual risks as follows:
- No Action: If the residual risk is below the acceptable level, you won’t take any action but will keep it on the watch list for monitoring.
- Develop a Risk Response Plan: If the residual risk is above the acceptable level, you will develop a risk response plan to manage it.
- Accept the Risk: If the residual risk is above the acceptable level but the cost of mitigation exceeds the cost of the risk itself, you will accept the risk.
Residual Risks vs. Secondary Risks
Secondary risks and residual risks differ in their origins and implications.
Secondary risks emerge directly as a consequence of implementing a risk response. For example, if a project manager manages a risk by outsourcing a task, a new risk associated with the vendor’s reliability might arise. These risks are not originally present but become significant due to the actions taken to address the initial risks.
Residual risks, on the other hand, are the risks that remain even after risk responses have been applied. These risks are recognized but cannot be fully eliminated. For instance, after applying all possible mitigation strategies, there might still be a small chance of a risk occurring, and that remaining chance is the residual risk.
Secondary risks result from the actions taken to manage primary risks, whereas residual risks remain the leftover threats despite mitigation efforts.
Summary
Project managers often ignore residual risks and don’t develop a response plan. They only focus on primary risks. Don’t do this. Residual risks are equally important; ignoring them can affect your project objectives.
This topic is important from a PMP and PMI-RMP exam point of view.

I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.
