In project management, risk means any uncertain event that could affect your project's objectives, for better or worse. The PMP exam expects you to know the big picture, but some risk types, especially secondary and residual risks, often confuse students.
This blog post breaks down the main risk categories, explains the difference between secondary and residual risks, and shows you how to handle them. Understanding and managing risk improves your project's chances of success.
Let’s explore what happens when you respond to a risk and how to stay in control.
What is Project Risk?
Risk is uncertainty about future events that may affect project goals. Risks can be negative (threats) or positive (opportunities).
The following table shows the common risk categories:
| Risk Category | Description |
|---|---|
| Technical | Arises from technology, design, and delivery issues, such as untested software or complex engineering. |
| Operational | Relates to day-to-day processes, resource availability, and supply chain. |
| Financial | Concerns budgets, funding, and cost fluctuations; financial risk increases when budgets are tight or markets are volatile. |
| External | Comes from outside the project: political changes, regulations, extreme weather, and market shifts. In the World Economic Forum's Global Risks survey, two-thirds of respondents ranked extreme weather as the top short-term risk, a reminder that external risks should not be ignored. |
Project managers use the risk management process to address uncertainty. This process generally follows five steps: identify risks, analyze them, plan responses, implement responses, and monitor and control. The infographic below illustrates the flow.

Primary, Secondary, and Residual Risks
Primary risk refers to the initial threat or opportunity identified in the risk register. After analyzing a risk, the team decides how to respond. A response can itself create new risks, and it rarely removes the original risk entirely; this is where secondary and residual risks come in.
Secondary Risk
The PMBOK Guide defines secondary risks as “risks that arise as a direct result of implementing a risk response”. In simpler terms, when you take action to prevent or mitigate a primary risk, you may create a new risk.
Examples of Secondary Risks
Example-1
Suppose you have excavated a trench around the site to keep animals out. The trench itself creates a new hazard: pedestrians may fall into it. That new hazard is a secondary risk.
Example-2
In a construction project for a new office building, you use an advanced fire suppression system to mitigate the fire risk. While this effectively reduces fire-related risks, it introduces a secondary risk: potential water damage from accidental system discharges.
This new risk could damage construction materials, delay the project, and increase costs. To manage this secondary risk, you need to implement additional controls, such as regular maintenance checks, proper system-handling training, and protective coverings for sensitive materials, to minimize the impact of accidental water discharge.
Example-3
A team upgrades a software component to the latest version to close known security vulnerabilities. The new version introduces compatibility issues with legacy systems, creating a secondary risk of downtime. A typical response to this secondary risk is to test the upgrade against the legacy integrations in a staging environment first and to keep a tested rollback path ready.
Secondary risks often cannot be predicted until after you decide on a response. You can manage them by:
- Documenting secondary risks in your risk register when they emerge.
- Evaluating their probability and impact just like any other risk.
- Planning responses and allocating contingencies if they could disrupt the project.
- Monitoring them regularly—secondary risks can turn into primary threats if ignored.
Residual Risk
Residual risks are the “risks that are expected to remain after the planned responses have been taken, as well as those that have been deliberately accepted”. Even after mitigation, you cannot remove every risk. Some risk remains because the response only reduces its probability or impact rather than eliminating it; other risk is accepted because further mitigation is not cost-effective.
Examples of a Residual Risk
Example-1
Let's say you have identified that it may rain for one to two hours, and you have created a contingency plan to manage that risk.
But what happens if the rain lasts longer than two hours, beyond what the contingency plan covers? That remaining possibility is the residual risk.
For that case you develop a fallback plan, which is used when the contingency plan proves inadequate.
Example-2
You have implemented comprehensive safety measures, including PPE, regular safety drills, and strict adherence to safety protocols, in a construction project for a high-rise building. However, despite these efforts, the risk of minor worker injuries, such as slips, trips, and falls, remains.
For example, a worker might still trip over scattered tools or debris. This persistent risk, which cannot be eliminated even with thorough safety measures in place, is a residual risk.
Example-3
Installing firewalls and encrypting data reduces cyber risk, but residual risk remains because no control is infallible: a firewall does not stop an attacker who holds a valid credential, and encryption does not protect data on a compromised endpoint that also holds the key. Accepting the residual risk means documenting the acceptance, monitoring logs for signs that a control has been bypassed, and having an incident response plan ready.
Residual risks should be documented and reviewed regularly. They may require contingency reserves or acceptance plans, depending on your organization’s risk appetite.
Other Types of Risk
Understanding secondary and residual risks is easier when you see them in the context of other risk types:
| Risk Type | Explanation |
|---|---|
| Positive risk (opportunity) | Events that could benefit the project, such as finishing early or discovering a cheaper supplier. The goal is to enhance or exploit them. |
| Unknown Risk | Risks that cannot be identified during planning. You handle unknowns through management reserves and adaptable processes. |
| Internal Risk | Risks within the organization's control, such as resource availability, team dynamics, or process inefficiencies. |
| External Risk | Risks outside your control: economic, environmental, or regulatory. The Global Risks survey warns that extreme weather is the most likely short-term crisis risk. |
| Compliance Risk | Arises from failing to meet laws, standards, or contractual obligations. |
Secondary vs. Residual Risk: Key Differences and Similarities
The two risk types are easy to confuse. Here’s a breakdown:
| Parameter | Secondary Risk | Residual Risk |
|---|---|---|
| Origin | Created by a specific response to another risk. | Remains after the original risk is treated. |
| Relation to Initial Risk | Not part of the initial risk; caused by the response to it. | Directly related to the initial risk; part of it remains. |
| Planning | Often only recognized once a response is chosen; cannot always be predicted. | Can often be anticipated and planned for. |
| Response Needed? | Yes, often requires a separate response or contingency. | Not always; may be accepted if the impact is low. |
Similarities include the need to identify, record, and monitor both types. Neither can be completely prevented, and both may require stakeholder communication.
Why Secondary and Residual Risks Matter
Ignoring these risks can erode project success. The PMI Maximizing Project Success study found that including risk monitoring in a performance measurement system raises the Net Project Success Score (NPSS) from 49 to 53. Projects with risk monitoring score an average of 41, while those without score only 14. The study measures risk monitoring as a whole; the lesson for this topic is that the monitoring must cover secondary and residual risks, not just primary ones, if it is to improve outcomes.
Additionally, PMI’s survey shows that only 48% of projects are judged successful, with 12% considered failures. In a world where extreme weather is a top risk, failing to manage secondary and residual risks can push projects into the “failed” category.
Managing Secondary and Residual Risks: Best Practices
- Use a risk register. Maintain a living document with risk descriptions, categories, probability, impact, responses, and status. Add secondary and residual risks as soon as they appear.
- Apply the risk-management process. Identify risks early, analyze their likelihood and effect, plan responses, implement actions, and monitor outcomes. Our risk-management infographic summarises this process.
- Engage stakeholders. Include team members, sponsors, and subject matter experts in identifying and addressing secondary and residual risks. Their diverse perspectives will uncover hidden issues.
- Allocate contingencies. Budget and schedule reserves allow you to respond to secondary risks without derailing the project. Use management reserves for unknown risks.
- Review and update regularly. At each stage, revisit your risk register. Secondary risks may emerge or disappear as the project evolves, and residual risks may change in severity.
- Prioritize based on risk appetite. Determine which residual risks can be accepted and which require additional mitigation. Align decisions with organizational risk tolerance.
- Leverage lessons learned. After each project, capture how secondary and residual risks were handled. Share these lessons to improve future risk-management planning.
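To make the risk-register practice above concrete, here is an added example in Python (not code from the original post) of a small register that records a response to a primary risk as a residual entry plus any secondary entries, sizes the contingency reserve as the sum of expected monetary value (probability times impact) over the identified risks that still need one, and refuses to accept a residual risk whose exposure exceeds the stated risk appetite. It uses the software-upgrade and firewall examples from earlier in the post as its entries; the risk ids, probabilities, impact figures and the appetite threshold are constructed values, and EMV-based reserve sizing is one common approach rather than the only one.

```python
"""Risk register tracking primary, secondary and residual risks.

Added example, not code from the original post. All risk ids, descriptions,
probabilities and impact values are constructed for illustration.
Exposure = probability x impact, i.e. the expected monetary value (EMV)
commonly used to size a contingency reserve.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Risk:
    rid: str
    description: str
    probability: float               # likelihood in the range 0..1
    impact: float                    # cost if the risk occurs (currency units)
    kind: str = "primary"            # "primary", "secondary" or "residual"
    parent: Optional[str] = None     # id of the risk this entry derives from
    treated: bool = False            # primary risk that already has a response
    accepted: bool = False           # residual risk accepted within appetite

    @property
    def exposure(self) -> float:
        """Expected monetary value of this risk."""
        return self.probability * self.impact


@dataclass
class Register:
    risks: Dict[str, Risk] = field(default_factory=dict)

    def add(self, risk: Risk) -> Risk:
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        if risk.parent is not None and risk.parent not in self.risks:
            raise ValueError(f"unknown parent risk {risk.parent}")
        self.risks[risk.rid] = risk
        return risk

    def respond(self, rid: str, residual_probability: float,
                residual_impact: float,
                secondary: Sequence[Tuple[str, float, float]] = ()) -> None:
        """Record a response to a primary risk.

        The primary entry is kept for the audit trail but marked treated, a
        residual entry captures what remains after the response, and one
        secondary entry is created for every new risk the response caused.
        """
        primary = self.risks[rid]
        if primary.kind != "primary" or primary.treated:
            raise ValueError(f"{rid} is not an untreated primary risk")
        primary.treated = True
        self.add(Risk(f"{rid}-R", f"Residual of {rid}: {primary.description}",
                      residual_probability, residual_impact,
                      kind="residual", parent=rid))
        for i, (desc, prob, impact) in enumerate(secondary, start=1):
            self.add(Risk(f"{rid}-S{i}", desc, prob, impact,
                          kind="secondary", parent=rid))

    def contingency_reserve(self) -> float:
        """EMV summed over identified risks that still need a reserve.

        Treated primaries are excluded (their remaining exposure is the
        residual entry) and accepted residuals are excluded (acceptance means
        no reserve is set aside; the risk is monitored instead).
        """
        return sum(r.exposure for r in self.risks.values()
                   if not r.treated and not r.accepted)

    def above_appetite(self, threshold: float) -> List[str]:
        """Residual risks whose exposure exceeds the risk appetite."""
        return [r.rid for r in self.risks.values()
                if r.kind == "residual" and r.exposure > threshold]

    def accept(self, rid: str, threshold: float) -> None:
        """Accept a residual risk, refusing if it exceeds the appetite."""
        risk = self.risks[rid]
        if risk.kind != "residual":
            raise ValueError(f"{rid} is not a residual risk")
        if risk.exposure > threshold:
            raise ValueError(f"{rid} exposure {risk.exposure:.0f} "
                             f"exceeds appetite {threshold:.0f}")
        risk.accepted = True


def build_example_register() -> Register:
    """Constructed register using the two security examples from the post."""
    reg = Register()
    reg.add(Risk("R1", "Known vulnerability in a third-party library", 0.6, 100_000))
    # Response: upgrade the library. Residual: undiscovered flaws in the new
    # version. Secondary: the upgrade may break a legacy integration.
    reg.respond("R1", residual_probability=0.1, residual_impact=100_000,
                secondary=[("Upgrade breaks legacy integration, causing downtime",
                            0.3, 20_000)])
    reg.add(Risk("R2", "Unauthorised access to project data", 0.4, 250_000))
    # Response: firewall plus encryption at rest. Residual: no control is infallible.
    reg.respond("R2", residual_probability=0.05, residual_impact=250_000)
    return reg


if __name__ == "__main__":
    reg = build_example_register()
    appetite = 11_000  # constructed risk-appetite threshold in currency units
    print(f"reserve before acceptance: {reg.contingency_reserve():.0f}")
    print(f"residual risks above appetite: {reg.above_appetite(appetite)}")
    reg.accept("R1-R", appetite)
    print(f"reserve after accepting R1-R: {reg.contingency_reserve():.0f}")
```

The design choice worth noting is that the treated primary risk stays in the register rather than being overwritten: the residual entry is what carries its remaining exposure, and the secondary entries are linked back to it through `parent`, so a reviewer can always trace which response created which new risk. With the constructed figures the reserve is 28,500 before any acceptance, only R2-R sits above the 11,000 appetite, and accepting R1-R (exposure 10,000) lowers the reserve to 18,500 while an attempt to accept R2-R is refused.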
FAQs
Q1. What is the main difference between secondary and residual risk?
Secondary risks are caused by the response to a primary risk, whereas residual risks are the portion of the original risk that remains after responses.
Q2. Do all secondary risks require a response?
Many secondary risks do require action because they can disrupt your project, but some may be negligible. Evaluate each one’s probability and impact before deciding.
Q3. Can residual risks be eliminated completely?
No. By definition, residual risks are what remain after mitigation. You can monitor them, plan contingencies, or accept them if they fall within your risk tolerance.
Q4. How do I identify secondary risks in practice?
Look for unintended consequences when planning risk responses. Brainstorm with your team about what new risks could emerge from your chosen mitigation strategy.
Q5. What should I do if a residual risk becomes unacceptable?
Reassess and treat it like a new primary risk: analyze its impact and probability, develop a response, and update your risk register.
Summary
Project risks cannot be avoided, but they can be managed with the right approach. Understanding different types of risks, including primary, secondary, and residual risks, helps project managers make better decisions. When risks are identified early and reviewed often, teams can reduce surprises and protect project goals. Strong risk management improves cost control, schedules, and stakeholder trust. In today’s uncertain environment, managing risk is not optional—it is essential for project success.
Further Reading:
- Residual Risk: Definition, Meaning, and Example
- Secondary Risk: Definition, Meaning, and Example
- Risk Types in Project Management
- Risk Terms: A Few Commonly Used Risk Management Terms
- Risk Assessment Matrix: Definition, Example, and Template
This topic is important from a PMP and PMI-RMP exam point of view.

I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.

Mr. Fahad
You mentioned in your blog that fallback plans are used for residual risks. But as per what I understand, fallback plans are used only if the contingency plan is inadequate to solve the problem.
Please correct me if I am wrong.
Please refer to the following blog post:
https://pmstudycircle.com/2012/02/contingency-plan-vs-fallback-plan/
hi all,
I have some queries on the priorities with regard to risk; hope someone can advise me.
q1) When a risk is triggered, do we first
a) inform the stakeholder, or
b) implement the risk response plan?
q2) When a new risk occurs, what do we do first, second and third?
a) update the risk register
b) analyse the impact
c) inform the stakeholder
When the trigger occurs, risk action owner will take the action and implement the risk response plan.
When any new (un-identified) risk occurs, you will manage it through workaround.
Thanks Fahad!
For unidentified risks, I had thought we have to analyze the impact first before anything?
For both of my questions, I assume 'notifying the stakeholder' is NOT the first thing to do.
You are welcome Martin.
Hi Fahad,
Thank you for precisely explaining residual and secondary risk in your blog. My question is regarding secondary risk. What is the name of the risk response plan for the secondary risk? For example, we have a contingency plan for the primary risk. I am trying to understand whether there is any similar response plan available for secondary risk.
Regards,
Bala
Since these are identified risks, they will be covered in the contingency plan.
Risks that are caused by the response to another risk are residual or secondary risks.
I am trying to buy the 400 PMP exam sample questions, but it is not possible. Please let me know how we can get it.
From the link below you can buy the PMP Question Bank.
https://pmstudycircle.com/pmp-question-bank/
Hi
Residual risk: what is 'left over' after implementing a contingency plan
Secondary risk: a new risk after implementing a contingency plan
So, if you subcontract a piece of work to another contractor (transfer), and the contractor goes bust, is that a residual risk or a secondary risk? To me, it sounds like a secondary risk.
But if the contractor were to have some delay in its deliverable to your project, it is seen as a residual risk.
Comments?
The first case represents a “residual” risk, because the risk impact stays the same (choosing transfer as risk response is mainly to minimize the liability or to address a technical/ expertise gap in the company), so this will stay the same for the 1st case, thus it is a residual risk. As for the 2nd case, it is a secondary risk since the risk impact is different than primary risk impact. In this case, the impact could be delays to project schedule.
I hope this makes sense
Fahad – Your study notes, which are basically an expert clarification, have helped me a lot. I could review them from time to time to check my understanding, and I cleared my PMP exam (2 Moderately Proficient and 3 Proficient) on my first attempt.
You are giving a great service to this community. God bless you.
Congratulations Nitesh on passing the PMP exam. I'm glad that my blog helped you in your study.
Thank you so much! This breaks it down very well!!
You’re welcome Niikay…
Please explain the difference between a fallback plan, a workaround and a contingency plan. Are they all the same?
Regarding fall back and contingency plan, you can read this blog post:
https://pmstudycircle.com/2012/02/contingency-plan-vs-fallback-plan/
And a workaround is an ad hoc response when any unidentified risk occurs.
Thank you very much Fahad for your explanation. But I am confused about when to use a response plan versus a contingency plan.
Both plans (contingency and fallback) are risk response plans.
Fahad,
Thanks for your blog. I also bought your book, the PMP Question Bank, and so far I am averaging approximately 82% (my goal is 85%). Kindly correct me if I am wrong: initially I thought contingency reserves were used for accepted risks (at least that's what I think I read in another book, used when a proactive risk approach is being used). Then I realized this is not the case, but rather that it applies basically when using "risk mitigation", where residual or secondary risks remain or come into existence.
Is my thought process wrong? Kindly assist.
Btw, do you have other books of questions for the PMP exam? If so, I would like to know how to obtain them.
VR
Yes. Contingency reserve is used for identified risks. Primary risks, secondary risks, residual risks, these are all identified risks.
No, I don't have any other question bank except the one that you already have.
Good luck on your PMP exam.