Residual and secondary risks: What they are and how to deal with them

You have probably already heard about residual and secondary risks in a project without having a clear idea of what they are. In this article, we will try to explain the differences between them.

We all face risks on a daily basis and, consequently, risks exist even in project management.

There are those who panic, those who try not to take obvious risks, and those who try to avoid them at all costs, but in the end risks are inevitable. There is no way to prevent risks from entering our lives. The same is true in the case of project management.

Definition of risk

The PMBOK Guide defines a risk as “An uncertain event or situation that, if it occurs, has a positive or negative effect on one or more objectives of the project.”

A risk, therefore, does not necessarily damage the project. A project can also get a positive result from a risk.

The PMBOK Guide also states that Risk Management is one of the areas of knowledge that a project manager should know.

Project managers must, in fact, be trained in risk management in order to ensure that the obstacles faced during a project are minimized.

This means that project managers must be able to think outside the box and not always take the same road, even if it was an optimal choice in the past. The situation, for instance, could have changed.

Which types of risks exist?

In addition to the main risk inherent in any project, positive or negative, individual activities may involve secondary and residual risks.

Let’s take a look at secondary and residual risks and their definitions.

Secondary risks

The PMBOK Guide defines secondary risks as “those risks that arise as a direct result of implementing a risk response to a specific risk”.

In other words, when you identify a risk, you have a response plan that can deal with that risk.

Once this plan is implemented, the new risk that could arise from the implementation represents a secondary risk.

For example, the project manager for a construction project might know, from past experience, that one of the main risks is that the sand supplier will not be able to deliver the goods in time. In the risk management plan, the project manager will therefore already have taken this risk into account. The action he takes if this happens could be to get the sand from a different supplier. However, a potential risk that the project manager may encounter in this case is that the sand provided by the second supplier may differ from that provided by the first, which would be a secondary risk.

Residual risks

Residual risks are the remaining risks, i.e. the minor risks that remain.

The PMBOK Guide defines residual risks as “those risks that are expected to remain after implementing the planned risk response, as well as those that are deliberately accepted”.

Residual risks are either acceptable given the organization’s level of risk tolerance or, in some cases, have no reasonable response.

Project managers therefore simply accept them as they are. If they must occur, they will occur, and there is not much they can do about it.

These risks are identified during the planning process and an emergency reserve is set up in order to manage risks like these.

Although residual risks are not particularly worrying, organizations cannot completely ignore them and should address them through:

  • Identification of relevant governance, risk, and compliance requirements.
  • Recognition of existing risks.
  • Determination of the strengths and weaknesses of the organization’s control framework.
  • Planning for appropriate contingencies.

For example, you could identify as a risk the rainy weather forecast during an event, lasting an hour or two, which could interrupt some of the scheduled meetings. To manage this risk, the other meetings will be scheduled with a buffer of a couple of hours. In this way, even if it rains for two hours, the other plans will not be interrupted or postponed.

This, however, does not eliminate the risk that the program needs changes. It simply reduces it.

What is the difference between secondary and residual risks?

  • Secondary risks are those that occur as a direct result of implementing a risk response. Residual risks, on the other hand, are expected to remain after the planned risk response.
  • The emergency plan is used to manage primary or secondary risks. The backup plan is used to manage residual risks. Note that if an identified risk occurs, the emergency plan is implemented and, if it becomes ineffective, the reserve plan is implemented.
  • If residual risks and secondary risks do not require a response plan, they will be monitored as they occur.

Example of a situation that contains both risks

Take for example a future project manager who is studying for one of the exams to obtain the official PM certification.

When the future PM plans the study program for the exam, the main risks that can affect it are:

  • He will suddenly be committed full time to a new project that will not leave enough time to study
  • He will get sick during the exam preparation

An activity to respond to the first risk – not finding enough time to study because of professional commitments – would be to start the preparation for the exam in a low working season, taking into consideration the work model of previous years.

The residual risk for this risk response would be that an unexpected large-scale project would present itself during the preparation for the exam. In that case, it may be necessary to postpone the exam, so as to find enough time to study in the future. This could be connected with an extra cost that can be covered thanks to the contingency reserve.

In the second case, the risk response activity to avoid getting sick during the exam preparation would consist of getting vaccinated against five of the most common contagious diseases at the time of the preparation for the exam.

The secondary risk of this risk response would be that the vaccines themselves can cause side effects or even cause infections.


To conclude, risk management is an integral part of project management. It includes the identification, analysis, and monitoring of all these types of risks.

Understanding how to identify and manage risks is part of everyone’s life, including the life of a project manager.

It is important that all types of risks are identified, analyzed, monitored, and cared for during the entire project.

For a project manager, learning to distinguish and plan for different types of risks will be a valuable aid in managing resources and time and in guiding the project to success more efficiently.
