Concepts
I. Understanding Secondary and Residual Risks
Secondary risks often emanate from the application of specific risk responses. For instance, when a project risk is mitigated through outsourcing or subcontracting, new risks such as inefficiency, missed deadlines, or poor quality output may arise due to the subcontractor’s operations. These are secondary risks.
On the other hand, residual risks are the leftover risks that remain after all planned risk responses have been implemented. For example, after mitigating construction project risks (falls, equipment failure, material shortage) through safety training, contingency planning, tough oversight mechanisms, there may still be risk owing to human error or unpredictable weather – these would be residual risks.
II. Evaluating Secondary and Residual Risks
To comprehensively evaluate secondary and residual risks, risk professionals must implement a rigorous risk review process. This involves an accurate identification of the potential secondary or residual risk, followed by a risk assessment to understand its probable impact and likelihood. Consequently, a risk response action plan should be developed based on the evaluation, and the process should end with monitoring these risks.
Consider the case of a construction project. The primary risk might be identified as a delay in construction due to harsh weather, and the chosen strategy might be to construct a temporary roof for protection. However, the secondary risk resulting from this decision might be that the temporary roof collapses under the weight of the heavy rain, causing damage and further delays. The residual risk might be that even with the roof, small drizzles could still cause slight delays in the construction process.
III. The Reaction to Secondary and Residual Risks
The reaction to these risk categories essentially involves similar strategies employed in primary risk management – avoid, transfer, minimize, or accept. The choice depends on the risk’s impact, cost, time and resources available to the project team.
Avoidance would be applicable in instances where a secondary risk has the potential to cause significant project delay, like faulty software installation. Transfer may be preferable for liability-related residual risk by procuring insurance coverage. If the potential financial loss from a secondary risk is lower than the cost of the risk management strategy, the risk may be accepted.
Finally, risk professionals must continuously monitor the effectiveness of risk responses implemented to tackle these risks and adjust them as necessary, enhancing the future identification and management of such risks.
By preparing to handle secondary and residual risks proficiently, PMI-RMP exam aspirants will not only perform better in the exam but also become more effective and adaptive risk management professionals.
Answer the Questions in Comment Section
True or False: Secondary risks arise as a direct result of implementing a risk response.
- True
- False
Answer: True
Explanation: Secondary risks are those that are a direct outcome of implementing a risk response. They usually occur when the response to an identified risk creates a new risk.
The terms secondary risk and residual risk are interchangeable.
- True
- False
Answer: False
Explanation: Secondary risks are directly resulting from the response to the primary risk while residual risks are the leftover risks that remain after the primary risk has been addressed.
True or False: Secondary and residual risks are always negative.
- True
- False
Answer: False
Explanation: These types of risks can either be threats that will negatively impact the project or opportunities that can provide potential benefits.
Which of the following methods can be used to evaluate secondary and residual risks after the risk response has been implemented?
- A. Risk reassessment
- B. Risk audits
- C. Both A and B
- D. Neither A nor B
Answer: C. Both A and B
Explanation: The best options for evaluating secondary and residual risks are risk reassessment (which analyzes how effective the risk response has been) and risk audits (which examines the efficiency of the risk management process).
The effectiveness of implemented risk responses should be determined through:
- Additional event identification
- Risk reassessment
- Both
- Neither
Answer: Risk reassessment
Explanation: Risk reassessment evaluates the effectiveness of the risk responses that have been implemented, whereas event identification would identify new risks.
True or False: Residual risk is the risk that remains after all risk responses have been applied.
- True
- False
Answer: True
Explanation: Residual risks are those that exist after all the risk responses have been implemented.
True or False: Secondary risks can be ignored as they are not as important as primary risks.
- True
- False
Answer: False
Explanation: Secondary risks, although arising from the response to a primary risk, cannot be ignored as they can have impacts on a project.
Which of the following should be used to react to secondary and residual risks?
- A. Risk audits
- B. Risk reassessment
- C. Additional risk identification
- D. All of the above
Answer: D. All of the above
Explanation: All these methods help in reacting to secondary and residual risks. While risk audits help in evaluating the effectiveness and efficiency of the risk response, risk reassessment helps to evaluate the impact of the risk response. Additional risk identification, on the other hand, helps in identifying new risks that may arise post risk response.
Residual risks usually have:
- A. Higher impact
- B. Lower impact
- C. Same impact
- D. Cannot be determined
Answer: B. Lower Impact
Explanation: Once the risk response has been implemented to address a risk, the residual risk left generally has a lower impact as the major portion of the risk would have been treated with the response.
True or False: It is not necessary to communicate secondary and residual risks after the response implementation.
- True
- False
Answer: False
Explanation: It is important to communicate these risks as stakeholders need to understand the remaining risk after the risk response to make informed decisions.
Once a risk response has been implemented, new risk identifications are usually needed because:
- A. The project scope might have changed
- B. Secondary risks could have been triggered
- C. The process is cyclical
- D. All of the above
Answer: D. All of the above
Explanation: New risk identifications are integral to the risk management process as the project evolves, which includes scope changes, the potential triggering of secondary risks, and because risk management is a cyclical, ongoing process.
True or False: Risk response planning should not consider secondary and residual risks.
- True
- False
Answer: False
Explanation: Risk response planning not only needs to consider primary risks but also secondary and residual risks. These types of risks stem from primary risk responses and can have a significant impact on the project.
Great post! Evaluating secondary and residual risks is crucial in risk management.
I completely agree. How do we prioritize secondary risks effectively?
For those taking the PMI-RMP exam, make sure you understand the difference between secondary and residual risks.
I found it helpful to create a secondary risk register. Anyone else doing this?
Is it necessary to revisit the risk response plan frequently?
This post is so helpful for the PMI-RMP exam prep. Thanks!
Can someone explain the difference between secondary and residual risks?
I’ve noticed that secondary risks can sometimes be more dangerous than the primary ones. Thoughts?