Within the field of project management, the assessment of risk exposure is crucial. It’s the most important process for ensuring an optimal outcome. This article discusses residual risk: the threats that remain indefinitely with that outcome after its development phase is complete.
PMI defines residual risk as:
“Residual risks that are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted” (PMBOK®, 6th edition, ch. 220.127.116.11)
Inherent Risk vs Residual Risk
While the inherent risks to any given project are as numerous as they are diverse, it’s imperative that a project manager possess a firm understanding of the key risks that remain after the project is finalized.
This type of risk that remains after every action was taken to address all preventable threats to a project’s outcome is known as residual risk.
As a project manager, the first task at hand is to deliver the anticipated and promised results while identifying and mitigating risks that could potentially derail those results from rendering successfully.
Concerning risk to outcome, a project manager is expected to identify and eliminate threats to the project wherever possible. If certain risks cannot be eliminated entirely, then the security controls introduced must be efficient in reducing the negative impact should any threat to the project occur.
Once the inherent risks are mitigated, what remains is residual risk: any potential threats that persist after all possible measures and controls have been implemented to secure a project.
Risk Management Process
Risk management entails a multi-staged process of “identification, analysis, response planning, response implementing risk on a project” (Project Management Body of Knowledge, 6th edition, ch. 11).
But that process does not explicitly account for the residual risks that remain inherent to the project after it is complete. How, then, does one estimate and identify residual risk?
To begin with, the process is not significantly different than the steps a project manager takes in tailoring considerations of primary (or inherent) risk exposure to a project’s outcome. Indeed, the two are interrelated.
A determination of residual risk is dependent upon the size and complexity of the project, foremost, and, secondarily, the development approach along with the overall significance of the project to the organization.
Similarly, an effective assessment of residual risk is reliant upon the use of “data analysis techniques” such as “root cause analysis” and “assumption and constraint” as these strategies are defined in the PMBOK®, 6th edition, ch. 18.104.22.168.
Different Types of Risk
Aside from inherent risk, there’s another type of risk, called secondary risk, that arises after a project manager takes action to reduce inherent (or primary) risk.
Primary Risks = Inherent Risks
Within the project management field, there can be, at times, a mixing of terms. So, to be clear, primary risk and inherent risk are definitionally one and the same.
Secondary Risks vs Residual Risks
Secondary risk, on the other hand, is a risk that emerges as a direct result of addressing an inherent risk to a given project.
It is not a risk that results from an initial threat the project manager has identified. Instead, it is a threat that emanates from the risk controls and methods deployed to mitigate primary or inherent risk.
To offer a base example, consider a construction crew that has dug a trench to prevent the encroachment of dangerous animals to their site. There is a secondary risk that the workers may fall into this trench and become injured, but the risk is marginal.
This constitutes a secondary risk. Likewise, other more palatable types of secondary risk one might encounter have to do with the recent and significant disruptions to the supply chain.
If a project manager elects to order supplies from overseas to cut costs, there is a secondary risk that those supplies may not arrive on time, extending the project unnecessarily and, thus, eliminating those savings.
Examples of Residual Risk
Having clarified how residual risks differ from risks inherent to the development of a project, it’s helpful to discuss a few specific real-world examples of what constitutes residual risk. Let’s take the case of the automotive seatbelt.
Cars, of course, are a product of the late-stage Industrial Revolution. As automobile engines became more powerful, accidents associated with driving at speed became more serious. Before 1964, front-seat lap belts were not considered standard equipment on cars.
As substantial consumer product research was generated in the effort to mitigate serious injury in the case of a car accident, it became clear that the use of seat belts is highly effective in helping prevent bodily injury.
Now, in the course of the project, an engineer can produce a reliable seatbelt. But he cannot, in the unfortunate event of an accident, prevent all manner of injury to drivers and passengers in a vehicle.
While the prospects of injury were indeed mitigated, they still linger, even as seat belts are properly used. This phenomenon constitutes a residual threat.
Or take another scenario: one can design a childproof lighter. However, it’s widely understood that such a design does not prevent every child in the world from igniting such a lighter and causing a hazard.
Therefore, post-development, there will always be an element of residual risk to the outcome of the childproof lighter and its intent.
Calculating Residual Risk Formula
This article has discussed how to begin factoring residual risk in the early stages of a project; however, a specified formula exists that project managers can use to help gauge and calculate the overall impact of residual risk after the project development phase is complete.
It’s a simple equation that goes as follows:
Residual Risk = (Inherent Risk) – (Impact of Risk Controls)
To explicitly apprehend this formula, one must have a thorough understanding of what constitutes a project’s inherent risks.
In project management, the term “inherent risks” should be regarded as little more than risks that are almost universally present, based on an established precedent, concerning what is already known about the execution of previous similar projects.
While no two projects are exactly alike, the desired outcome for most projects is likely one that has been achieved several times over.
Indeed there will be breakthrough projects for which there is little established precedent, but those kinds of tasks are substantially more uncommon.
In other words, the specific nature of the project, in most cases, is already known and so are development threats inherent to it.
Adding Risk Controls
Risk controls are the measures taken to reduce a project’s risk exposure. Consequently, the impact (or effectiveness) of your risk controls dictates the mitigation of inherent risk.
Once the inherent risk to a project has been fully identified using the steps outlined above, the risk controls are determined.
After a project’s resources have been evaluated and its risk controls are selected and put into effect, it will be possible to assess the impact those controls will have on any potential threats.
With the inherent risk known, and the impact of risk controls evaluated, the above formula can be calculated to show the residual risk that will remain after a project’s development phase has concluded.
Residual Risk Formula Example
To offer an example of how this formula is used in terms of dollars, let’s assume the inherent risk of a project is estimated at $50 million. The risk controls are estimated at $5 million. Following the simple equation above, the estimated costs associated with residual risk will be $5 million.
Effectively Managing Residual Risk
In project management, the key to mitigating and managing residual risk is determined by how well risk overall was assessed in the early stages of the project.
If all types of risk are well analyzed and addressed at the outset, the project manager is better prepared to minimize the presence of residual risk.
When there are no measures taken to mitigate all risk exposure at the start of a project, this opens the door to high levels of residual risk. Should this situation arise, the project manager must take additional steps to bring the residual risk to a reasonable and acceptable level.
To successfully manage residual risk, consider the following suggestions:
- Bolster cybersecurity: the objective is to eliminate as many privacy risks as possible through individualized encryption keys to protect cloud data.
- Brace for the unexpected: evaluate your project from all angles to anticipate surprise changes to ensure you have all the tools you need in the event of a crisis.
- Strong organizational communication: Even if the strategies for reducing risk exposure are strong, they won’t be effective without implementing consistent communication with the entire team.
Because there is a tendency among project managers to focus only on inherent risks, it’s not uncommon for residual risks to be ignored entirely. In these situations, a project manager will not have a response plan in place at all. Because secondary and residual risks are equally important, this is a mistake to be avoided at all costs.
If there isn’t an adequate holistic assessment of a project’s risk exposure, this usually spells doom for the success of its outcome.
This is precisely why every aspect of risk and each potential threat to a project must be evaluated vigorously at the forefront of every project. Moreover, each risk should be categorized and ranked according to its priority.
If a risk presents as low-priority, it should be labeled as an area to monitor. Should a given risk be deemed a high priority, a clear and direct risk response plan must be set in place to mitigate the threat.
If these measures are adhered to strictly, the project manager will be most effective in reducing the presence of residual risk after the development phase of a project comes to a close.