Synonymous term or a different term, that’s a common question we receive in our course delivery for secondary versus residual risks. Those two terms sound quite a bit a like. Are they? No.
Don't trip over the finish line!
They’re similar concepts but are different!
- Secondary risk occurs once a risk event triggers and the appropriate management response strategy deployed. The PMBOK® 4th Edition, page 303, describes this aptly as “driven by the strategies”.For example, in software development, per Steve McConnell, the silver bullet syndrome is a risk of relying or wishing upon that perfect tool to solve all of your problems. The mindset is typically “if we only had this LAMP, API, SQL widget, we’d cut our development time by 25%”! When that risk event triggers, it’s important for a project manager and team to step back and calmly assess the reliance and vulnerability on that assumed “perfect tool”. A secondary risk as the team addresses it might be contractor competency or solvency. Perhaps the new tool will work wonders, but only with gifted hands (and minds) guiding it. As the team reaches out to find that mind, risks associated with contractor management now jump to the forefront. That risk is a secondary risk.
- Residual Risk is risk that exists after qualitative and quantitative risk assessment. It often falls in that area of unknown/unknown on the risk identification continuum. Health-care provides a good field to understand this. Prior to my father’s passing in 2008, he had a series of medical issues over a five-year period, for example, after a procedure to repair a carotid, residual risk of stroke existed. That in turn restricted the ability to treat an invasive form of prostate cancer. Due to his age and compounding risk factors, the residual risks were replete. In software project management residual risk typically associates with environmental factors (computer environment) that a team has not reviewed, for example a new software patches incompatibility with a lesser known or evolving platform (e.g., mobile web or cloud computing).
by David Kohrell, PMP®, CBAP®, CISA®, CSSBB® TAPUniversity
also shared at http://blog.tapuniversity.com
Related articles
- Risk Management Approaches (tapuniversity.com)
- Risk Types from Auditing (tapuniversity.com)
- Software Risk List (tapuniversity.com)
- Risk from a Business Analysis Perspective (tapuniversity.com)
- 10 Project Management Skills Essential for Every Project Manager (brighthub.com)
Joseph Phillips Course: 35 contact hours 200 PMP exam questions. All for ONLY $55. For more info- Click here to view more details
Joseph Phillips Course: 35 contact hours 200 PMP exam questions. All for ONLY $55. For more info- Click here to view more details
Hi David
Loved your post and this is really often a critical question for PMP-students.
I would like to ask your permission to comment the text:
Making it easier for the secondary risk:
Secondary Risks are risks created by our Risk Response.
Expl.: You contract a Consultant as answer to identified risks and this professional has behaviors, that create new risks.
On behalf of Residual Risk, I would prefer to reformulate as follows:
“Residual risk is risk that continues existing after Risk Response Planning.”
Expl.: You mitigate the probability of a financial risk from 35% to 10%. Those 10% would be your residual risk.
For to have a residual risk, you need to have treated risk and a Qualitative and Quantitative assessment is…… just an assessment. Only after applying the action defined in Risk Response Planning, you have changes and in consequence, secondary and residual risks.
Kind Regards from Brazil
Gerhard Tekes,
PMP, PMI-RMP, PMI Certified OPM3(R) Professional
Available for OPM3 ProductSuite Assessments and Consulting
in English, German, Portuguese and Spanish
[...] This post was mentioned on Twitter by PMP® Exam Tips and pmhub, derhem. derhem said: RT @PMExamTips: PMHUB: Secondary versus Residual Risk #PMOT http://dld.bz/KEXa [...]
Gerhard, wonderful clarification and thank you! The reinforcement that residual risk first requires treatment via Q/Q risk assessment is perfect. They’re those “unknown, unknown’s” that linger. Secondary risks are what happen as you invoke the Risk response.
As an aside, one of my favorite author’s during my Master’s in Management (early 90′s) was Herbert A Simon – sort of the grandfather of semi structured decision making in uncertainty. He wrote a good amount in the known-unknown to unknown-unknown continuum of decision making.