Secondary Risk versus Residual Risk

Are they synonymous terms or different ones? That's a common question we receive in our course delivery about secondary versus residual risks.

Those two terms do sound quite a bit alike. Are they?

They’re similar concepts but are different!

  • Secondary risk occurs once a risk event triggers and the appropriate management response strategy is deployed. The PMBOK® 4th Edition, page 303, describes this aptly as “driven by the strategies”. For example, in software development, per Steve McConnell, the silver bullet syndrome is the risk of relying on, or wishing for, that perfect tool to solve all of your problems. The mindset is typically “if we only had this LAMP, API, SQL widget, we’d cut our development time by 25%!” When that risk event triggers, it’s important for a project manager and team to step back and calmly assess their reliance on, and vulnerability to, that assumed “perfect tool”. A secondary risk that emerges as the team addresses it might be contractor competency or solvency. Perhaps the new tool will work wonders, but only with gifted hands (and minds) guiding it. As the team reaches out to find that mind, risks associated with contractor management now jump to the forefront. That risk is a secondary risk.
  • Residual risk is risk that exists after qualitative and quantitative risk assessment. It often falls in the unknown/unknown area of the risk identification continuum. In software project management, residual risk is typically associated with environmental factors (the computing environment) that a team has not reviewed, for example a new software patch’s incompatibility with a lesser-known or evolving platform (e.g., mobile web or cloud computing).

Health care provides a good field for understanding how both risks may exist. Prior to my father’s passing in 2008, he had a series of medical issues over a five-year period. For example, after a procedure to repair a carotid artery, residual risk of stroke existed (though it was not known). The repaired carotid artery, along with the inability to determine stroke risk, restricted the ability to treat an invasive form of prostate cancer (secondary risk from yet another procedure). Due to his age and compounding risk factors, the residual and secondary risks were replete.
