Residual Risk vs Secondary Risk

Published: May 16, 2023

Residual and secondary risks are two common risks of project management. Despite being linked, they differ in many respects. This read covers the various aspects of residual risk vs secondary risk on different grounds. However, before discussing such details, it is essential to understand both risk entities separately.

What are Secondary Risks?

Secondary risks are the risks that arise in the process of mitigating primary risks. These are often not as obvious as the primary risks. These can be challenging to identify and manage, and often go unnoticed during the risk management process.

How to anticipate and mitigate secondary risks?

For that, you need to analyze the cause-and-effect relationship between the primary risk and the control measures. It is only after this analysis that you can easily predict and manage the expected outcome. Moreover, proper planning, training, and communication with the project team can also help in managing the situation better before any major escalations.

For example, a manufacturing company introduces a new product to the market. The primary risk here could be that the product doesn't sell. This would result in lower revenue and profitability. So, to mitigate this risk, the company decides to offer a special promotion to attract more customers. However, by doing so, the company creates a secondary risk — the risk of running out of inventory. If the promotion turns out successful, and more customers purchase the product, the demand for the product may exceed the supply. This would lead to backorders, delayed shipments, and potential customer dissatisfaction. Here, the secondary risk arises directly from the company's attempt to mitigate the primary risk. By offering a promotion, the company is trying to stimulate demand and improve revenue. But, this action also introduces the risk of inadequate inventory management. This is exactly what secondary risk is all about.

Even in cybersecurity, implementing security measures can introduce a secondary risk. For instance, protecting against one threat could open the door to new vulnerabilities and risks, which can lead to a data breach if the security controls are inadequate. So, it's important to know the secondary risks and how to manage them efficiently.


What are Residual Risks?

The risks that persist even after implementing the risk management strategies can be called residual risks. These risks can be difficult to identify and manage, but they're important for any risk management plan.

For example, you're planning a road trip across the country. You've checked your car's oil, packed a spare tire, and even researched the safest routes. You feel confident you've taken all the necessary precautions to ensure a smooth journey. However, there's still a residual risk of encountering unexpected road construction or unavoidable traffic that could delay your trip and throw off your schedule. This is exactly what residual risk means.

Residual risks can stem from various factors, such as:

  • Human error 
  • Unforeseen circumstances 
  • External events, etc. 

These can vary in severity, ranging from minor inconveniences to major disruptions, which makes it important to identify and manage residual risks and minimize their impact on your plans and goals. It is also crucial to regularly review and update your risk management plan, which includes:

  • Conducting risk assessments 
  • Implementing new risk mitigation strategies
  • Adjusting existing strategies as needed, etc. 

It is important to remember that risk management is an ongoing process, and residual risks are a natural part of that process. So, despite putting control measures in place, residual risks can still linger and pose a significant threat to the success of a project. Understanding and evaluating residual risks ensures that they are appropriately addressed and mitigated, which can prevent unexpected delays or disruptions in project outcomes. It is further advised to take a step back and conduct a thorough evaluation of residual risks; this is a prudent and professional approach to risk management.

Residual Risk Vs Secondary Risk

The table below explains residual risk vs secondary risk:

| Grounds | Secondary Risks | Residual Risks |
| --- | --- | --- |
| Definition | These arise as a result of managing an existing risk. | These are the risks that persist even after risk management strategies have been implemented. |
| Cause | These can be a result of implementing risk management strategies. | These are usually a result of incomplete risk mitigation or the occurrence of unforeseen events. |
| Timing | These usually occur during the risk management process. | These usually occur after the risk management process. |
| Identification | These can be predicted and identified. | These are often difficult to predict and identify. |
| Examples | Implementation of security measures can cause new vulnerabilities. | The risk of delays that occur in project completion due to new regulations. |
| Mitigation strategies | Secondary risks can be mitigated by adjusting risk management strategies. | Residual risks can be mitigated by updating the risk management plan and conducting regular risk assessments; however, these cannot be eliminated. |
| Outcome | Secondary risks may introduce new risks or complexities. So, these can have a moderate to low impact on the organization. | Residual risks can hinder the achievement of goals or objectives. Thus, these have significant consequences, if not managed properly. |
| Action to take | Creation of a response plan | Creation of a contingency plan |
| Related to | Secondary risks are not directly related to the initial risk. | Residual risks are directly related to the initial risk. |


Consider that a construction company is building a new office building. During the construction process, the project manager identifies the probability of bad weather, which can eventually delay the project schedule. So to mitigate the risk, he implemented a risk management strategy. Since the weather was good, he planned to schedule additional crews to mitigate the risk. However, even with the additional crews working, there was another risk — the risk of worker fatigue resulting in accidents on the job site. Now, to manage this risk, he implemented additional safety protocols and work-hour restrictions. Despite these efforts, the project experienced a delay due to a prolonged heatwave. This delay created a residual risk of increased costs and missed deadlines. These were not anticipated or fully mitigated by the earlier risk management strategies.

Here, the risk of bad weather delaying the project schedule is the primary risk. The risk of worker fatigue due to additional crews working is the secondary risk. This arises as a result of primary risk management. Eventually, the residual risk of increased costs and missed deadlines arises after risk management strategies were implemented and the unexpected heatwave occurred. This example underlines the importance of understanding residual risk vs secondary risk.



Residual risk vs secondary risk is quite a common topic. Both are crucial for a project manager to consider while implementing risk management strategies. Many leading companies prefer to hire candidates with PMP training; after all, a skilled professional ensures the best outcomes. Enrol in this certified PMP course with 35 PMI Approved PDUs and PMI® Authorized Instructors, and get a 100% Money Back Guarantee as well as access to exclusive job opportunities.


Frequently Asked Questions

Can the residual risk be minimized?

Absolutely. Residual risk can be reduced reasonably by implementing controls to mitigate the risk; however, it cannot be eliminated. 

How is residual risk different from targeted risk?

Residual risk is the risk that remains after considering existing controls. On the other hand, the targeted risk is the level of risk a company is willing to accept to achieve its goals. 

What is meant by risk control?

Risk control is a business strategy that involves identifying potential risks and taking actions to reduce or eliminate them. It aims to minimize the impact of potential losses.
