7.8 Secondary and residual risk

Residual risk

Short of avoiding a risk altogether, when we come up with a risk response, we are not always able to remove the entire risk.

A classic example is when you take out insurance to cover a risk event.

Let’s say that as a management consultant, you identify the risk that you might unwittingly give out poor advice, leading to you being sued for damages by your client. 

Your probability/impact assessment might determine that, although the risk of giving bad advice might be low, the impact of a large damages award against you would be massive – enough to send you bankrupt.

Your response therefore might be to share the financial risk of this event occurring with an insurance agency. 

In the event that someone does sue you, the insurance agency agrees to pay your costs greater than $10,000, up to a maximum of $10,000,000.

This type of insurance is relatively common, and is called professional indemnity or professional liability insurance.

The residual risk in this instance is the $10,000 you still have to pay if you are sued while insured, and any sum greater than $10,000,000 – time then for another probability/impact assessment!

The probability of being sued is still the same, but now the impact is only $10,000, which you feel is also low. 

Whereas the impact of any cost award above $10,000,000 may still be massive, you know that the chance of being sued for that much multiplied by the probability of being sued in the first place is really, really low – so low, it is not worth worrying about.

Therefore, having moved your risk from medium to low, you will probably accept the residual risk, checking occasionally to ensure that your assumptions are still valid.

Residual risk is, therefore, any risk left over or not addressed by your risk treatment. 

It is important that you continue the risk management process with residual risks to the point where they are either eliminated or you are comfortable accepting them.


Secondary risk

A secondary risk is a risk created by your risk response.

Let’s suppose you identify that there are too many near-critical paths in your schedule, and that given the uncertainty of some of your time estimates, there is a medium to high probability that your schedule will slip (which means fall behind).

The impact of this would be late delivery of the project, which would upset your client, allowing them to invoke penalty clauses in your contract.

You might, therefore, have a couple of choices.

  • You can respond by removing the likelihood that the risk will occur, by assigning more resources to the project. The secondary risk of this – the risk created by your response – will be an increase in costs, which will reduce your profit.
  • You could also try to change the consequences of the risk, by negotiating a new delivery date with the client. The secondary risk of this, however, might be a loss of business reputation.

What you need to do then is go back and analyze the two secondary risks – reduced profit and loss of reputation – to determine which is more acceptable to your stakeholders. 

In other words, what is their likely tolerance of the alternatives?

Once again, you could use the probability/impact assessment technique, but if there is no obvious winner, you can consult directly with stakeholders.

See, too, what we meant earlier by choices not being mutually exclusive? 

In this case, you might respond by increasing costs and delaying the schedule by small amounts instead of adopting an all-or-nothing solution.
