Project Management Guide

What is Residual Risk?

Residual risk is the amount of risk left over after actions have already been taken to address threats. In project management, it is important to identify any risks that could potentially derail a project. Efforts should be taken to mitigate these risks, including the introduction of security controls to either eliminate a threat completely or reduce its negative impacts. Residual risk is what remains after these controls have been implemented.

A residual risk example could be the use of child-resistant packaging in product development. Here, a medical manufacturer would place a safety cap on every bottle of prescription drugs to reduce the risk of a young child opening the bottle and ingesting the medication. However, this step does not eliminate the threat entirely, as there is still a residual risk that the child could gain access to the medication inside.

How to calculate residual risk

To calculate residual risk, you can use this simple formula:

 Residual risk = (inherent risk) - (impact of risk controls)

First, you must identify the inherent risk in your project. This includes determining the recovery time, scale of impact, and level of probability associated with this risk. Then, you outline your risk controls. To mitigate threats, you need to evaluate your resources, decide what controls can be put in place, and assign people to related tasks. When these controls have taken effect, and you have determined their impact, you can calculate your residual risk.

Residual risk vs. secondary risk

Secondary risk is a risk that arises as a direct result of an action taken to mitigate an existing threat. Unlike residual risk, it is not related to the initial threat — it is related to the response taken to eliminate this threat.  

For example, a project manager may be employing a UK-based supplier to manufacture and deliver product parts. In the wake of Brexit, the project manager may become concerned about potential delays caused by new regulations, so they switch to a US-based supplier to eliminate this risk. However, this new supplier delivers poor-quality materials, leading to a faulty batch and a product recall that risks the reputation of the organization. The negative outcome of the decision to switch suppliers is a secondary risk.

How to manage residual risk

To manage residual risk in project management, you must first determine if it is at an acceptable level. There will always be an element of risk in any business situation, but a project manager needs to ensure they are doing enough to minimize it. Professional services company Deloitte explains that additional measures must be taken “if existing risk mitigation strategies are insufficient at reducing residual risk to an acceptable level.”

To successfully manage residual risk, keep the following tips in mind:  

  • Boost your security: Control access to your data with enhanced privacy measures such as Wrike Lock. Manage your own encryption keys to control cloud data and reduce privacy risks.
  • Prepare for change: Ensure you have all the tools you need to handle a crisis effectively. Use a business continuity template to create a roadmap to navigate change.
  • Communicate with your team: You may have introduced a strong strategy for risk management, but are your team members following it? Host regular meetings and communicate any project concerns in custom fields to highlight project risk factors.
