Every project comes with risks — it’s part of the game. But what happens after you respond to a risk? That’s where residual and secondary risks come into play.
These two types of risk often confuse even experienced project managers. Yet understanding them is critical — not just for passing the PMI-RMP® exam, but for confidently leading complex projects in dynamic environments.
In this guide, you’ll learn:
The clear difference between residual and secondary risks
How to identify and manage both types during the project life cycle
Why documenting these risks is essential for stakeholder trust and project success
What is Residual Risk?
Residual risk is the risk that remains after you’ve implemented a risk response.
Think of it like this: you fix a leaky pipe by wrapping it in tape — it’s better, but not perfect. There’s still a chance of water dripping later. That lingering possibility? That’s your residual risk.
PMI Definition (simplified):
Residual risks are the leftover risks that persist even after mitigation, transfer, or avoidance strategies have been applied.
Example:
If your team mitigates a resource shortage by hiring contractors, you’ve reduced the risk of delay. But the learning curve for new team members might still slow you down slightly. That slower pace? Residual risk.
What is Secondary Risk?
Secondary risk is a new risk that arises because of your risk response.
Using the same leaky pipe example — suppose the tape holds the leak but now causes pressure to build elsewhere in the plumbing. That new burst risk? It’s a secondary risk created by your original fix.
PMI Definition (simplified):
Secondary risks are risks introduced as a direct result of implementing a risk response.
Example:
You mitigate scope creep by automating approvals through a new software tool. But the software introduces a risk of delays due to integration bugs. That’s a secondary risk.
Key Differences: Residual and Secondary Risk
| Aspect | Residual Risk | Secondary Risk |
|---|---|---|
| Origin | Remains after a response | Created by the response itself |
| Timing | Often anticipated and tracked alongside the response | Sometimes unforeseen; requires follow-up risk analysis |
| Example | Leftover risk of delay after adding resources | New risk of budget overrun due to added resources |
| Documentation | Goes in the risk register as “remaining exposure” | Goes in the register as a new risk item |
Why These Risks Matter
Tracking both residual and secondary risks is essential for project success and exam success.
For Real-World Projects
Prevent escalation of unmanaged risks
Build credibility with stakeholders by showing awareness of follow-up consequences
Support informed decision-making and contingency planning
For PMI-RMP® Exam Prep
These terms appear frequently in scenario-based questions
You may be asked to identify whether a described risk is residual or secondary
Being able to explain the distinction shows mastery of the risk process facilitation domain
How to Identify Residual and Secondary Risks
Here’s a quick mental checklist:
Is the risk the same one I tried to address, just reduced?
→ That’s a residual risk.
Did a new risk appear only because of my response?
→ That’s a secondary risk.
Make it a habit to perform a post-response risk analysis anytime you implement a risk strategy. Ask:
What remains?
What new threats have we introduced?
Both answers belong in your risk register — with clear ownership and response strategies.
Real-World Project Examples
A large IT project mitigated a cybersecurity risk by implementing multi-factor authentication (MFA).
Residual Risk: Users might still share passwords, keeping some exposure.
Secondary Risk: The added login steps caused user frustration and increased help desk tickets — a brand-new issue introduced by the response.
Key Takeaways
Residual risks = what’s left after you respond.
Secondary risks = what’s created by your response.
Both must be identified, documented, and managed.
Understanding these helps you manage projects more effectively and pass the PMI-RMP® exam.
About 44Risk PM, LLC
This analysis was prepared by 44Risk PM LLC, specializing in PMI-RMP® and PMP® certification training with a focus on practical, real-world risk management.
Contact:
Russ Parker
PMP®, PMI-RMP®, PMI-ACP®
PMI-ATP Instructor – PMP® & PMI-RMP®
Owner, Forty-Four Risk PM, LLC
“Stay Proactive Over Reactive”