
A Complete Guide to Managing Residual Risk in Project Planning

Every project carries a degree of risk, whether tied to operations, finances, security, or compliance. Project managers develop detailed mitigation plans to minimize exposure, but some risks remain even after every control has been applied.

Take cybersecurity, for example. You might implement firewalls, endpoint protection, employee training, and multi-factor authentication. Yet, a third-party audit might still flag the possibility of phishing attempts or zero-day attacks slipping through. These are residual risks, the threats that persist after all known mitigation efforts are in place.

Residual risks are not a result of poor planning. They’re a natural outcome of working in complex, evolving environments. The challenge is not just identifying them, but evaluating their potential impact and building a plan to manage them proactively.

So what exactly is a residual risk? How do you quantify it, and what factors make it more likely to affect your project outcomes? In the next sections, we’ll break down how to calculate residual risk, identify its drivers, and adopt practical methods to keep it under control. But first, let’s define it clearly.

What is a residual risk? 

Residual risks are the remaining threats that persist after implementing a risk response strategy.

For example, your QA team may attend training sessions for a new project management tool. Testing may still be delayed by the learning curve even after the training, but the likelihood is now much lower. You accept this residual risk.

Some practitioners use “inherent risk” and “residual risk” interchangeably, but the two refer to different stages of the risk management process. In simple terms, inherent risk is the risk before any controls are applied, while residual risk is what remains after those controls are in place.

How to explain residual risk?

It can be a challenge to explain residual risks to decision-makers who lack a technical background. 

So, how do you explain them?

Start by breaking it down into three key parts:

  1. What the original risk was
    For example: “There’s a risk of data breaches during client onboarding.”

  2. What controls have been put in place
    Like: “We’ve introduced two-factor authentication and encryption for all data.”

  3. What’s still left despite those controls
    Then say: “Even with these security steps, there’s still a small risk if an attacker finds a new way to break in. That’s the residual risk.”

This is a straightforward structure to explain residual risk without sounding too technical. 

Remember: 

  • Always use a residual risk example from your project or industry to make your point more relatable.
  • Clearly explain how residual risk is not a sign of failure but rather an acceptance of the reality that no system is 100% safe or perfect. 

When teams grasp this concept, they’re better equipped to respond when unexpected issues arise.

Factors influencing residual risk 

Residual risk depends on several elements: the inherent risk, the controls applied to it, and external factors such as regulatory changes and market volatility. Here are the common drivers that determine how much risk remains after treatment.

1. Inherent risk level

As we previously discussed, inherent risk and residual risk are not the same. Inherent risk in a project refers to the level of risk that exists naturally within a project or its environment, before any risk management or control measures are implemented. It’s often considered the baseline risk embedded in your project’s environment, industry, or process type.

For instance, constructing a bridge over a river inherently carries environmental risks, even before any planning or mitigation begins. 

2. Risk controls

Control measures are implemented to reduce the likelihood and impact of identified risks. Firewalls that protect data and safety gear that prevents workplace injuries are typical examples of risk controls.

Even strong controls have limitations and rarely eliminate risk entirely:

  • Strong, updated controls = less residual risk
  • Weak, outdated controls = higher residual risk 

Even a well-documented quality measure might fail if lab equipment is not calibrated on schedule. 

3. Human error

Even in well-controlled environments, human error remains a consistent source of residual risk. There is always a chance that you may skip a step, misread instructions, or simply overlook a risk in high-pressure or repetitive environments.

For instance, a highly trained project manager sends sensitive client data to the wrong email address during a busy shift. That momentary lapse leads to a data breach. This is a classic example of residual risk due to human error.

4. External factors

External factors, such as regulatory changes, economic instability, or natural disasters, can create new vulnerabilities that internal systems are not equipped to handle. Even with strong controls in place, these unpredictable influences persist and contribute to your residual risk.

For instance, an updated GDPR requirement can quickly introduce residual risks, even if your internal code is flawless. 

5. Speed of response

Residual risk is also influenced by how quickly your team responds to internal or external threats. Delays in action can amplify impact, whereas swift, coordinated responses can contain or mitigate risk. So besides planning, your preparedness also counts in minimizing residual risks in project management.

For instance, your logistics team spots a supply chain issue. If they take too long to reroute deliveries from a backup supplier, the entire project could face delays, increasing your residual risk.

Understanding these factors helps you perform a smarter residual risk calculation and make better decisions for your projects. 

How do you calculate residual risk? 

To calculate residual risk, you identify each risk, rate its likelihood and impact before any controls, and then rate both again with your controls in place.

Here is a step-by-step process to follow for residual risk calculation.

Step 1: Identify the inherent risks – List all potential risks that could impact your project before any controls are applied. 

Step 2: Assign likelihood – For each risk identified in Step 1, evaluate the probability of the risk occurring on a scale of 1-10.

Step 3: Assign impact – For each identified risk, evaluate the potential damage or disruption it could cause on a scale of 1-10. 

Note:

You can use a three-point or five-point scale instead of 1-10 in Steps 2 and 3, as long as you use the same scale for both likelihood and impact. Mixing scales skews the score in Step 4 toward whichever dimension has the wider range.

Step 4: Calculate risk score – Multiply likelihood by impact. If the likelihood of Risk X is five and the potential impact is two, its risk score is ten.

Doing this for every risk identified in Step 1 gives you each risk’s inherent score and shows which ones would hit your business hardest. To arrive at the residual score, rate likelihood and impact again with your controls in place and multiply; the difference between the inherent and residual scores is the effect of your controls (the formula in the FAQ below). A residual score is rarely zero, because no control removes a risk completely.

This simple approach to residual risk calculation helps you plan better and prepare for what could still go wrong after the necessary measures are in place.
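The scoring procedure above, worked through on a small risk register. This is an added example, not code or data from the original article: the risk names, the 1-10 ratings, the number of scale points each control removes, and the risk-appetite threshold are all illustrative assumptions. It goes one step beyond the text by mapping each residual score onto a treatment option, so you can see which risks you would accept and which still need work.

```python
# Added example: scoring a risk register for inherent and residual risk.
# All names, ratings, control reductions and the appetite threshold are
# constructed assumptions for illustration, not figures from a real project.
from __future__ import annotations

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 10  # one scale for BOTH likelihood and impact


def validate_rating(value: int, label: str) -> int:
    """Steps 2 and 3: every rating must sit on the agreed scale."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer in {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return value


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent rating, before controls
    impact: int      # inherent rating, before controls
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        validate_rating(self.likelihood, "likelihood")
        validate_rating(self.impact, "impact")

    def inherent_score(self) -> int:
        """Step 4: likelihood x impact (5 x 2 = 10 in the article's example)."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Controls reduce but never eliminate: floor at SCALE_MIN so residual > 0.
        reduced = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(SCALE_MIN, reduced)

    def residual_impact(self) -> int:
        reduced = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(SCALE_MIN, reduced)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.residual_impact()

    def control_effect(self) -> int:
        """The FAQ formula rearranged: inherent - residual = impact of controls."""
        return self.inherent_score() - self.residual_score()


def recommend(risk: Risk, appetite: int) -> str:
    """Map a residual score onto the treatment options (thresholds are assumptions)."""
    if risk.residual_score() <= appetite:
        return "accept"
    if risk.residual_impact() >= 7:
        # High impact that controls could not bring down: transfer it or plan for it.
        return "transfer or response plan"
    return "add controls"


def score_register(risks: list[Risk], appetite: int) -> list[dict]:
    """One row per risk, worst residual first."""
    rows = [
        {"risk": r.name, "inherent": r.inherent_score(),
         "residual": r.residual_score(), "action": recommend(r, appetite)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (assumed values, not real project data).
REGISTER = [
    Risk("Data breach during client onboarding", likelihood=6, impact=9,
         controls=[Control("Two-factor authentication", likelihood_reduction=3),
                   Control("Encryption at rest and in transit", impact_reduction=2)]),
    Risk("Phishing of project staff", likelihood=8, impact=5,
         controls=[Control("Security awareness training", likelihood_reduction=2)]),
    Risk("QA delayed by new tool learning curve", likelihood=7, impact=3,
         controls=[Control("Tool training for QA team", likelihood_reduction=4)]),
    Risk("Risk X (article example, no controls yet)", likelihood=5, impact=2),
]
APPETITE = 12  # assumed: residual scores at or below this are accepted

if __name__ == "__main__":
    for row in score_register(REGISTER, APPETITE):
        print(f"{row['risk']:<45} inherent={row['inherent']:>3} "
              f"residual={row['residual']:>3} -> {row['action']}")
```

The floor at the bottom of the scale is deliberate: it encodes the article's point that no control drives risk to zero, so every row keeps a non-zero residual even when several controls stack up.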

The next step is to manage residual risks effectively to prevent disruptions or negative impacts on your project.

Methods to manage and mitigate residual risk 

To deal with residual risk, organizations typically apply one or more of the following approaches.

1. Accept the risk (When it’s low)

All residual risks should be evaluated, but not every risk demands a response. If the likelihood is low and the potential impact is minimal, it may be more practical to accept the risk rather than allocate resources to mitigate it.

For instance, if you’re launching a mobile app, there is a very small risk that it might crash on outdated device models used by only 1% of your target audience. It’s better to accept the risk and monitor user feedback rather than spend time and money fixing a rare issue.

2. Add extra controls

If the residual risk is still high, you can introduce extra safety measures to reduce its effect even more.

For example, on a construction site, there’s still a chance that tools might fall from above, even after standard safety measures are followed. To manage this residual risk, project managers can expand the restricted zones below the work area, reducing the chance of injury and bringing the risk to an acceptable level.

3. Transfer the risk

You can also transfer the financial consequences of a residual risk to a third party, such as an insurer or an outsourcing partner. This does not remove the risk itself, and you remain accountable for the outcome, but it limits the impact on your business.

That’s why organizations go for event insurance or hire an event agency while planning a corporate event. If things go wrong, like bad weather, the burden isn’t fully on you. 

4. Build a response plan

Even after applying every possible control, some high-impact residual risks may remain. In such cases, the best course of action is to develop a detailed response plan in advance. This plan should clearly outline the steps to take if the risk materializes, including who is responsible and the time frame for executing actions to minimize damage.

For example, if your company faces a phishing attack, your response plan should include:

  • Assigned members of the incident response team
  • A data breach checklist with clear steps
  • Automated alerts for suspicious activity
  • A backup system that can be activated without delay

Building a response plan often involves gathering input from multiple departments, including product, engineering, IT security, and legal. Without a structured system in place, this process can quickly become fragmented and inefficient.

That’s why it’s important to use a collaborative platform that allows teams to contribute, vote, and align on priorities in one place. A product roadmap helps plan features and is also a powerful tool for organizing and finalizing contingency plans.

The Product Roadmap & Idea Portal for JSM helps centralize communication, streamline stakeholder input, and accelerate decision-making, so your response plans are actionable and ready when needed.

Real-world examples of residual risk 

To better understand residual risk, consider these practical scenarios where some level of risk remains despite best efforts.

Residual risk example: Car insurance depreciation

A brand-new car begins to depreciate the moment it leaves the dealership. If it’s totaled in an accident, your insurance payout may reflect the car’s current market value, not the full amount you paid. The residual risk here is the financial gap not covered by insurance, despite having a comprehensive policy.

Residual risk example: Cloud cybersecurity threats

Let’s say you are using cloud computing for cost savings and flexibility. Under the shared responsibility model, the provider secures the underlying platform, but protecting your data, identities, and configuration remains your job. Even if you are using firewalls, antivirus software, and strong authentication to protect that data, there’s still a chance of a breach, maybe through phishing or a new kind of attack. This remaining exposure, after all known controls are applied, is the residual risk.

Conclusion 

Residual risks become visible only after risk treatment measures have been implemented, so managing them comes down to deciding what level of remaining risk the organization is willing to accept in a given scenario.

Begin by identifying the key factors that influence residual risk. These include the strength and currency of your current controls, the likelihood of human error in day-to-day operations, and unpredictable external events such as market shifts or policy changes. Once you have a clear picture, assess each risk in terms of both its potential impact and likelihood. Based on this evaluation, decide whether the risk is acceptable as-is, needs further controls, should be transferred to another party (through insurance or outsourcing), or requires a detailed response plan.

Most importantly, managing residual risk isn’t a solo effort. It requires strong collaboration across teams, where everyone understands their role and works together to respond quickly and effectively.

FAQs 

1. How to evaluate overall residual risk?

To evaluate overall residual risk, list all possible dangers, apply control measures and then assess what risks remain. Look at how likely each risk still is and what its impact could be after controls are in place.

2. What is the residual risk factor?

The residual risk factor shows how much risk is still there after you’ve tried to reduce it. It helps you determine whether the remaining risk is acceptable or if further action is required to ensure your project’s safety.

3. What is the residual risk assessment methodology?

This method involves finding the original risk, applying control steps, and then checking what risks are left. It uses scoring or simple formulas to measure the leftover risk and helps you decide the next steps for your project.

4. What is the formula for calculating residual risk?

You can calculate residual risk using this formula: Residual risk = Inherent risk – Impact of controls. Here “impact of controls” is the reduction in likelihood and impact that your controls actually deliver, so the result tells you how much risk remains after you have put controls in place to lower it.
