Topic 7.8: Secondary residual risk
A classic example of residual risk arises when you take out insurance to cover a risk event.
Let’s say that as a management consultant you identify the risk that you might unwittingly give out poor advice, and that leads to you being sued for damages by your client.
Your probability / impact assessment might determine that, whereas the risk of giving bad advice might be low, the impact of a large damages award against you would be massive – enough to send you bankrupt.
Your response therefore might be to share the financial risk of this event occurring with an insurance agency.
In the event that someone does sue you, the insurance agency agrees to pay your costs above $10,000, up to $10,000,000.
This type of insurance is fairly common, and is called professional indemnity or professional liability insurance.
The residual risk in this instance is the $10,000 you still have to pay if you are sued while insured, and any sum greater than $10,000,000 – time then for another probability / impact assessment!
The probability of being sued is still the same, but now the impact is only $10,000, which you feel is also low.
Although the impact of any cost award above $10,000,000 may still be massive, you know that the chance of being sued for that much, multiplied by the probability of being sued in the first place, is really, really low – so low that it is not worth worrying about.
Therefore, having moved your risk from medium to low, you will probably accept the residual risk, checking occasionally to ensure that your assumptions are still valid.
Residual risk is therefore any risk left over or not addressed by your risk treatment.
It is important that you continue the risk management process with residual risks to the point where they are either eliminated or you are comfortable accepting them.
Let’s suppose you identify that there are too many near-critical paths in your schedule, and that given the uncertainty of some of your time estimates, there is a medium-to-high probability that your schedule will slip (that is, fall behind).
The impact of this would be late delivery of the project which would upset your client, allowing them to invoke penalty clauses in your contract.
You might therefore have a couple of choices.
You can respond by trying to remove the likelihood that the risk will occur, by assigning more resources to the project.
The secondary risk of this – that is, the risk created by your response – will be an increase in costs, which will reduce your profit.
You could also try to change the consequences of the risk, by negotiating a new delivery date with the client.
The secondary risk of this, however, might be a loss of business reputation.
What you need to do then is go back and analyse the two secondary risks – reduced profit and loss of reputation – to determine which is more acceptable to your stakeholders.
In other words, what is their likely tolerance of the alternatives?
Once again you could use the probability / impact assessment technique; but if there is no obvious winner, you can consult directly with stakeholders.
Notice, too, what we meant earlier by choices not being mutually exclusive.
In this case you might respond by increasing costs and delaying the schedule by small amounts, instead of adopting an all-or-nothing solution.