Most of us in the IT industry are used to calculating our risk probability and impact scores when the risk is first identified, and that is the score that accompanies the risk event throughout all our reporting. We may go one step further and calculate a dollar cost or effort cost for the risk event (though rarely), but that initial score is the one that stays with the risk throughout the project and the one we report on. The scores we are reporting are those of the unmitigated risk. For risks we accept, this is appropriate, but when we devise and deploy a strategy to mitigate the risk, it is not the only score that is relevant.
Just as important as the score of the unmitigated risk is its score after we devise the mitigation strategy. Once the strategy has been implemented, this score is probably more important than the original one, because it is the score that measures the effectiveness of the strategy. This score is called the residual risk.
The objective of mitigation is to avoid the risk, in which case the residual risk would be 0, or to reduce its probability or its impact. How much we succeed in reducing probability and/or impact determines the residual score, and this score should be less than the probability-impact (PI) threshold we have set for the project. If it isn't, we should continue to investigate possible strategies until we find one that does reduce it below the threshold. We also need to revisit the strategy periodically to determine its current effectiveness. Assessing the effectiveness of the strategy should be done by re-evaluating the probability and impact of the risk event given the mitigation strategy and the current state of the project. The residual score should be less than the threshold; if it isn't, you will have to explore new strategies.
We should also report the amount of residual risk when reporting on risk to the project. Reporting on risk as though it were unmitigated is misleading: if the scores are the same as they were before mitigation, what was the risk budget spent on? Risk management requires a budget, because mitigation strategies cost money. The justification for that spend should be a business case in which the benefits exceed the cost. The cost is the cost of the mitigation strategies for the project. The benefit is the amount of risk reduction (reduction = initial PI - residual PI). Reporting to your project in this way will tell them what they are getting for their money. Reporting on the residual risk will inform your stakeholders of how much risk the project is exposed to. Including the threshold for the project will tell them that project risk is being managed as planned (provided all risks are below the threshold). Where there are risks not below the threshold, you need to provide an explanation or plan.
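The scoring and reporting described above, as an added example (not part of the original article). It assumes probability is expressed as 0.0 to 1.0 and impact in currency units, so that a PI score is an expected loss and is directly comparable with the mitigation cost in the business case; the risk names, figures and threshold are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    probability: float                 # initial probability, 0.0 - 1.0 (assumed scale)
    impact: float                      # initial impact in currency units (assumed)
    strategy: str                      # "accept", "avoid" or "reduce"
    residual_probability: Optional[float] = None   # used only for "reduce"
    residual_impact: Optional[float] = None        # used only for "reduce"
    mitigation_cost: float = 0.0       # what the strategy costs the project


def pi_score(probability: float, impact: float) -> float:
    """Probability-impact score; rounded to avoid float noise in reports."""
    return round(probability * impact, 2)


def residual_score(risk: Risk) -> float:
    """Score after mitigation: 0 if avoided, unchanged if accepted, else re-rated."""
    if risk.strategy == "avoid":
        return 0.0
    if risk.strategy == "accept":
        return pi_score(risk.probability, risk.impact)
    return pi_score(risk.residual_probability, risk.residual_impact)


def assess(risk: Risk, threshold: float) -> dict:
    """One report row: initial vs residual score, reduction, cost, business case."""
    initial = pi_score(risk.probability, risk.impact)
    residual = residual_score(risk)
    reduction = round(initial - residual, 2)          # reduction = initial PI - residual PI
    return {
        "name": risk.name,
        "initial": initial,
        "residual": residual,
        "reduction": reduction,
        "cost": risk.mitigation_cost,
        # business case holds when the benefit (reduction) exceeds the cost; N/A if nothing was spent
        "justified": reduction > risk.mitigation_cost if risk.mitigation_cost > 0 else None,
        "below_threshold": residual < threshold,
    }


def risk_report(risks: list, threshold: float) -> tuple:
    """Rows for every risk plus the names that still need an explanation or plan."""
    rows = [assess(r, threshold) for r in risks]
    needs_plan = [row["name"] for row in rows if not row["below_threshold"]]
    return rows, needs_plan


# Constructed sample register; threshold is the project's agreed PI limit.
SAMPLE_RISKS = [
    Risk("Vendor delivery slips", 0.4, 20000, "reduce", 0.1, 20000, mitigation_cost=1500),
    Risk("Key engineer leaves", 0.2, 30000, "accept"),
    Risk("Legacy API deprecated", 0.5, 12000, "avoid", mitigation_cost=4000),
]
```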