A secondary risk is a new risk that didn’t exist before and only appears because you took action to deal with an original risk. It’s the unintended consequence of your risk response. If you hadn’t implemented that response, the secondary risk would never have surfaced.
The concept comes up most often in project management, but it applies anywhere decisions are made to control one problem and inadvertently create another. Understanding secondary risks matters because ignoring them can leave you worse off than the original threat.
How Secondary Risks Differ From Residual Risks
These two terms get confused constantly, but they describe very different things. A residual risk is whatever portion of the original risk remains after you’ve responded to it. You took action and reduced the threat, but some exposure still lingers. A secondary risk is something entirely new, a separate problem born from the response itself.
Think of it this way: you’re worried about flooding in your basement, so you install a sump pump. The residual risk is that some minor water damage could still occur despite the pump. The secondary risk is that the pump’s electrical connection could create a fire hazard, something that was never a concern before you installed it. Residual risks are managed with contingency plans (accepting what’s left over), while secondary risks require their own dedicated response plans because they’re genuinely new threats that need assessment on their own terms.
A Simple Example
Imagine you’re managing a construction project and identify a risk that your key supplier might deliver materials late. Your response is to hire a second supplier as a backup. That solves the delivery problem, but now you’ve introduced a secondary risk: coordinating two suppliers creates the possibility of receiving incompatible materials, duplicated orders, or conflicting delivery schedules. None of these problems existed when you had one supplier. They exist only because of the action you took.
Another common example: a project team is behind schedule, so the response is to add more people. The secondary risk is that onboarding new team members actually slows things down further in the short term, because existing staff spend time training instead of working. The fix created a new problem.
Secondary Risk in Medicine
The concept extends well beyond project management. In healthcare, treating one condition can generate entirely new health risks, and these follow the same logic as secondary risks in any other field.
Cancer treatment provides some of the clearest examples. Radiation therapy, while effective against a primary tumor, carries a risk of causing a second, unrelated cancer in the treated area. Bone and soft-tissue cancers are the most common ones linked to radiation exposure, but skin, brain, thyroid, and breast cancers can also develop in the radiation field. These cancers wouldn’t have occurred without the treatment itself.
Chemotherapy follows a similar pattern. Certain classes of cancer drugs are associated with the development of secondary leukemia, typically appearing 4 to 7 years after treatment. For other drug types, the timeline is shorter, around 1 to 3 years. The treatment for Hodgkin’s disease illustrates this well: radiation therapy is associated with secondary solid tumors, while the chemotherapy regimens are linked to secondary leukemia. The life-saving treatment is the direct cause of a new, distinct health risk.
Even targeted hormonal treatments can create secondary risks. Medications designed to block estrogen in breast cancer tissue can act as weak estrogen promoters elsewhere in the body, raising the risk of uterine cancer. The response to one cancer becomes the source of risk for another.
When to Identify Secondary Risks
Secondary risks should be evaluated at the moment you design your risk response, not after you’ve already implemented it. Every time you create a plan to avoid, transfer, or reduce a risk, the next step is to ask: “What new problems could this response create?”
In formal project management frameworks like the PMBOK Guide, secondary risks are treated with the same seriousness as primary risks. They get documented in the risk register, analyzed for probability and impact, and assigned their own response plans. Skipping this step is one of the most common mistakes in risk management, because teams focus so heavily on solving the original problem that they don’t examine what their solution might introduce.
The identification process is straightforward. For each planned risk response, walk through the mechanics of implementation and look for new exposures. If you’re outsourcing work to avoid a staffing risk, consider vendor reliability, intellectual property exposure, and communication delays. If you’re adding safety features to a product, consider whether those features introduce complexity that creates new failure points. The goal isn’t to avoid responding to risks altogether. It’s to go in with your eyes open about what your response might cost you.
Managing Secondary Risks in Practice
Once identified, secondary risks follow the same management cycle as any other risk. You assess how likely they are and how much damage they could cause, then decide on a proportional response. Sometimes a secondary risk is minor enough that you simply monitor it. Other times, it’s serious enough to reconsider the original response entirely.
This is where the concept gets recursive, and it’s worth being honest about that. Your response to a secondary risk could, in theory, create yet another secondary risk. In practice, this chain usually stops after one or two levels because each subsequent risk tends to be smaller and more manageable than the last. The important discipline is to check for secondary risks at each level rather than assuming your fix is clean.
Teams that handle this well build secondary risk analysis directly into their planning templates. Rather than treating it as an afterthought, they make it a required field: for every risk response, document at least one potential secondary risk or explicitly note that none were identified. This simple habit catches problems early, when they’re cheapest to address and easiest to prevent.

