Residual Risk
Residual Risk is the level of risk remaining after risk response measures have been implemented, essential for deciding the acceptability of proceeding with a procurement.
Every procurement carries risk, no matter how carefully you plan. What matters is understanding what's left after you've done everything reasonable to protect your project. That's where residual risk comes in—it's the exposure that remains even after you've implemented your mitigation strategies, and it determines whether you can actually proceed with confidence.
How It Works
Think of it this way: you identify a risk that your supplier might not deliver on time. You build in contract penalties, require progress reports, and establish backup vendors. Good work. But some chance of delay still exists—that's your residual risk. The CIHR Risk Management Guidelines describe this formally as the level of risk remaining after controls have been applied, and they require you to classify it as high, medium, or low based on your organization's tolerance.
Here's the thing: you can't eliminate every risk. Trying to do so would paralyze procurement entirely. Your job is to determine whether what remains falls within acceptable bounds. The Harmonized Threat and Risk Assessment Methodology, issued by the Canadian Centre for Cyber Security, provides a structured approach for this assessment. You document the original risk, detail your risk response measures, then evaluate what's left. If that residual level exceeds your tolerance, you need additional controls or you don't proceed.
In practice, federal departments handle this through formal documentation requirements. The CIHR guidelines specify that your response to residual risk must be documented and communicated to all necessary parties—not just filed away. This means briefing decision-makers, updating risk registers, and ensuring contracting authorities understand what they're accepting when they sign off. PSPC applies these principles across its procurement activities, though the Supply Manual doesn't provide specific residual risk thresholds, leaving that determination to individual program areas based on their risk appetite.
Key Considerations
Tolerance varies by context: A medium residual risk might be acceptable for office supplies but unacceptable for mission-critical IT systems. Define your organization's tolerance level upfront, not after you've calculated what remains.
It changes over time: Your residual risk assessment isn't static. As project conditions shift or new information emerges, what seemed acceptable at contract award might become problematic during execution. Regular reassessment matters.
Documentation is mandatory: Federal policy requires formal records of how you assessed residual risk and who accepted it. This protects you during audits and provides institutional knowledge for future procurements.
Senior approval may be required: High residual risk typically needs sign-off from executives or Treasury Board, depending on your delegation of authority. Don't assume you can accept significant exposure on your own.
The question isn't whether residual risk exists—it always does. The question is whether you've identified it, documented it properly, and gotten the right level of approval before moving forward.
Related Terms
Risk Response, Risk Register, Risk Assessment