
Risk

Use the register; do not worship the register

A risk register is a living document that records the risk, likelihood, impact, owner, response plan and current status. It is useful because it makes invisible worries visible. It turns “I thought someone was handling that” into “Anna owns this, and the backup supplier is already identified.”

But the register is not magic. A red box on a spreadsheet does not manage anything by itself. Risk scoring is also not objective truth. People guess badly, especially when they are emotionally attached to the project. The value is not in pretending the matrix is scientific. The value is in forcing the conversation before reality does it for you.

The four-step risk habit

Risk management can be kept simple.

First, identify the risks. Ask: what could go wrong, what could change, who could block this, what are we assuming, and where are we most exposed? Talk to the people closest to the work, not only the people managing it. Frontline staff and volunteers often see problems earlier than leadership does.

Second, assess the risks. A simple risk matrix is enough for most small projects. Score each risk for likelihood and impact from 1 to 5. A low-likelihood, low-impact risk can be watched. A high-likelihood, high-impact risk needs action.

Third, choose a response. You can avoid the risk by changing the plan, transfer it through insurance or contracts, reduce it by taking preventive action, or accept it if the cost of preventing it is greater than the risk itself. Not every risk deserves a dramatic intervention. Some just need a sensible owner and a backup plan.

Fourth, review it regularly. Risks change as the project moves. A supplier delay that was minor in week one may become catastrophic in week six. A funding uncertainty may disappear. A new stakeholder may create a new risk. The register should move with the project.

Planning for misbehaviour

Risk management is not pessimism. It is the part of planning where you stop pretending the plan will behave.

Every project starts with a story about how things are supposed to go. The grant arrives on time. The supplier delivers. The volunteer stays involved. The website works. The committee makes a decision before the deadline. Lovely. Unfortunately, projects have a habit of developing personalities.

For small businesses and charities, risk often gets managed informally. People keep concerns in their heads, mention them casually in meetings, or assume they will “deal with it if it happens.” That can work for very small tasks. It does not work when money, reputation, public trust, compliance, clients, volunteers, or deadlines are involved. At that point, risk management is not bureaucracy. It is basic self-defence.

Risk is not the same as a problem

A risk is something that might happen and could affect the project. An issue is something that is already happening. A constraint is something you already know you are stuck with.

A risk might be: “Our main volunteer coordinator may become unavailable during the campaign.”
An issue is: “Our volunteer coordinator has left.”
A constraint is: “We only have €2,000 and the event must happen before the end of June.”

This difference matters because risks give you time to prepare. Issues demand action. Constraints shape what is possible from the start. Mixing them together creates fog, and fog is where bad project decisions go to breed.

Why small organisations get caught out

Small organisations usually do not ignore risk because they are careless. They ignore it because they are busy, under-resourced and trying to keep the thing alive. In a charity, the same person may be dealing with funding, volunteers, reporting and delivery. In a small business, the person managing the project may also be serving customers, chasing invoices and fixing the printer because apparently that is their destiny now.

The danger is that informal risk management depends on memory, optimism and whoever happens to be paying attention. It also hides ownership. Everyone vaguely knows there might be a problem, but nobody is clearly responsible for watching it, reducing it, or deciding when it becomes serious.

That is how a manageable risk becomes a crisis with better lighting.

The risks worth looking for

Most project risks in small organisations fall into a few predictable categories.

Financial risks include funding gaps, cost overruns, late payments, weak sales, or a project that quietly becomes more expensive than anyone wants to admit.

People risks include volunteer dropout, staff absence, unclear roles, weak leadership, or one over-reliable person becoming the entire project infrastructure.

Supplier and technical risks include delayed materials, system failures, website problems, poor-quality external work, or depending on a tool nobody fully understands.

Stakeholder risks include slow approvals, committee disagreement, user backlash, reputational damage, or a client changing their mind after everyone has already built the thing.

Compliance and legal risks include data protection, health and safety, insurance, contracts, safeguarding, accessibility and any other area where “we didn’t realise” is not a strategy.

The point is not to become paranoid. The point is to look directly at the obvious failure points before they become expensive.

Strategy is not planning

Strategy, planning, implementation and governance are related, but they are not the same thing.

Strategy chooses the direction. Planning works out the route, resources, timeline and responsibilities. Implementation does the work. Governance checks whether the work still makes sense, still has authority, and still deserves support.

Confusing these creates trouble. A detailed plan is not a strategy. A busy organisation is not necessarily a strategic one. A project delivered on time can still be the wrong project. That is the uncomfortable part people often avoid: good execution does not rescue a bad choice. It just delivers the mistake more efficiently.

Choose what not to do

A useful strategy creates focus. It says yes to some things and no to others. This is where many small organisations struggle, especially charities and mission-led businesses. When the cause matters, every opportunity can feel morally important. Every grant looks tempting. Every partnership seems worth exploring. Every service gap feels like something you should fix.

But saying yes to everything is not generosity. It is strategic self-harm.

A charity that chases every available funding stream may end up running projects that do not fit its mission, confuse staff, exhaust volunteers and make the organisation harder to explain. A small business that copies every competitor may lose the thing that made it distinctive. A team that keeps adding initiatives without stopping anything is not becoming more ambitious. It is building a museum of unfinished intentions.

Strategy requires trade-offs. What will you not do? Which customer or beneficiary will you prioritise? Which projects will you pause? Which “nice idea” does not deserve resources right now?

The strategy is often hidden in the no.

Tools to use

Use to track the main risks, owners and responses.

Use to prioritise what needs attention now and what can simply be monitored.

Risk Severity Matrix

Use to look at financial, people, technical, supplier, stakeholder and compliance risks before the project starts.

Risk Identification Brainstorming Sheet

“Every decision is risky: it is a commitment of present resources to an uncertain and unknown future.” 
— Peter Drucker

Recommended reading & sources

Hillson, D. – Managing Risk in Projects

A practical project risk guide that explains how to identify, assess and respond to uncertainty without turning risk management into empty paperwork.

Project Management Institute – A Guide to the Project Management Body of Knowledge (PMBOK Guide)

A widely used project management reference for understanding how risk fits into planning, scope, time, cost, quality and resources.

AXELOS – Managing Successful Projects with PRINCE2

Useful for simple risk response thinking, especially the basic choices to avoid, reduce, transfer or accept a risk.

Hess, E.D. – “The Risks of Risk Management”

Helpful for understanding why risk processes can become too predictable, and why teams still need judgement, curiosity and uncomfortable questions.

Meredith, J.R., Shafer, S.M. & Mantel, S.J. – Project Management: A Managerial Approach

A solid project management textbook for linking risk to real project constraints, trade-offs and decision-making.

Tummala, V.M.R. and Schoenherr, T. – “Assessing and Managing Risks Using the Supply Chain Risk Management Process”

Useful for thinking about supplier delays, external dependencies and operational risks, especially where small organisations rely on partners or contractors.
