Risk
Most managers in small Irish businesses and charities know the word risk mainly through the panicky version of it, the sleepless 3am thought, the WhatsApp message at the weekend, the funder asking for a "risk register" you don't quite have. But risk, in the project management sense, is something tamer. It's the systematic study of what could go wrong (and what could go unexpectedly right) so that fewer things actually do. This page is about turning that fuzzy anxiety into something you can name, rank, and act on.
Why it matters
A worry is something that nags at you. A problem is something that has already happened. A risk sits between the two: an event that hasn't happened yet, might or might not happen, and would matter if it did. Project management treats risks as the central currency of planning, because every project is, by definition, an attempt to do something that hasn't been done in exactly that way before. The whole craft is about making the unknown a little less unknown.
For Irish SMEs and charities the stakes are unusually concentrated. A team of five doesn't have the bench depth of a team of fifty. One key supplier's collapse, one ransomware email opened by an exhausted volunteer, one funding cycle missed: these are not minor wobbles, they're potentially terminal. Yet the same lean structure that makes risk dangerous is also what makes formal risk management feel unaffordable. The trick is doing risk well cheaply, which is mostly about discipline and conversation rather than fancy software.
Core concepts
Modern risk management rests on a few ideas that are stable across frameworks. The international standard ISO 31000:2018 defines risk as "the effect of uncertainty on objectives", a deliberately neutral phrase that captures both threats and opportunities (ISO, 2018). David Hillson, widely known as the Risk Doctor, reframes this more memorably as "uncertainty that matters" (Hillson, 2019). Notice the two halves: it has to be uncertain (not yet certain to happen) and it has to matter (capable of affecting your objectives). A meteor strike is uncertain but, day-to-day, doesn't matter; tomorrow's commute matters but isn't very uncertain. Risks live in the overlap.
The standard process, drawn from ISO 31000 and the Project Management Institute's Standard for Risk Management in Portfolios, Programs, and Projects, runs in five repeating moves: identify the risks, analyse them (how likely, how severe?), evaluate which deserve attention, treat them, and monitor whether your treatments are working (PMI, 2019; ISO, 2018). Underneath those moves sit eight ISO principles: risk management should be integrated, structured, customised, inclusive, dynamic, evidence-based, attentive to human factors, and continually improved (ISO, 2018). For a small organisation, customised is the principle that earns its keep: a five-person charity does not need a forty-tab spreadsheet.
A useful way to sort risks before you treat them comes from Robert Kaplan and Anette Mikes' Harvard Business Review article Managing Risks: A New Framework. They argue that organisations habitually lump everything into one register and then apply the same compliance-style controls. That's a mistake, because risks come in three qualitatively different kinds. Preventable risks arise from inside the organisation (employee error, fraud, operational mistakes) and should be driven as close to zero as possible through rules and training. Strategy risks are taken on deliberately in pursuit of returns (entering a new market, launching a programme) and need open debate, not rules. External risks lie beyond the organisation's control (a recession, a pandemic, a regulatory shift) and need scenario thinking and resilience rather than prevention (Kaplan and Mikes, 2012). A register that treats all three the same is a register that misleads its readers.
The practical artefact most teams end up with is the risk register itself, usually a simple table: a description of each risk, its likelihood, its impact, the resulting exposure, the owner, and the planned response. Hillson identifies four standard responses to threats (avoid, transfer, mitigate, accept) and a parallel set for opportunities (exploit, share, enhance, accept) (Hillson, 2009). The point of the register isn't the document; it's the conversation that produces it.
The Irish context
The most expensive case study in modern Irish risk management is the Health Service Executive ransomware attack of May 2021. A phishing email opened on a single workstation in March allowed the Russia-linked Conti group to move laterally through the network, deploy malware, and on 14 May trigger a ransomware payload that shut down the HSE's national IT systems (HSE, 2024). A subsequent PwC review found a "frail" IT estate with unpatched computers, outdated antivirus, and a level of cybersecurity maturity that had been known to be low for years and had nonetheless been allowed to persist (Irish Times, 2024). The direct cost was estimated at €102 million, with the Comptroller and Auditor General warning that a further €657 million would be needed over seven years for security upgrades (RTÉ, 2025). Nearly 91,000 people had personal data accessed.
The HSE case is dramatic because the HSE is huge, but the risk profile is not unique to large state bodies. The 2025 SME Cyber Resilience report, produced by Munster Technological University with the National Cyber Security Centre, scored Irish SMEs at an average of just 3.3 out of 10 on cyber resilience, with most lacking formal incident response plans, regular backups, or multi-factor authentication (MTU and NCSC, 2025). PwC's 2025 Digital Trust Insights survey put it more sharply still: only around 28% of Irish organisations describe their cyber resilience as robust (PwC Ireland, 2024). The gap between knowing risks exist and being prepared for them is wide, and it sits squarely in the lap of small organisations that assume, wrongly, that they're too obscure to be a target.
For charities the regulatory pressure is more explicit. The Charities Governance Code, which all registered Irish charities must comply with annually, dedicates its fourth principle, Exercising Control, to identifying legal, financial, and operational risks and putting controls in place to manage them (Charities Regulator, 2018). Trustees are personally accountable. The Wheel and the Charities Regulator both publish dedicated guidance on financial controls, safeguarding, and crisis management (The Wheel, 2024; Charities Regulator, 2024). What's notable for small charities is that the Code is explicitly proportionate: a volunteer-led organisation isn't expected to have a dedicated risk officer, but it is expected to have had the conversation, made decisions, and written them down.
Common pitfalls
Three patterns quietly sink small organisations. The first is risk theatre: producing a register because a funder asked for it, then never opening it again. A live register is reviewed at every board or management meeting; a dead one is a Word document last edited the day before the audit. The second is anchoring on the dramatic. Teams under-rate boring, frequent risks (a key staffer leaving, a payroll error, an expired insurance policy) and over-rate cinematic ones (a flood, a scandal in the press). Hillson calls this risk myopia (Hillson, 2014). Most failed projects die from accumulated paper cuts, not single dramatic blows. The third is ignoring opportunities. Both ISO 31000 and PMI explicitly include positive uncertainty in the definition of risk, but in practice most registers list only threats. A team that never asks "what could go unexpectedly well, and how would we ride that wave?" leaves real value on the table.
Watch / Listen / Read
Watch: How good are you at calculating risk? by Gerd Gigerenzer (TED-Ed, ~5 min). A short, sharp lesson on the difference between absolute and relative risk, and why most of us misread the numbers we're given. Available at https://www.ted.com/talks/gerd_gigerenzer_how_good_are_you_at_calculating_risk.
Listen: Managing Risk, an episode of PMI's Projectified® podcast featuring Dr David Hillson and Mohamad ElHelaly. Hillson, a PMI Fellow and author of more than a dozen books on risk, explains how to think about risks for which there's no historical playbook. Available at https://www.pmi.org/learning/training-development/projectified-podcast/podcasts/managing-risk.
Read: Kaplan, R.S. and Mikes, A. (2012) 'Managing Risks: A New Framework', Harvard Business Review, 90(6), pp. 48–60. The three-category model (preventable, strategy, external) and why one register can't cover all three. Available at https://hbr.org/2012/06/managing-risks-a-new-framework.
Quick quiz
1. ISO 31000 defines risk as the effect of uncertainty on what?
2. In the Kaplan and Mikes framework, into which three categories should risks be sorted?
3. Which principle of the Irish Charities Governance Code most directly addresses risk management?
4. Name two of the four standard responses to a threat in PMI's risk methodology.
5. Roughly what share of Irish organisations described their cyber resilience as "robust" in PwC's 2025 Digital Trust Insights survey?
Answers: (1) Objectives. (2) Preventable, strategy, external. (3) Principle 4, Exercising Control. (4) Any two of: avoid, transfer, mitigate, accept. (5) Around 28%, or less than one in three.
References
Charities Regulator (2018) Charities Governance Code. Dublin: Charities Regulator. Available at: https://www.charitiesregulator.ie/en/information-for-charities/charities-governance-code (Accessed: 27 April 2026).
Charities Regulator (2024) Guidance documents for charity trustees. Available at: https://www.charitiesregulator.ie/en/information-for-charities/guidance-documents (Accessed: 27 April 2026).
Hillson, D. (2009) Managing Risk in Projects. Farnham: Gower.
Hillson, D. (2014) The Risk Doctor's Cures for Common Risk Ailments. Vienna, VA: Management Concepts.
Hillson, D. (2019) Capturing Upside Risk: Finding and Managing Opportunities in Projects. Boca Raton, FL: Taylor & Francis.
Health Service Executive (2024) Cyber-attack and HSE response. Available at: https://www2.hse.ie/services/cyber-attack/what-happened/ (Accessed: 27 April 2026).
International Organization for Standardization (2018) ISO 31000:2018 Risk management: Guidelines. Geneva: ISO.
Irish Times (2024) 'HSE cyber attack: More than 470 legal proceedings issued against health service after ransomware hit', 14 May. Available at: https://www.irishtimes.com/health/2024/05/14/hse-cyber-attack-more-than-470-legal-proceedings-issued-against-health-service-after-ransomware-hit/ (Accessed: 27 April 2026).
Kaplan, R.S. and Mikes, A. (2012) 'Managing Risks: A New Framework', Harvard Business Review, 90(6), pp. 48–60.
Munster Technological University and National Cyber Security Centre (2025) SME Cyber Resilience: State of the Sector 2025. Cork: MTU. Available at: https://cybersafety.ie/wp-content/uploads/2025/12/SME-Cyber-Resilience-State-of-the-Sector-2025.pdf (Accessed: 27 April 2026).
Project Management Institute (2019) The Standard for Risk Management in Portfolios, Programs, and Projects. Newtown Square, PA: PMI.
PwC Ireland (2024) 2025 Digital Trust Insights, Ireland findings. Available at: https://www.pwc.ie/media-centre/press-releases/2024/global-digital-trust-insight-survey.html (Accessed: 27 April 2026).
RTÉ News (2025) 'HSE offering €750 compensation to cyberattack victims', 9 December. Available at: https://www.rte.ie/news/ireland/2025/1209/1548056-hse-cyberattack-compensation/ (Accessed: 27 April 2026).
The Wheel (2024) Charities Regulator: guidance and resources. Available at: https://www.wheel.ie/advice-guidance/managing-your-organisation/regulation/charities-regulator (Accessed: 27 April 2026).