Small Grants Guide cover image

Chapter 8: What could go wrong? Risk management

Chapter contents

8a. Planning for what can go wrong as you design your project

Projects, like most aspects of life, are shaped by uncertain events. A saying common among project development professionals describes the importance of considering uncertainty in project design: If your project does not manage uncertainty, uncertainty will manage your project. In other words, to a certain degree your project’s success or failure will depend on its ability to manage uncertainty. Managing uncertainty is a key consideration for funders in evaluating project proposals, and so it is the focus of this chapter.

Uncertain factors or elements that could affect a project are referred to as risks. Project-relevant risks come in two basic types. The first type is uncertain events or conditions that, if they occur, have an effect1These effects can be negative (threats) or positive (opportunities), but our primary focus here is on the risks that could negatively affect the achievement of the project’s objectives. on the project’s ability to achieve its objectives (risks to the project). The second type is ways that the project could negatively impact the people and place where the project is being implemented (risks caused by the project). More simply, risks can be thought of as things that could go wrong. Risks can occur at any time during the project.

What is risk management?

Risk management is a systematic process of identifying, analyzing, and responding to both types of project risk. It can be thought of as the process of efficiently and effectively managing the uncertainties associated with a project. In all cases, project funders will expect you to consider risks that might affect your project and plan for managing those risks.

In general, it is best to deal with risks at the design stage of the project, as you have more flexibility at this stage and it is much less expensive to address risks before they actually occur. This is why funders are so attentive to risk management in project proposals. In many cases, you can address a risk simply by changing the design of the project. As you move from the design stage into implementation, your ability to manage risk generally decreases, and the costs of managing risks tend to increase. In other words, preventative risk-management strategies tend to cost less than reactive risk management.

In many cases, funders have standard policies and procedures for managing risks caused by projects. This is particularly true for small grants mechanisms funded by the GCF and the Adaptation Fund, as these grant programs have to follow the requirements of the donor who provides their funds. Safeguards are policies designed to ensure that funded projects have minimal negative impact on ecosystems, people (including indigenous people, women, PWDs, migrants, minorities, and children), cultural resources, and so forth. Screenings are tools used to review project ideas and concepts to determine what, if any, measures need to be taken to address these potentially negative impacts. Screenings are done to ensure that projects are in compliance with all safeguards.

Your funder’s safeguards policies and screening tools will most likely be described in the application package. In addition to the funder’s screening tools, you should also try to anticipate additional risks to your project. The main purpose of the safeguards and screenings is to prevent negative impacts from being caused by the project; safeguards and screenings normally do not address risks to the project.

The types of outside risk that may affect a project vary depending on a wide range of factors, including the size of the project (both in terms of budget and scope of activities), the location of the project, the types of activities to be undertaken, the way the project is implemented, and the stakeholders involved in the project’s implementation. Some projects have more risks than others. For example, projects that involve construction generally have more risks than projects that focus solely on capacity development or institutional strengthening.2Projects that involve construction and similar activities are often referred to as “hard” projects, whereas those that involve capacity development, institutional strengthening, policy/regulatory work, curriculum design, extension services, and similar activities are “soft” projects.

How to address risk

Along these lines, how risks are managed depends on the nature of the risk; different risks may be handled in different ways. Some common ways of addressing risks include:

  • Avoid: This involves eliminating the cause of the risk. In the case of small grants, the project should be designed in a way that avoids most risks.
  • Mitigate: This involves taking measures that reduce either the probability that the risk will occur or the impact if it does occur. Mitigation reduces the severity of the risk, but does not remove the risk.
  • Transfer: This involves transferring the risk to a third party who will deal with the impact if the risk occurs. Risk transfer is not normally applicable to small grants, but a good example of a risk transfer mechanism is insurance.
  • Accept: Accepting a risk requires no action. This approach is used when the severity of the risk is very low or when the costs of avoiding, mitigating, or transferring the risk would be greater than the costs of the risk if it were to occur.

As noted above, the approach to managing risks depends on the nature of the risk, but for small grants, it is usually best to avoid as many risks as possible.

Do not avoid discussing risks or ignore risks in developing your proposal. Sometimes there is a temptation to think that if risks are brought up in the proposal, then it will hurt the chances of the project being funded. However, in most cases, the funder will already have a good idea about the types of risks associated with your proposal. So if you do not bring them up and address them in the proposal, it is likely that it will negatively affect the chances of your project being funded.

Back to top

8b. Risk management for your project

This section provides step-by-step guidance on how to incorporate effective risk management into your project’s design. The steps described below will help you to rigorously consider risks that could realistically affect your project, which will help you to design a more fundable and more effective project. Note that not all of the steps will be included in your proposal document, but they are all necessary for effectively identifying and addressing risks. Example questions and evaluation criteria from project templates include:

  • Describe any major challenges/risks to the achievement of the project outcomes.
  • Provide a risk assessment for the project with details of how risks will be managed and monitored to ensure that the likelihood of risks remain low. Detail in the recovery plan how you would deal with any problems that are likely to occur.
  • Does the applicant demonstrate a solid understanding of the challenges/risks for the achievement of the project goals?

Step 1: Follow the funder’s risk-management procedures

As noted above, in some cases the funder has in place safeguards and screening procedures to avoid projects that pose unacceptable risks. These screening procedures often include a tool or checklist which is designed to “screen out” certain types of projects that the funder will not support. If your funder has these procedures in place, as a first step you should apply the screening tool to your project concept. If your project “triggers,” or activates, any of the safeguards, you will most likely need to change the design of your project so that the safeguard no longer applies. Most checklists consist of simple yes/no questions and are modeled after the requirements of either the Green Climate Fund or the Adaptation Fund, which themselves are based on global best-practices. Some examples include:

  • Would the project adversely affect the development priorities of indigenous peoples as defined by them?
  • Would the project activities pose risks to endangered species?
  • Is there a risk that the project would lead to forced evictions?
  • Will the proposed project involve the application of pesticides that have a negative effect on the environment or human health?

Checklists may contain as many as 50 questions similar to these. In general, your answer to each of these questions should be “no.” If you answer “yes” to any of the questions it will most likely disqualify your proposal from consideration. It is generally good practice to be familiar with the environmental and social safeguards requirements of your prospective funder before designing your project. However, for most small grants projects these safeguards are seldom triggered. As a general rule, it’s a good idea to avoid projects that involve large amounts of excavation, are implemented in marine or terrestrial protected areas or cultural sites, require the acquisition of land, or would involve fertilizers, pesticides, or other chemicals. In some cases, the funder may provide an “exclusion list,” which is a list of project types that will not be funded.3For example, see the International Finance Corporation’s exclusion list at https://www.ifc.org/wps/wcm/connect/topics_ext_content/ifc_external_corporate_site/sustainability-at-ifc/company-resources/ifcexclusionlist.

Step 2: Identify risks

The next step is to identify all of the risks that might reasonably affect the achievements of your project’s objectives.4It is important to recognize up front that you will likely not be able to identify all possible risks, nor do you need to. Focus on the risks that might reasonably be expected. The systematic listing of all the possible risks that could affect the project is often referred to as the risk register. The risk register starts with identification of specific risks. For each identified risk, a risk statement should include three elements:

  • Cause: This is the process or factor that creates the risk.
  • Event: This is the risk that is created by the cause.
  • Impact: This is the positive or negative effect that the risk could have on achieving the project’s objectives.

Risk statements should be formed as conditional (“if-then”) statements, as in the example below. In this example we are identifying risks to a project that involves distributing climate-resilient taro plants to farmers on Palm Island:

  • Cause: If farmers are unaware of the cultivation techniques for new seed varieties
  • Event: Then farmers may plant the seeds at inappropriate times and locations
  • Impact: Which may lead to decreased yield for the new varieties

Just like every other aspect of project design that has been discussed in this guidebook, risk identification requires good information and a solid evidence base. Several tools can be used to identify risks, including brainstorming, stakeholder consultations, and consultations with experts and with people who have implemented similar projects in your target area or elsewhere.

Types of risk. When you are thinking about risks, it helps to consider four general types of risks:

  • Risks associated with the project location/context. These include factors associated with the local economy, physical geography, politics, or social and cultural factors. These types of risks vary from place to place.
  • Risks associated with the project’s stakeholders. Are the project’s beneficiaries aware of the project and do they approve of the project?
  • Risks associated with the organization(s)/agency(ies) that are implementing the project and their partners/subcontractors. Does the organization have the capability to carry out all of the project’s activities? Does the organization have the capacity to manage the project effectively, efficiently, and in a transparent and accountable manner?
  • Risks associated with the project’s design. These include analyzing the stakeholder map and the assumptions. Are the timelines for the project’s activities, outputs, and outcomes reasonable? Are the budget estimates realistic? Are there hidden costs that have not been accounted for? Are the assumptions about project sustainability realistic? Can all the supplies and expertise that are required for project implementation be obtained reliably?

Step 3: Determine the likelihood of each risk

An important part of analyzing each risk is to determine the likelihood of it occurring. Risk likelihood is generally assessed on a scale that ranges from “low” to “high”. Different funding agencies may have a different number of intervening steps between low and high (e.g., “medium low,” “medium high”).5The Micronesia Conservation Trust uses a 5-point scale, whereas the Environmental Investment Fund of Namibia uses a 7-point scale. For example, the GEF generally uses the following four-point scale with associated numerical values:

  • High risk: Probability greater than 75%
  • Substantial risk: Probability between 51–75%
  • Modest risk: Probability between 26–50%
  • Low risk: Probability up to 25%

If your chosen funder has a scale, use it. If not, you can use your own scale; just remember to explain what the various categories mean. Remember that your probability rating should be based on some form of evidence or expert judgement. For example, if you are proposing a mangrove planting project, and one of the risks that you have identified is a typhoon destroying or damaging the mangrove seedlings, you may look at how frequently typhoons have occurred in the past and base your probability rating on these statistics.6It is clear that climate change may alter the frequency and severity of severe events such as typhoons in the future, but a significant change is not likely to happen over the short term during which your project will be implemented, so in this case it is best to look at past experiences. This information can then be added to the risk register you developed in Step 2, as in the following example:

“If there is a typhoon then the mangrove seedlings may be disturbed or destroyed, which would decrease the effectiveness and coverage of the mangrove barrier. Based on the past 20 years of weather data, the project area experiences a direct hit from a typhoon once every 12 years. So the probability of this risk is ‘low’.”

Step 4: Determine the impact of the risks if they occur

The next step is to determine the impacts of each risk if it indeed happens. Impacts, like probability of occurrence, are usually rated according to a scale, and so if your funder has a scale, use it. If the funder does not provide a scale, you can use your own, but be sure to be clear about what the different impact levels mean. An example of an impact rating scale that can be used to guide your own work follows:

  • Critical impact: The event would cause project failure.
  • Major impact: The event would cause major cost/schedule overruns and would affect the number/degree/amount of activities, outputs, and outcomes.
  • Moderate impact: The event would cause moderate cost/schedule overruns, but would not affect the activities, outputs, and/or outcomes.
  • Minor impact: The event would cause only minor cost/schedule overruns.
  • Insignificant impact: The event would have no significant impact on the project.

Determining the impact of risk events takes expert judgement and experience, and so it is a good idea to consult with experts and community members for information on the impacts of certain risks. Impacts should also be described in terms of the project’s activities, outputs, and outcomes. Once you have determined the impact, this information can be added to the risk register (see Step 6 for an example of a typical risk register), as in the following example:

“If there is a typhoon, then the mangrove seedlings may be disturbed or destroyed, which would decrease the effectiveness and coverage of the mangrove barrier. Based on the past 20 years of weather data, the project area experiences a direct hit from a typhoon once every 12 years, and so the probability of this risk is ‘low’. However, the establishment of a mangrove barrier is one of three primary outputs of this project, and so damage or destruction of the seedlings would have a major impact on the project’s objectives.”

Step 5: Determine severity of risks and prioritize

Once you have estimated the probability and impact of the risk, you can combine these two measures to determine its severity. This allows you to prioritize the potential risks to your project and determine the appropriate course of action for dealing with each. Risks need to be prioritized because the resources for managing them are limited. In most cases, a risk rating matrix is used, as in the example below.

Probability / ImpactsInsignificantMinorModerateMajorCritical
Almost certainLowMediumHighSevereSevere
LikelyLowMediumMediumHighSevere
PossibleLowLowMediumHighSevere
UnlikelyLowLowLowMediumHigh
RareLowLowLowMediumHigh
Risk rating matrix used by Micronesia Conservation Trust for screening project proposals. Note that both the probability and impact scales are accompanied by descriptions of each rating level which are not included here.

According to this matrix, the risk of a typhoon to our mangrove planting project has a rare-unlikely likelihood, but a major impact. This means that the risk is rated as medium severity. As noted, the risk rating matrix helps us to determine what actions to take for each of the risks. The specific action to take depends on the judgement of the project developer, but in general the different levels of severity correspond to the following types of action:

  • Low severity: In most cases no action is required. The risk should be monitored during implementation to ensure that it does not become worse.
  • Medium severity: These risks should be addressed through modification of the project design to avoid or mitigate the risk. This can be accomplished by introducing new activities to address the risk, or by changing the timing, location, or other relevant aspects of the at-risk activity.
  • High severity: These types of risks are serious threats to the achievement of the project’s objectives and in most cases require a redesign of the project to avoid and/or mitigate the risk. This may involve changing the location of the project.
  • Severe severity: These types of risks are sometimes referred to as “project killer” risks. If your project design includes these kinds of risks, the project is not likely to be funded.

Step 6: Respond to risks

The last step is to respond to the risks you have identified. As noted in Step 5, each level of risk requires a different type of response. Responding to risks may involve changing the project design or adding new activities and/or outputs. Be sure that your risk management measures are incorporated into the budget, procurement, and timelines of your project if necessary. The goal of your risk management measures should be to lower the severity of the risk.

The output of this step depends on the funder you are approaching. Some application templates ask for a narrative (written out in words) description of the risks and risk management procedures. Others might ask you to develop a table that describes the risk, likelihood, impact, and response measure as in the example below.

RiskLikelihood/ImpactSeverityResponseSeverity After Response
A direct strike by a typhoon damages or destroys the mangrove seedlingsLow/MajorMediumPlantings will be scheduled at the end of typhoon season so the seedlings have the maximum time to take rootLow

As you can see, a mitigation response has been selected for this risk. This particular measure lowers the severity of the risk so that it no longer threatens the project. Another option might be to avoid the risk by moving the activity to a location that is less susceptible to damage from typhoons.

Back to top

8c. Conclusion

All projects face uncertainties that may affect their ability to achieve their objectives. In general, funders prefer to minimize risks in projects. All other things being equal, funders will choose to fund proposals with lower risks or proposals that have identified all reasonable risks and have taken steps to manage them.7It is common to see statements such as “preference is given to proposals in which risks are manageable and with suitable mitigation measures”.

Before starting the process of designing a project proposal, it is a good idea to consider risks that might affect the project. Thinking about risks before you design your project will help you to select a project that is less risky. Then, by following the steps described in this chapter, you will be able to effectively identify, analyze, and respond to any risks that may affect your project. This will enable you to develop a more effective project and also to submit a proposal that is more likely to be funded.

Back to top