Why documenting threats is not the same as deciding how much risk you are willing to take If you ask most SME leaders whether they "manage risk", the answer is usually yes. There will be a spreadsheet somewhere. A quarterly discussion. Detailed risk assessments with colour codes—green, amber, red. A list of "top risks" reviewed during management meetings. But here's the uncomfortable truth: Documenting risks is not the same as deciding how much risk you are prepared to take.