I said in an earlier piece that a risk register is mostly theatre, and I meant it. But that line invites an obvious question, and it is worth answering properly rather than leaving it as a provocation. If the register is not risk management, then what is? A World Cup is the best place I know to find the answer, because at that scale the pretend version of risk management gets people killed, and everyone involved knows it.
So let me try to describe what serious risk management actually looks like, using the one event where there is no room to fake it.
The difference between a list and a readiness
Here is the distinction the whole subject turns on. A risk register is a list of things that might go wrong. Readiness is the state of being able to cope when one of them does. They feel related. They are almost completely separate.
You can have an immaculate register — every threat identified, scored, colour-coded, owner assigned — and be utterly unready, because not one of those entries changed what you would actually do at 3am when the thing happened. And you can have a thin register and be genuinely ready, because the handful of real threats have been rehearsed until the response is muscle memory.
A World Cup is forced onto the second path. Consider what the 2026 organisers are actually planning against: extreme summer heat across the southern venues, thunderstorms, a broadcast feed failing in front of a global audience, a transport network buckling, a security incident, a stadium losing power. Writing those down achieves nothing. What achieves something is the standby generator that is tested, the second venue that is contracted, the evacuation plan that has been walked through, the medical surge capacity that exists before it is needed. Readiness is expensive and physical. A register is cheap and notional. That is precisely why so many organisations prefer the register.
You cannot prepare for everything, so prepare for the right things
The instinct, faced with a huge event, is to try to anticipate every possible failure. It is a doomed instinct, and the good risk people abandon it early.
The number of things that could theoretically go wrong at a tournament across sixteen cities is effectively infinite. You will never list them all, and the effort to try produces a register so vast that nobody reads it, which is worse than useless because it looks like diligence. The discipline is the opposite of comprehensiveness. It is ruthless triage: which failures are both plausible and severe enough to genuinely threaten the outcome, and which of those can we actually do something about?
That last clause matters more than people admit. Some risks are catastrophic and entirely outside your control, and the honest response to those is not a mitigation plan but a contingency — what we do after, not how we prevent. Others are mundane and within your control, and those deserve real money and real preparation. The skill is telling the two apart and not wasting your finite preparation budget on the wrong category. A risk process that treats every entry as equally deserving of attention is not managing risk. It is performing fairness.
The risks that hide in the seams
There is a particular kind of risk that the 2026 tournament makes vivid, and that ordinary projects consistently miss. The dangerous failures rarely sit inside a single team’s work. They hide in the seams between teams.
Think about a tournament spread across three countries. A team’s equipment clears customs late on one border, so it misses a connection, so it arrives at a venue after the window for a required safety check, so a session is cancelled. No single party failed. Each did their job. The failure lived entirely in the handoffs between them — the place no one owns and everyone assumes someone else is watching. The 2026 format, with its borders and time zones and continental distances, is essentially a machine for generating seam risks.
This is the risk that registers are worst at capturing, because registers are usually organised by team or by function, and the seam belongs to no team and no function. The good risk people spend a disproportionate amount of time on the joins — the handoffs, the dependencies, the moments where one party’s output becomes another’s input. On any project of real complexity, that is where the failures you didn’t see coming actually come from.
Contingency is not pessimism
There is a cultural resistance to serious contingency planning, and it is worth naming. Planning thoroughly for failure can feel like inviting it, or like a lack of confidence in the plan. On some teams it is quietly discouraged as negativity.
A World Cup cannot afford that squeamishness. The organisers plan in detail for the match that cannot be played, the venue that becomes unavailable, the failure of systems they have every reason to expect will work. Not because they expect catastrophe, but because the cost of being unready for it is unbearable when a billion people are watching. Contingency planning is not pessimism. It is the confidence to look directly at what could go wrong without flinching, precisely because you have decided in advance what you would do.
The teams I have trusted most over the years were the ones that could discuss their own potential failures calmly, in detail, without anyone getting defensive. That calm is not a personality trait. It is the product of having done the contingency work, so that the prospect of failure is a managed scenario rather than an unspoken fear.
What to take from it
You do not need a tournament to apply any of this. The principles travel down to any project carrying real consequence:
Stop confusing the register with the readiness. The list is the easy ten percent. The preparation is the other ninety, and it costs money and effort the list never does.
Triage honestly. You cannot prepare for everything, so decide which failures are plausible, severe, and actionable — and pour your preparation there. Treat the rest as contingencies, not preventions.
Watch the seams. The failures that surprise you almost always live in the handoffs between teams, in the spaces no one owns. Spend your attention there.
Plan for failure without flinching. The ability to discuss what could go wrong, calmly and specifically, is a sign of a strong team, not a worried one.
Risk management at World Cup scale is not a darker, heavier version of the spreadsheet on your project. It is a different activity altogether — physical, expensive, focused, and largely invisible until the night it saves you. Most projects never find out whether their risk management was real, because the bad night never comes. A World Cup finds out every time.
This piece pairs with What the FIFA World Cup Teaches Us About Project Management and The Governance Behind the FIFA World Cup.
Ben Webb is a Sydney-based project leader and former Australian Project Manager of the Year, sharing practical lessons from major projects, events and complex stakeholder environments.
Leave a Reply