All projects need some degree of risk attention—there's always something that could go wrong, no matter how small the project. What determines the depth and extent of the effort is this: how big is the scope and complexity of the project, and what is known and unknown in that landscape? The scale and complexity matter because by definition they increase the chance for unknowns. The scaling of risk assessment and risk mitigation planning must be
geared to adequately tackle those unknowns.
If you have a project that is similar to a prior effort and has a short duration, there are few unknowns, so there is likely limited risk. A quick risk assessment should still be done, however, including everyone on your small team. Even a small project can be victim of sudden resource shortages, for example, so even if the project itself has few unknowns, the company environment could impact the project. As with any risk, what will the team do if that risk rears its head? What can the team do to mitigate it—such as having extra discussions with functional managers about why this project won't make it on time if resources are pulled, and getting a commitment to not make other assignments to these team members until this short project is over.
The amount of time spent on assessment and mitigation planning increases with the complexity of the project work and the degree of uncertainty about what it will take to implement all the project requirements. Large projects simply have more ground to cover—more areas to assess, more chances for risks between components of the project.
Another driver of risk is looking at what the project is developing and asking, "Have we done anything like this before?" For example, greater risk assessment and mitigation planning would be required if the company decided to develop a new application for the Mac operating system market, when all that had been previously developed was for the PC platform. The less experience a company or team has with the actual "subject matter" or content of the project, the more unknowns are lurking.
Risk assessment should not, of course, just review the technical domain, but should include all other project areas—resources (human and materials), customer and market trends, budget, facilities, etc,—as necessary to foresee any issue which might impact the planned effort.
As to managing risks throughout the project, the larger and more complex the project and/or the more unknowns, the longer the list of risks the team will have to monitor. No matter what the size of your project, if there's a risk, mitigation of that risk should be planned for, and then monitored—to make sure any actions to reduce it are actually being taken, to watch for its occurrence and take action, and to decide to move to a backup plan if necessary. Larger projects simply have more of these to monitor!
See our Product and Project Risk Assessment and Mitigation Tables for different tools for investigating risks, including how to rate the "unknowns" associated with taking on a project in a new domain area. See our Risk Management Model for a worksheet showing a wide variety of areas to assess a project against, to make sure you're not missing an area of possible risk on your project.