7 barriers to effective risk management

Seven barriers to effective risk managementOver the years, I have noticed a range of barriers that can prevent organisations managing risk effectively. In this article, I have collected together seven of these barriers and discussed both their effect on organisations and how to overcome them.  Examples are presented to illustrate the barriers.

Barrier 1: An institutional culture which put more weight on positive information about the service than on information suggesting there is cause for concern

One of the biggest issues that I have seen over the years is an organisational culture which puts more value on ‘good news’ about the organisation than on information about ‘causes for concern’. Many organisations don’t like to hear that there are potential (or real) problems, and people who raise these problems are viewed as being ‘troublemakers’ or ‘not committed to the organisation’.

The end result is that key risks are not even acknowledged let alone assessed or managed. However, there are typically good reasons why people raise these concerns. Eventually, something does go wrong, and the results of the incident are far worse (in terms of finance, reputation, harm, etc.) than they should have been because the organisation took little or no action to manage the risks.

However, encouraging a culture where people are ‘rewarded’ for raising valid concerns can pay major dividends. The workforce dealing with these issues on a day-to-day basis are in a good position to know when ‘something isn’t right’ and provide advance warning that changes are required.

One organisation that I worked with introduced a ‘near miss’ system and it helped change the culture to one where everyone could point out improvements. After a slow start where there was initial suspicion (in case reporting near-misses was seen as ‘trouble-making’ by management or other workers), the system became accepted, and there were significant increases in the numbers of near misses reported.

Barrier 2: Too great a degree of tolerance of poor standards and of risk

Another of the issues that I have come across over the years is organisations where there is too much tolerance of poor standards and of risk. Many organisations can be dominated by a culture of ‘that’s the way we do things round here’.

In these organisations, it’s unlikely anyone will be challenged for risky behaviour or asked ‘is there a better way we can do this?’. Invariably, poor standards and unmanaged risks will lead to something going wrong.

When it does go wrong, managers and directors may well be found liable for allowing it to happen. An example of this is included in health and safety law in Great Britain(1), where it states that: “Where an offence … committed by a body corporate is proved to have been committed with the consent or connivance of, or to have been attributable to any neglect on the part of, any director, manager, secretary or other similar officer …, he as well as the body corporate shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.”

I saw an effective solution to this issue in an organisation that introduced a culture of challenge to all significant decisions. They found it to be an effective form of risk management. This meant that people were constantly asking questions such as ‘Is this the best way to do it?’ and ‘Can we do it a better way?’.

Barrier 3: Inadequate communications within and between teams, departments and organisations

I suspect that we have all come across organisations where the communications within and between teams, departments and organisations were either poor or they didn’t happen at all. This can happen for a number of reasons including competition between them, distrust of others, poor relations between those running them, etc.

However, this failure to communicate can lead to vital information not being passed to those who need it to manage their risks. This can lead to things going wrong because an organisation was not informed of risks that affected them (e.g. not being told about buried electrical cables on a construction site or a patient needing on a particular medicine).

Communicating information is seen as being so vital to risk management, that the Construction (Design and Management) Regulations in Great Britain(2) have made it a legal duty for organisations working on construction projects to communicate information on risks to other organisations on that project.

Barrier 4: A culture focused on the organisation’s priorities to the detriment of key risks

Organisations have a range of internal factors influencing them including those from regulators, the market, politics and society. These influence the senior managers, who influence other managers and the workers. Those influencing factors that senior managers consider to be most significant (rightly or wrongly) then determine the organisational culture and are a powerful influence on the behaviour of staff at all levels.

Unfortunately, following these priorities can take people’s attention away from fundamental risks that should be managed.

In the Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry(3), Robert Francis QC noted that there were numerous warning signs that should have alerted the system to the problems developing at the trust, but one of the reasons they did not was “A culture focused on doing the system’s business – not that of the patients”. He provides further detail, noting that: “This failure was in part the consequence of allowing a focus on reaching national access targets, achieving financial balance and seeking foundation trust status to be at the cost of delivering acceptable standards of care.”

You can find out more about Mid Staffordshire NHS Foundation Trust on Slide 9 of our free paper Do you understand what factors influence risk in your organisation?.  There, the underlying causes are summarised and mapped onto an organisational risk model.

Barrier 5: Assumptions that monitoring, performance management and corrective action were someone else’s responsibility

Management systems are likely to include requirements for monitoring, performance management and corrective action. Indeed, it is a legal requirement in some sectors.

Whilst there may be requirements for monitoring, performance management and corrective action, people are not always clear whose responsibility it is. It’s fairly common for people to assume it’s someone else’s responsibility. This can result in no one taking responsibility leading to something going wrong.

I have worked with some organisations where they address this barrier by making workers aware that everyone had a responsibility for themselves and others, and could halt work if they considered it unsafe. This was in addition to defining roles and responsibilities formally in the management systems.

Barrier 6: Inadequate training and supervision

Training is aimed at providing people with the skills that they need to do the job, whilst supervision is about providing proactive direction including planning, supporting, correcting inappropriate behaviour and setting an example. In many ways, both are risk management activities. Training helps prevent things going wrong, whilst supervision is there to reinforce training and to make sure that work is carried out in the way intended.

However, both have costs associated with them. Training tends to be one of the first casualties of bad times, whilst the reduction in the level of supervisors has been a constant theme in organisations that I have spoken with over the last 15 years. If people do not have the right skills in the first place and no one is supervising them, it’s no great surprise when things do go wrong.

I have run risk diagnostic workshops in a range of industries over the last 15 years, and training and supervision consistently rank among the most important factors in managing organisational risk.

For me, the organisations involved in the construction of London 2012 represented best practice in risk management(4). There, they had high levels of supervision, and supervisors were trained, and provided daily activity briefings for site workers so that they were aware of what was required of them that day. The level of training was also very high with staff inductions, supplier inductions, daily briefings, and toolbox talks. The construction of London 2012 was completed on time and under budget and, for the first time in the construction of Olympic venues, there were no fatal accidents.

A while back I remember reading a quote that summed up the training issue:

The CFO asked: What if we invest in our people and they leave?

To which the CEO responded: What if we don’t and they stay?

Barrier 7: Management systems that are both deficient and not followed properly

Organisations put significant effort into preparing management systems (for quality, environment, health and safety, etc.). In many cases, these systems are independently audited and accredited.

However, having management systems in place and getting people to implement them effectively are different issues.

When I do expert witness work (as a result of something going wrong), the key things I look at are:

  • What did the regulations require the organisations to do
  • What did the organisations say they were going to do (in their management systems)
  • What did the organisation actually do
  • Were there differences between the previous three points and, if so, what was their role in causing the incident

Typically, there are differences between what organisations are legally required to do and what they say they will do – the management systems are deficient. Even more worrying is that what systems are in place are not followed properly.

Making sure that the management systems are compliant should be relatively straightforward. Getting people to follow them is a harder issue.

In my experience, this is more about changing mindsets and behaviours than audit and compliance.

Scott Keller and Colin Price(5) have developed a helpful model that states: I will change my mindset and behaviours if …

  • I understand what is being asked of me and it makes sense
  • I see that our structures, processes and systems reinforce the change in behaviour I am being asked to make
  • I have the skills and competencies to behave in the new way
  • I see my leaders, colleagues and staff behaving in the new way

Keller and Price’s model best shown as a graphic, and is presented on Slide 20 of our free paper Do you understand what factors influence risk in your organisation?.


In writing about these barriers, I came to the conclusion that leadership is the underpinning theme.  Good leadership can help to overcome these barriers, whilst poor leadership is the cause of many of these barriers.

I would be interested in hearing about other barriers that people have seen.


  1. Health and Safety at Work etc Act, 1974
  2. The Construction (Design and Management) Regulations 2015, UK Statutory Instrument 2015 No. 51
  3. Robert Francis QC: Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry, HMSO, HC 947, February 2013
  4. Mike Webster: ‘The use of CDM 2007 in the London 2012 construction programme’, Proceedings of the Institution of Civil Engineers, Civil Engineering 166, February 2013, Issue CE1, Pages 35–41
  5. Scott Keller and Colin Price, Beyond Performance: How Great Organizations Build Ultimate Competitive Advantage, John Wiley & Sons, 2011

Free download of MPW R&R Organisational Risk Report About the author:

Dr Mike Webster specialises in risk and regulation, and is a chartered engineer with over 30 years’ experience. He has led risk and regulatory projects in the UK, Europe, Far East and US, and has acted as an expert witness in the UK.

He focuses on construction and structural safety, CDM and risk, and founded MPW R&R to provide Consulting, Forensic and Expert Witness services in those areas.

If you would like free access to Mike’s report Do you understand what factors influence risk in your organisation? and the accompanying Organisational Risk Benchmarking Tool click here.

If you would like to discuss this further, drop Mike a line at mike.webster@mpwrandr.co.uk or give him a call on +44 (0) 7969 957471.


7 Comments on “7 barriers to effective risk management

  1. Great article! Thanks for putting it all together in this forum. Seems like such common sense, and it’s amazing how simple it seems but folks just don’t know how to make simple concepts work in the professional environment.

  2. Mike – congratulations on your excellent articulation of a very critical problem, almost everywhere. I have seen it in my working career – and I am seeing it in my consulting career too (sadly).

    I would like to add like tiny bit to your thoughts – you may want to add this to your list too: An extraordinary focus on the form over substance.

    I have seen an organization more preoccupied with the form of a report than its contents – and all my prompting got was “we do it this way since…”!!.

    Kind regards


  3. Daer Mike, great article and so much to the point.
    As a former CRO involved in two global corportions, I would add that “cultural differences” are too often overlooked/ignored as an obstacle. Percpetions of risk vary between cultires, and a company’s risk management strategy may become difficult to roll out, if culture is not being taken into account and respected during the process.
    I’ve been consulting many organisations on that level the last 5 years and can confrim there’s still a long way to go.
    Best regard
    Ferenc KARSAI

  4. Hi Mike

    Great work, and I can see where you are coming from. With regard to health and safety risks, your list of barriers is entirely pertinent. However there is an enterprise risk dynamic that might be worth investigating particularly with regard to points 1 and 4 – and it might help you to understand how you can switch the antithesis into a positive;

    Enterprise risks – unlike H&S risks – can be both threats and opportunities. If you can get past the traditional approach of ‘risk = bad’ and move into a zone where you can relate to the psyche of the first line of play (I use the word play deliberately – the front line of a football or rugby or net ball team is not defence – it is attacking), then you can have a dialogue which engages and excites the front line into really believing that risk management can help them to score more goals and to score them more effectively with assurance.

    OK – take the example of a depot manager who refuses to stop stacking his pallets too high – it causes too much danger (threat), but all he can see is that he is using his storage space more effectively, after all, nothing has ever happened that’s really bad, to his knowledge.

    You tell him to stop. You spout the law to him. He ignores you (sound familiar?). So how do you engage with him so that he recognises you are talking sense and can help him??

    How about exploring with him how he can store EVEN MORE things in his storage area, higher and more effective but in a lower threat way? How about helping him to justify racking and better forklifts in a business case? Now you are talking with him about the opportunity rather than the threat. And you make it a condition of supporting his business case for the capital required, that he will in the meantime reduce the height to a safer level, It’s a win-win.

  5. Great article by a practitioner.

    I also think one of the underlying issues is that of ego (and “face”) of the decision-makers.

    Also, at the board level, in my experience, that risk avoidance is often thought to be the same as risk management, especially when they try and combine risk and audit committees.

  6. Excellent article, I found myself nodding as I read through it. For my the key driver is always leadership, once senior management buy in to managing their risks my task becomes a whole lot easier. That said I agree with all 7 barriers set out in the article.