7 barriers to effective risk management
Over the years, I have noticed a range of barriers that can prevent organisations managing risk effectively. In this article, I have collected together seven of these barriers and discussed both their effect on organisations and how to overcome them. Examples are presented to illustrate the barriers.
Barrier 1: An institutional culture which put more weight on positive information about the service than on information suggesting there is cause for concern
One of the biggest issues that I have seen over the years is an organisational culture which puts more value on ‘good news’ about the organisation than on information about ‘causes for concern’. Many organisations don’t like to hear that there are potential (or real) problems, and people who raise these problems are viewed as being ‘troublemakers’ or ‘not committed to the organisation’.
The end result is that key risks are not even acknowledged let alone assessed or managed. However, there are typically good reasons why people raise these concerns. Eventually, something does go wrong, and the results of the incident are far worse (in terms of finance, reputation, harm, etc.) than they should have been because the organisation took little or no action to manage the risks.
However, encouraging a culture where people are ‘rewarded’ for raising valid concerns can pay major dividends. The workforce dealing with these issues on a day-to-day basis are in a good position to know when ‘something isn’t right’ and provide advance warning that changes are required.
One organisation that I worked with introduced a ‘near miss’ system and it helped change the culture to one where everyone could point out improvements. After a slow start where there was initial suspicion (in case reporting near-misses was seen as ‘trouble-making’ by management or other workers), the system became accepted, and there were significant increases in the numbers of near misses reported.
Barrier 2: Too great a degree of tolerance of poor standards and of risk
Another of the issues that I have come across over the years is organisations where there is too much tolerance of poor standards and of risk. Many organisations can be dominated by a culture of ‘that’s the way we do things round here’.
In these organisations, it’s unlikely anyone will be challenged for risky behaviour or asked ‘is there a better way we can do this?’. Invariably, poor standards and unmanaged risks will lead to something going wrong.
When it does go wrong, managers and directors may well be found liable for allowing it to happen. An example of this is included in health and safety law in Great Britain(1), where it states that: “Where an offence … committed by a body corporate is proved to have been committed with the consent or connivance of, or to have been attributable to any neglect on the part of, any director, manager, secretary or other similar officer …, he as well as the body corporate shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.”
I saw an effective solution to this issue in an organisation that introduced a culture of challenge to all significant decisions. They found it to be an effective form of risk management. This meant that people were constantly asking questions such as ‘Is this the best way to do it?’ and ‘Can we do it a better way?’.
Barrier 3: Inadequate communications within and between teams, departments and organisations
I suspect that we have all come across organisations where the communications within and between teams, departments and organisations were either poor or they didn’t happen at all. This can happen for a number of reasons including competition between them, distrust of others, poor relations between those running them, etc.
However, this failure to communicate can lead to vital information not being passed to those who need it to manage their risks. This can lead to things going wrong because an organisation was not informed of risks that affected them (e.g. not being told about buried electrical cables on a construction site or a patient needing on a particular medicine).
Communicating information is seen as being so vital to risk management, that the Construction (Design and Management) Regulations in Great Britain(2) have made it a legal duty for organisations working on construction projects to communicate information on risks to other organisations on that project.
Barrier 4: A culture focused on the organisation’s priorities to the detriment of key risks
Organisations have a range of internal factors influencing them including those from regulators, the market, politics and society. These influence the senior managers, who influence other managers and the workers. Those influencing factors that senior managers consider to be most significant (rightly or wrongly) then determine the organisational culture and are a powerful influence on the behaviour of staff at all levels.
Unfortunately, following these priorities can take people’s attention away from fundamental risks that should be managed.
In the Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry(3), Robert Francis QC noted that there were numerous warning signs that should have alerted the system to the problems developing at the trust, but one of the reasons they did not was “A culture focused on doing the system’s business – not that of the patients”. He provides further detail, noting that: “This failure was in part the consequence of allowing a focus on reaching national access targets, achieving financial balance and seeking foundation trust status to be at the cost of delivering acceptable standards of care.”
You can find out more about Mid Staffordshire NHS Foundation Trust on Slide 9 of our free paper Do you understand what factors influence risk in your organisation?. There, the underlying causes are summarised and mapped onto an organisational risk model.
Barrier 5: Assumptions that monitoring, performance management and corrective action were someone else’s responsibility
Management systems are likely to include requirements for monitoring, performance management and corrective action. Indeed, it is a legal requirement in some sectors.
Whilst there may be requirements for monitoring, performance management and corrective action, people are not always clear whose responsibility it is. It’s fairly common for people to assume it’s someone else’s responsibility. This can result in no one taking responsibility leading to something going wrong.
I have worked with some organisations where they address this barrier by making workers aware that everyone had a responsibility for themselves and others, and could halt work if they considered it unsafe. This was in addition to defining roles and responsibilities formally in the management systems.
Barrier 6: Inadequate training and supervision
Training is aimed at providing people with the skills that they need to do the job, whilst supervision is about providing proactive direction including planning, supporting, correcting inappropriate behaviour and setting an example. In many ways, both are risk management activities. Training helps prevent things going wrong, whilst supervision is there to reinforce training and to make sure that work is carried out in the way intended.
However, both have costs associated with them. Training tends to be one of the first casualties of bad times, whilst the reduction in the level of supervisors has been a constant theme in organisations that I have spoken with over the last 15 years. If people do not have the right skills in the first place and no one is supervising them, it’s no great surprise when things do go wrong.
I have run risk diagnostic workshops in a range of industries over the last 15 years, and training and supervision consistently rank among the most important factors in managing organisational risk.
For me, the organisations involved in the construction of London 2012 represented best practice in risk management(4). There, they had high levels of supervision, and supervisors were trained, and provided daily activity briefings for site workers so that they were aware of what was required of them that day. The level of training was also very high with staff inductions, supplier inductions, daily briefings, and toolbox talks. The construction of London 2012 was completed on time and under budget and, for the first time in the construction of Olympic venues, there were no fatal accidents.
A while back I remember reading a quote that summed up the training issue:
The CFO asked: What if we invest in our people and they leave?
To which the CEO responded: What if we don’t and they stay?
Barrier 7: Management systems that are both deficient and not followed properly
Organisations put significant effort into preparing management systems (for quality, environment, health and safety, etc.). In many cases, these systems are independently audited and accredited.
However, having management systems in place and getting people to implement them effectively are different issues.
When I do expert witness work (as a result of something going wrong), the key things I look at are:
- What did the regulations require the organisations to do
- What did the organisations say they were going to do (in their management systems)
- What did the organisation actually do
- Were there differences between the previous three points and, if so, what was their role in causing the incident
Typically, there are differences between what organisations are legally required to do and what they say they will do – the management systems are deficient. Even more worrying is that what systems are in place are not followed properly.
Making sure that the management systems are compliant should be relatively straightforward. Getting people to follow them is a harder issue.
In my experience, this is more about changing mindsets and behaviours than audit and compliance.
Scott Keller and Colin Price(5) have developed a helpful model that states: I will change my mindset and behaviours if …
- I understand what is being asked of me and it makes sense
- I see that our structures, processes and systems reinforce the change in behaviour I am being asked to make
- I have the skills and competencies to behave in the new way
- I see my leaders, colleagues and staff behaving in the new way
Keller and Price’s model best shown as a graphic, and is presented on Slide 20 of our free paper Do you understand what factors influence risk in your organisation?.
In writing about these barriers, I came to the conclusion that leadership is the underpinning theme. Good leadership can help to overcome these barriers, whilst poor leadership is the cause of many of these barriers.
I would be interested in hearing about other barriers that people have seen.
- Health and Safety at Work etc Act, 1974
- The Construction (Design and Management) Regulations 2015, UK Statutory Instrument 2015 No. 51
- Robert Francis QC: Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry, HMSO, HC 947, February 2013
- Mike Webster: ‘The use of CDM 2007 in the London 2012 construction programme’, Proceedings of the Institution of Civil Engineers, Civil Engineering 166, February 2013, Issue CE1, Pages 35–41
- Scott Keller and Colin Price, Beyond Performance: How Great Organizations Build Ultimate Competitive Advantage, John Wiley & Sons, 2011
Dr Mike Webster specialises in risk and regulation, and is a chartered engineer with over 30 years’ experience. He has led risk and regulatory projects in the UK, Europe, Far East and US, and has acted as an expert witness in the UK.
If you would like free access to Mike’s report Do you understand what factors influence risk in your organisation? and the accompanying Organisational Risk Benchmarking Tool click here.
If you would like to discuss this further, drop Mike a line at email@example.com or give him a call on +44 (0) 7969 957471.