Beyond Traditional Risk Management: Closing the Gaps in Critical Risk Programs

If your organisation relies solely on a traditional risk management approach to handle critical risks, there’s a good chance you’re missing something. While conventional processes can identify and manage risks effectively, they often leave gaps and blind spots that expose organisations to serious incidents.

In this article, we’ll explore how critical risk management typically works, where its limitations lie, and how adopting a matrix-based view can strengthen your overall risk control strategy.

The Traditional Critical Risk Management Process

A standard critical risk management process generally follows a vertical pathway:

  1. Broad Brush Risk Assessment (Identification)
    This first step is about identifying critical risks – the ones that have the potential for severe or catastrophic outcomes. This process filters out lower-level risks so teams can focus on what really matters.
  2. Detailed Risk Assessment (Analysis)
    Once critical risks are identified, each is examined in detail using methods such as bow-tie analysis. Examples of critical risks include:
    • Falling from height
    • Fire or explosion
    • Vehicle loss of control
    The purpose is to understand how each event could occur, what its consequences might be, and what controls exist to prevent or mitigate it. Through this, critical controls are identified.
  3. Control Implementation and Management (Execution)
    Organisations then establish:
    • Critical control performance standards
    • Critical control verification programs (CCVs)
    • Procedures and management plans
    This ensures that controls are not only in place but are actively verified and improved through field checks, data analysis, and feedback loops.

For many organisations, getting this far is a significant achievement. However, even when done well, this approach can still leave systemic weaknesses unaddressed.

The Gaps in a Vertical-Only Approach

The problem with treating risks as isolated vertical pathways is that underlying systems often cut across multiple risks. These are foundation systems that, if weak, can undermine several critical control areas at once.

Consider emergency management. Whether the risk involves fire, a fall from height, or a vehicle incident, the effectiveness of your emergency response system will influence outcomes in every case.

Similarly, change management or contractor management failures can be common contributing factors across different risk types. If these foundational processes fail, they can trigger or exacerbate incidents in any area.

This is where process safety principles become vital. As seen in high-hazard industries, process safety identifies around 14 foundational systems (for example, emergency response, maintenance, training, change management) that underpin all risk management efforts.

Learning from History: Common Failure Modes

Dr. Michael Quinlan’s book “Ten Pathways to Death and Disaster” examines historical industrial incidents and identifies recurring failure modes — the same systemic weaknesses that repeatedly lead to serious events.

Common examples include:

  • Maintenance failures — poor asset management or deferred maintenance
  • Failures in risk assessment — superficial or outdated risk evaluations
  • Audit and verification failures — lack of follow-through on findings
  • Ignoring alarms or warnings — breakdowns in operational discipline

These aren’t always visible in standard bow-tie analyses, but they represent cross-cutting vulnerabilities that can appear anywhere if not actively managed.

Building a Matrix View: Vertical Meets Horizontal

The opportunity for improvement lies in moving from a vertical-only risk view to a matrix-based approach, where foundational systems and historical failure modes intersect with individual risk pathways.

In this matrix:

  • The vertical axis represents specific critical risks (e.g. fire, working at height, vehicle interaction).
  • The horizontal axis represents foundational systems and organisational factors (e.g. change management, emergency response, maintenance strategy).

By examining the intersections, organisations can identify:

  • Hidden dependencies
  • Systemic weaknesses
  • Overlaps in control effectiveness

This integrated perspective helps ensure that critical controls are not only present but supported by robust systems that make them effective across the board.

Final Thoughts

Reaching maturity in critical risk management takes time and effort. Many organisations are still refining their vertical processes, and that’s a great start. But to truly excel, we need to look beyond the vertical and incorporate these cross-system learnings into our strategies.

By combining traditional critical risk management with systemic and historical insights, organisations can build more resilient, adaptive, and effective safety programs and reduce the chance of becoming another case study in what went wrong.
