Author: Dr. Elmar Kutsch is Professor of Risk Management, specialising in decision-making under uncertainty and mindful approaches to judgement in complex organisational settings. He serves as a visiting professor at Cranfield School of Management, Warwick Business School, and emlyon business school. His work bridges academic research and professional practice, with a focus on risk management and the application of analytical frameworks in real-world contexts. Alongside his research, he designs and delivers executive education programmes for senior leaders, with an emphasis on practical relevance and reflective decision-making.
Most project-based organisations operate with well-established risk management frameworks. Risks are identified, assessed, and documented in line with recognised standards. Yet projects continue to fail in ways that were foreseeable and, in many cases, already recorded. The issue is not a lack of knowledge. It is a failure to translate that knowledge into timely and effective action.
Evidence from empirical studies (e.g. Bernstein, 1996; Kutsch et al., 2012, 2014) shows that most critical risks are knowable at an early stage. Project teams typically engage seriously with risk identification and produce structured registers. However, as projects move into execution, risk management often loses its operational relevance. It becomes a formal requirement rather than a guide to decision-making. Risks remain visible on paper but are no longer actively managed. The gap, therefore, is not between uncertainty and analysis, but between analysis and response.
What is missing is not additional tools or more refined methodologies, but three interrelated conditions for effective action: sustained engagement, balanced attention, and timely intervention.
First, adequate risk response requires sustained engagement over the life of the project. In practice, there is a gradual drift away from active risk management. While formal processes remain in place, their use becomes symbolic. Risk identification and assessment are completed because they are required, but follow-through is inconsistent. As a result, known risks are neither revisited nor acted upon. Without continuous engagement, risk management cannot influence outcomes.
Second, effective response depends on balanced attention across different types of risk. Managers tend to prioritise risks that are familiar, measurable, and controllable. This creates systematic blind spots. Less tangible risks, such as stakeholder dynamics, behavioural responses, or emerging interdependencies, receive less attention despite their potential impact. Adequate risk response requires deliberate effort to surface and consider these less tractable uncertainties rather than defaulting to what is easiest to manage.
Third, and most critically, adequate risk response requires timely intervention. Even when risks are known and assessed, action is often delayed or avoided. Managers may hesitate to act on risks that have not yet materialised, perceiving early intervention as unnecessary or difficult to justify. In addition, limited authority or resources can discourage proactive behaviour. The result is a preference for waiting, which reduces available options and increases the cost of response when risks eventually materialise.
Taken together, these patterns explain why projects remain vulnerable to risks that were already recognised. Risk management does not fail at the point of identification or analysis. It fails at the point where judgement and action are required.
For practitioners, the implications are clear. Improving risk management is less about refining tools and more about how they are enacted in practice. Risk registers should function as instruments for intervention, not as passive repositories. This requires clear ownership of each significant risk, defined response actions, and disciplined follow-up. Unresolved risks must be escalated rather than allowed to persist without consequence.
Organisations also need to broaden what counts as a relevant risk. This involves creating space for less quantifiable uncertainties and incorporating diverse perspectives to challenge prevailing assumptions. Approaches such as scenario thinking can support this by exploring plausible futures rather than relying solely on measurable probabilities.
Equally important is the legitimisation of early action. Acting before a risk materialises should be recognised as a sign of professional judgement rather than inefficiency. Finally, accountability for risk must be matched with the authority and resources required to respond. Without this alignment, engagement with risk management will remain limited.
Effective risk response depends on closing the gap between knowing and acting. This is not achieved through additional controls, but through ensuring that existing processes are used to inform deliberate, timely, and consequential decisions.
References
Bernstein, P. (1996). The new religion of risk management. Harvard Business Review, 74(2), 47–51.
Kutsch, E., Browning, T. R., & Hall, M. (2014). Bridging the Risk Gap: The Failure of Risk Management in Information Systems Projects. Research Technology Management, 57(2), 26–32.
Kutsch, E., Denyer, D., Hall, M., & Lee-Kelley, E. (Liz). (2012). Does risk matter? Disengagement from risk management practices in information systems projects. European Journal of Information Systems, 22(6), 637–649.