Considering its importance and business value it is natural that risk management became a matter of interest in numerous research projects and surveys last years. The resulting picture shows the emerging strategic discipline, particularly weighty in the context of significant changes in business environment witnessed last decade or so. Sources of these changes are first of all: globalization, enormously competitive business attitude, extraordinary accumulation of natural disasters, terrorist attacks and similar events. All that results in unusual increase of business risk, observed by researchers and practitioners as well - the phenomenon shown in all research papers and surveys touching this subject [e.g. Christopher M. et al. 2002, Supply Risk Increasing While the Market Stands Still 2007, Understanding Supply Chain Risk 2006, Companies on Risk 2006, Stemming the Rising Tide of Supply Chain Risk 2008]. At least half of organizations treats risk as a high priority issue [Supply Risk Increasing While the Market Stands Still 2007], but enterprise risk management as a full-fledged element of business strategy is still quite a young discipline and as such - far from being ultimately developed. Those, who determined to initiate that process, struck plenty of difficulties and problems to cope with. Nevertheless, a growing number of organizations decide to implement adequate (accordingly to available knowledge and possibilities) processes and procedures, expecting not only significant improvement in business safety and stability [Supply Risk Increasing While the Market Stands Still 2007], but also to gain remarkable profits in various business areas. Among these potential advantages most frequently quoted are increased competitiveness, better protected or even enhanced reputation, also improvement in decision taking processes, better customer service, and other issues [Enterprise Risk Management 2004, Best Practice in Risk Management 2007]. Even greater is number of enterprises where risk management system is not initiated yet, but planned within next few years [Enterprise Risk Management 2004].

Fig. 1. Limitations to risk management process
Rys. 1. Ograniczenia procesu zarządzania ryzykiem

As each real process, risk management is in practice conditioned by many determinants of much differentiated nature. Being a consequence of the above mentioned external circumstances, procedural imperfections or resulting from the subjective weaknesses in human's activities - they may create substantial obstacles in the implementation of the entire process. The basic knowledge of these barriers may appear to be essential for the successful risk management performance.

The first group of such limitations - frequently leading to adversity in implementation of risk management process - arises from the poor awareness of risk itself, still typical for the staff, but also for managers, including even board members. According to The Economist's report from 2007 [Best Practice in Risk Management 2007], this is the most important factor to the success of risk management. Surprisingly often executive officers do not realize what a variety of risks they may face in business and what are the standard ways to successfully cope with them. Then the intuitional and reactive approach to risk management is still much more common [The Supply Chain Management Benchmark Report 2005] (esp. in small and middle enterprises) than organized, holistic systems.

As a result, insurances and contingency plans are continuingly most typical practiced forms of risk treatment, whereas much more effective are obviously preventive, proactive actions aiming in risk reduction or other than insurance forms of risk transfer (outsourcing or contractual regulations). The essence of risk is uncertainty, so proactive approach is substantially reasonable when thinking on potential loss avoidance, whatever the nature of risk impact is supposed to be.

Any disturbance in the core business process, any extraordinary event disrupting the supply chain performance may appear to be the origin of a crisis. The characteristic feature of critical situations in business is that the staffs as well as executive officers are mostly surprised by that fact. This observation displays nothing more but the consequence of the low awareness of what are the risk and risk management, indeed.

On the other hand, low awareness results also in a limited determination in the implementation process of risk management, moreover, also in the position of risk management in the strategy of the enterprise. As it is emphasized by numerous authors, the key to the success in risk management is that process must be firmly embedded in the general enterprise strategy and should be managed from the top (board) level. Having that condition not fulfilled, the whole affair is doomed to failure.

The next group of barriers is of internal character and exists due to weaknesses of the risk management process itself. These imperfections are mostly the consequence of the still early stage of development of risk management discipline. Typical for such situations is lack of unique, commonly approved and established paradigm of risk management. There are many concepts, lots of proposals how the risk management process should be optimally designed and managed. They differ not only in the applied terminology or risk categorization patterns, but also conceptually, emphasizing different aspects of the process, its position in the company's strategy, suggested organization, distribution of competencies, decisions empowering etc. It seems that nowadays the developed concept of Enterprise Risk Management is gaining growing acceptance, but even here we face different approaches and versions - as COSO Integrated framework, Australian or British standards, AIRMIC guidelines and others. Such a diversity of views requires advanced and substantial experience from the people responsible for the issue, what is not always the case.

Very often - as a "first step" or substitute solution - the implementation of risk management is limited to selected functions [Enterprise Risk Management 2004], or appointed areas of company's activities only, instead of the comprehensive, holistic system. In such case we cannot recognize it as risk management process, being an integral element of strategy, of course, and than missing the aim should not surprise.

Considerable problems may arise also from the situation, when risk management is designed as process separated from the core activities of the enterprise, is a kind of overlay to other processes - with its own, independent structures, staff and organization. If so, we must expect significant difficulties in communication and collaboration between the engaged people, and risk management process becomes very likely to be treated as an obstacle, not support to core processes in gaining common targets. Obviously, some competent and rationally positioned professionals (as risk manager) are absolutely necessary here - to design, organize, implement, coordinate and supervise the risk management process - but the functions must be distributed and realized by the staff responsible for the basic processes.

Somehow obvious limitation results from the commonly accepted principle, that risk management procedures shouldn't disturb the core processes of the enterprise. This principle should not be understood as a barrier in selecting risk treatment actions - frequently the necessary condition of risk mitigation is to introduce sometimes essential changes in existing processes and procedures.

Third major group of substantial limitations is generated by personal and technical barriers. Lack of skills is pointed in The Economist's report as one of greatest barriers to the effective management of risk [Best Practice in Risk Management 2007]. Similar observations may be found in other surveys [e.g. Taking Risk on Board 2005]. Practically, educational systems do not provide professionals in risk management in any country. Only in few of them appropriate specialized courses are available. The problem of low risk awareness mentioned above is the direct consequence of almost absolute absence of risk related subjects in educational programmes at economical, technical, and even business high schools, universities and colleges. If any, they are mostly limited to financial aspects and what we call "financial/insurance approach" - they consider such risk categories as credit risk, currency risk, investment risks or other categories of rather insurable threats, but do not the holistic view. The previously cited results of surveys underline lack of skilled professionals as one of major problems in the implementation of risk management.

Another difficulty is related to the tools and techniques available for risk management purposes, mainly at risk assessment and analysis stage. Generally speaking, lack of appropriate tools is repeatedly pointed as major obstacle in risk management efforts [7, The 8, 9]. But the problem is more complex here. Doing this job, we have to deal with a variety of risks, which must be described, "measured", and analysed. "To measure" means here to describe risk magnitude, its possible impact value and likehood that it will materialize - in practical dimension that is to realize, what real threat is related to each particular risk category. Two main approaches - and consequently - two types of methods, tools and techniques may be applied here: quantitative and qualitative ones [10]. The first approach obviously provides more accurate results, but requires data and measures of the same accuracy, what is mostly rather difficult to collect. Such techniques need application of advanced analytical methods (mostly from probability mathematics) - whereas this is not the very typical competence of industrial staff (personal barrier again). Moreover, when discussing likehood of risk, the sense of this term is rather clear and makes no problem, but this is never more the case with the risk impact. The purpose of risk analysis and assessment is (roughly speaking) to make foundations for later decisions re. risk treatment. The necessary condition for rational decisions here is to have all risks /threats prioritized. That means we must have possibility of comparison - answering, which risk is more or less dangerous from its possible impact point of view. Using quantitative tools we may compare what is expressed in the same units - so how to compare the possible risk impact of financial loss with that of employee´s death, or company's reputation harm, lose of the sole supplier etc.?

This is why in risk management practice qualitative approach is much more in common use. Qualifying risk (both, its likehood and impact as well) as negligible, small, considerable, serious or catastrophic (for example) - we may avoid the a.m. problems. However, what we loose is not only precision and clearness, but also the analycity. The ultimate result of risk assessment and analysis is therefore a kind of static picture, photography of state of threats. Business is a dynamic process and requires dynamic analysis - parameters and tools used should enable managers to observe the results of actions and to follow changes. In risk management concepts we meet such terms as "risk tolerance' or "risk appetite", related to the general level of risk which may be accepted by the organization. These ideas are potentially very interesting and useful in strategic decisions taking, but have (except some areas of investments and finances) no practical importance - as long, as we are not able to provide their good, analyzable definitions. And this is rather impossible within the qualitative framework.

Some other sources of limitations in risk management process may be also added. An example may be the cost barrier, or rather renitency in spending money on protecting the company against something uncertain, what may be never happens. Each additional cost seems to be doubtful, alike risk management actions. That is another reason, why implementation of risk management requires significant conviction and even determination.

What is interesting, very often restraints to making risk management integral with overall business strategy are of purely subjective character. According to the Lloyd's survey of 2005 [Taking Risk on Board 2005], two major obstacles (pointed by about half of respondents) were competition with other priorities and fear of creating a risk-averse and bureaucratic culture. Another report, made by The Economist in 2007 [Best Practice in Risk Management 2007] as number one obstacle shows lack of time and resources.

The limitations existing in risk management practice become even more complicated when passing to the supply chain level. This perspective requires outstandingly advanced collaboration, where single enterprise - remaining independent - must take into account targets common for the entire supply chain, and risks specific for the chain as well [Christopher M. et al. 2002]. Their mitigation needs perfectly coordinated actions, but also extraordinary visibility supported by smooth and open information flow. In many cases this is not easy [Taking Risk on Board 2005], as enterprises protecting their independency are rather temperate in exhibiting their weaknesses or vulnerabilities. Serious obstacles may result also from misunderstanding what the supply chain risk management is indeed, or from weak approval for common values and aims. What is in a way normal, however very dangerous, is limited loyalness and fidelity of partners - quite often enterprise operates for many, frequently competing chains, so conflict of interests and priorities is sometimes unavoidable. Another characteristic barrier in supply chain risk management, identical with one of the main supply chain specific risks - is the lack of one owner [Christopher M. et al. 2002]. However - considered as risk category it makes a kind of warning on possible consequences of problems in supply chain related decision taking, whereas simultaneously it creates a strong obstacle in risk management process itself.

Fig. 2. Sources of limitations in supply chain risk management
Rys. 2. Źródła ograniczeń w zarządzaniu ryzykiem w obrębie łańcucha dostaw

There is no much practical experience in supply chain management itself, even less with the supply chain risk management so far, but strong belief exists, that the positive influence of risk management onto supply chain performance - including its competitiveness - makes it a business imperative of growing importance nowadays.

All the variety and diversified nature of limitations in risk management show how complex that process is. Some of them will disappear when this part of enterprise strategy become matured, but we have to consider these barriers as existing feature of risk management and learn to cope with them. As for the entire process - the very fundamental awareness of limitations is of great importance here and conditions the final results.