Any engagement in large organisations will certainly entail exposure to RAG (Red-Amber-Green) ratings. They are the ubiquitous risk management tool; indeed, I would argue that in a large proportion of organisations producing a set of RAG ratings is wholly equated with risk management.
The three primary places that RAG ratings appear are: 'Project Assessments', intended to identify factors that might confer risk on a potential project; 'Programme Boards', that manage an organisational portfolio of projects; and 'Risk and Assurance Committees', that provide oversight of organisational risk and the integrity of the controls that the organisation has in place.
Fairly obviously however, simply possessing a gaily coloured spreadsheet (perhaps additionally decorated with likelihood, impact, inherent and post-mitigation assessments) does little to actively manage risks and can, in fact, lead to a set of damaging mistakes.
In what follows I will briefly set out 10 key mistakes, and how these mistakes arise, so that you can spot and - hopefully - avoid them.
Mistake 1:
RAG rating becomes a 'governance industry'. The paperwork takes primacy over the analysis with ever more elaborate lists that preserve the appearance of risk management but not the actuality.
Mistake 2:
Project assessments are necessarily prospective and analytical; they are part of a creative process of option development. Programme boards are intended to monitor progress and manage the allocation of resources. Risk and assurance committees are tasked with ensuring that a light is being shone on the risks to the overall organisational mission and that these risks are understood and controlled. The mindset and approach required for each of these is not the same, and the expected distribution of risks and the associated risk management stance must necessarily differ. Applying the same method across all three settings is misleading and often unhelpful.
Mistake 3:
RAG ratings tend to distract attention. The focus moves to the colour, and the mechanics of scoring, rather than to a properly nuanced discussion of the risk itself. Real risks are usually multidimensional. Often the mitigations receive insufficient attention, and particularly the likelihood that the mitigation will be effective. The overly structured character of a ratings-led approach inhibits the more important conversations about dependencies and systemic factors. The danger is that a tool intended to aid clarity ends up narrowing the discussion.
Mistake 4:
RAG ratings, particularly those accompanied by lots of numbers, imply a degree of objectivity, and often disguise the level of confidence. There is little benchmarking and retrospective scrutiny is rare. At worst RAG ratings are 'gamed'. The most common pattern is that risks are suppressed or downgraded until such a point at which a threshold is passed and the only available mitigation is additional project resource. This undermines trust in the system and reduces the incentive to escalate risks early.
Mistake 5:
In principle RAG ratings should be subject to a common interpretation. In reality this is not the case. Many organisations have RAG 'drift' with a growing tolerance of red and red-amber risks. Because killing or 're-chartering' projects is rarely contemplated (but should in fact be routine) projects get an early amber rating as the underlying complexity of the task is discovered, bump along at amber, and then have little choice but to move to red as they run close to their unrealistic effort or resource budget. The rating therefore reflects project politics as much as project reality.
Mistake 6:
RAG ratings are a snapshot, but this, of course, does not really give a complete picture of the nature of the risk. Is it moving in a positive or negative direction, and how rapidly? Is the risk unpredictable, or out of control? Risk trajectories, flightpaths or profiles are helpful in this regard. The problem, however, is that a diminution of the risk is always just one meeting away. Without trend information, risk ratings are misleadingly static.
Mistake 7:
RAG ratings tend to break down when risks manifest. The articulation between risk management and decision-making is rarely clear. Many so-called red risks are not 'risks' in any meaningful sense; they are ongoing operational management problems, and the structures and controls that need to be applied have little to do with risk management. Confusing risks with issues creates poor accountability.
Mistake 8:
RAG schemes often fail to clearly distinguish between exogenous risks, whose source is outside the organisation's control, and endogenous risks, which arise from within the organisation: people, processes, systems and governance. Mixing these up can be very misleading, as the controls and mitigative strategies are different in scope and kind. Separating these categories is essential for a coherent response.
Mistake 9:
Risk appetites vary, and a positive feature of risk management practice is an open discussion of the willingness of the organisation to assume risks in the pursuit of the organisational mission. The problem is that whilst it makes sense to consider the risk appetite this cannot really be achieved without grounding it in organisational strategy. If, as is often the case, the strategy comprises a set of ungrounded goals and aspirations, then the risk appetite is simply documenting the earnest desire that nothing too bad happens because that would be 'intolerable'. Risk appetite only has meaning if linked to clear strategic choices.
Mistake 10:
Inevitably, red risks get the attention and, without active work, risk management can become a process of firefighting. Meanwhile, the overall organisational risk accumulated in the 'early ambers' gets ignored. This neglect of aggregated medium-level risks is one of the most common precursors to systemic failure.
Armed with this knowledge I hope you might enjoy your next risk management meeting (even if your colleagues do not)!
You could add (at the risk of making it 11 mistakes) the issue of focus. Far too often the risks relate to new projects and it is assumed that the status quo is not itself a risk. Rarely is the risk of doing the "same old stuff" properly assessed and, as a result, the costs involved in managing what you already do are taken for granted. Sometimes doing nothing presents a much greater risk (and cost).
Anthony
Thought provoking and a great challenge to the ongoing review of our change portfolio. We need honest, transparent reporting together with consistent application. Mistake 10 particularly resonates - agree that we need to give far more attention to the "ambers", in particular to their direction of travel. Should serve as an early warning sign for attention, providing the opportunity to avoid the firefighting caused by neglect… or denial. Aggregation of risk: the perennial challenge.