I A Nicer Mr (anag.)

I had the rug pulled from under me in a recent workshop – by a Chief Risk Officer. In full flow, and in front of the CRO and his leadership team, I was explaining how we could thread risk management and controls into the operational fabric of the organization by embedding RACI within the core business processes.

“Stop!” said the CRO. “We don’t want RACI. No-one understands it”. He paused. “I don’t!”.

There was a moment’s silence as the room took in what the corporate director for risk management for this global business had just said.

He looked at me, standing at the whiteboard: “Go on then… What’s the difference between Responsible and Accountable?”.

And of course, at this point, as the room turned for my fluent and authoritative response, it all went squidgy. I blathered something plausible, which he rightly pounced on: “See! And we’re supposed to be the experts. What hope is there for everyone else?”.

It was an eye-opening moment. I’d always assumed – no-one I’d ever met had questioned it – that RACI was universally understood and useful.

I’ve come to see though that he’s right, or at least on to something important.

For a start, there’s no single definition of RACI. Wikipedia lists two competing RACI definitions – that’s aside from the traditional definition of Responsible-Accountable-Consulted-Informed – as well as a long list of similar responsibility assignment matrices (RASCI, RASI, PASCI, CAIRO and others).

Friends too confirm the confusion that they’ve seen. One – ex Big 4, now a Finance Transformation director – argued that most people find RACI confusing:

“It’s almost always isolated from everything else as well, so it becomes a theoretical exercise instead of a project driver. I doubt whether many RACIs are ever updated after the first approved version.”

As it happens, my tormentor CRO did agree in the end to adopt RACI embedded within the core business processes – but against a promise that it would be deployed in a way that provided easy clarification for users at the point-of-use.

Which seems to me to be the happy ending. Good governance demands clarity. The widely-adopted COSO framework for risk management, for example, stresses that it is vital at all levels of an organization, and highlights embedding in operational reality as one of its seven keys to success in risk management:

“A key to success is linking or embedding the Enterprise Risk Management (ERM) process into the core business processes and structures of the organization.”

My take-away is that RACI, or some variant of it, may be incredibly useful in making clear roles and responsibilities, especially when it’s live because it’s embedded within a common enterprise-wide process management platform. But I’ll never again assume that it’s understood. It always has to be explained – simply and at the point of use.


PS it’s an anagram of ‘RACI in ERM’. I’m slowly learning how to do the Times crossword 🙂

Risk Intelligence and Smart Compliance

Hat tip to Deloitte, whose new book Enterprise Compliance: The Risk Intelligent Approach acknowledges some truths too often neglected:

“In the real world, ownership of compliance tends to disappear only a few layers deep into the organizational chart, becoming less visible the further you move away from core compliance functions and roles such as the Chief Compliance Officer. As a result, employees may be performing compliance-related activities every day without knowing the potential consequences of not executing them properly.

Just as important, when processes are updated, or workarounds are put in place, critical compliance tasks may be inadvertently eliminated without anyone understanding the impact on compliance risk.

Pushing responsibilities closer to the front lines of the business can make the overall process of compliance more efficient and less painful, but it can also bring new headaches without adequate planning.

One of the leading ways to avoid the unintended consequences that can come from changing responsibilities is to start with a complete picture of how compliance works in an organization. It can be difficult, but the confusion and risks of operating without such an understanding can be even more painful. From there, make sure people know what they are expected to do and why, and provide them with the incentives they need to stay on track.”

In other words, any intelligent approach to risk management has to start with an enterprise-wide perspective. And it has to be real – supporting the front line of the business – not simply an abstract or representation of operational reality created for compliance purposes.

It’s what a good process management platform enables. Get it right and the result can be the cultural shift which Deloitte is calling for – one in which ‘Compliance is not just another box in need of checking but is simply part of how business gets done’.


Process And The New World Of Risk Management

This week’s report from Deloitte and Forbes, Aftershock: Adjusting To The New World of Risk Management, maps the changing landscape in enterprise risk management (ERM).

ERM is now a C-Suite issue according to the 192 execs surveyed. But ERM effectiveness depends upon company-wide engagement. In the words of one CFO quoted in the report:

“There is always a concern that if you set up a large ERM team, they somehow own risk. It can’t work that way. People that manage the day-to-day business need to own risk”.

It’s worth noting – and some visionary Nimbus clients are already moving in this direction – that many of the top ERM challenges identified in the survey are addressed directly by a business process management platform.
