Here’s a hard truth: It doesn’t matter how well-designed your risk management program is. What matters is whether you execute the necessary components of that program, and that’s where many organizations struggle.

Following a risk assessment, a CIO might get excited about developing the most comprehensive risk management program the company has ever seen. And, while that’s a worthy goal, it’s useless if there’s no clear-cut plan to implement it.

That’s where the RACI Matrix comes in.

Why use a RACI Matrix?

While a RACI Matrix could help any project, it’s especially helpful for risk management programs. Why? Well, the risk assessment process can be difficult, and the risk management process can be even more arduous.

Two huge problems with the risk assessment process are:

  1. Difficulty engaging stakeholders who need to participate.
  2. Often, nothing happens after the assessment.

But, before knowing how a RACI Matrix can increase stakeholder engagement and drive employee action, it’s important you understand exactly what a RACI Matrix is.

What’s a RACI Matrix?

A RACI Matrix is a chart that defines roles for specific projects. Here’s what each letter represents:

Responsible: The person who will be held responsible for the completion of the task.

Accountable: The person who must oversee the completion of the task.

Consulted: The person (or people) providing advice or guidance on the task.

Informed: Those who must be informed when the task is completed.

Let’s consider an example: After performing a risk assessment, John, the CIO at XYZ company, decides he wants to implement a new software patching procedure. Here’s how that implementation would break down in a RACI Matrix.

  1. Responsibility goes to the Technical Writer responsible for writing the new procedure.
  2. Accountability is placed on John, the CIO, since the project’s completion ultimately falls under his jurisdiction.
  3. Consulted are members of the IT Team, so the Technical Writer can ensure he is writing the procedure accurately.
  4. Informed is the CEO and anyone responsible for implementing the new procedure (like the IT Team).

Referring back to our common problems with risk assessments, here’s the simple reason a RACI Matrix can work wonders for your risk management program: It clearly assigns responsibility for specific aspects of a project. This eliminates the confusion and finger-pointing that come with loosely defined roles in any project.

But, clearly assigning responsibility and defining roles serves no purpose if employees don’t buy into what you’re doing, right? So, how do you drive employee action with a RACI Matrix? Make them part of the decision process.

Creation of a RACI Matrix is not a task to be completed in a vacuum. Make your employees part of the process. Let them decide what their roles in projects will be. If they come to the decision on their own, they’ll be more likely to view themselves as legitimately involved parties and complete what’s necessary for the project.

How to create a RACI Matrix

One of the best things about a RACI Matrix is that it’s simple. You don’t need to spend a week learning how to use or create one. This is a tool you can start using today to bring more clarity and productivity to your organization.

First, find the results of your most recent risk assessment and analyze them. Ask which risks were identified and how you are addressing them. Examine the specific risk mitigation strategies you decided on during the risk assessment process. Then ask which of these still need to be implemented.

Next, talk to the employees who need to be involved in the implementation of those risk-mitigating controls. Break the project down into parts. After that, find a RACI Matrix template. If the RACI Matrix is new to you, choose a simple template so that you can start using it quickly. Your goal with initial implementation should not be to create the most comprehensive matrix ever but to create a framework that provides clarity around projects.

Finally, use the Matrix to identify individual employee roles in the projects. (Remember: make employees a part of this process to increase their engagement.) Ask the following questions:

  • Who is responsible for implementation?
  • Who is accountable for the task’s completion?
  • Who needs to be consulted during the process?
  • Who should be informed when the project is complete?

A RACI Matrix is a simple way to increase clarity and employee participation in your risk management process. While risk assessments can be complicated, they don’t have to be—especially if you use BALLAST. It’s designed to streamline the assessment process so that you can spend less time assessing risks and more time actually keeping your organization safe. Contact our team for more information!

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.