How To Lose Your RAG With Risk

Neil Kingston
Oct 18, 2019


The risk matrix: does this help or hinder?

I wince, it is that pained moment yet again. It’s the sponsor meeting and a project manager is sitting there running Susan the project sponsor through the project status report. The red and amber risks and issues come up for discussion. As the project manager explains the red risks, Sue’s eyes glaze over. Sue is told that the project is red because there is a risk that forecast completion cost will go $10 over the approved $500k budget. Part of me dies inside, again. And yet another project manager walks out of the room really thinking they’re doing the right thing while losing total credibility with their sponsor.

My story highlights a behavioural problem I see with many PMs.

Over the years I’ve seen these problems so many times that I came to the following conclusion: the textbook theory of risk and issue evaluation and reporting is fine, but the behaviours of practitioners are not. I had to do something about the behaviours. So, I tried something different and I want to share that experience with you.

Going back to the problem: all too often the written rules of assigning a red, amber or green rating to risk are ignored and replaced with these unstated rules:

RED = Houston, there is a problem. I want lots of attention. You definitely can’t blame me for not telling you.

AMBER = CYA. Cover Your Ass. Something might go wrong. I don’t want all the attention that a red risk will get as I’ll get asked questions. So I’ll go to the amber reporting safety zone. The sponsor is drowning in all the spurious red ones I raised, and life is short. But if the risk materialises then I can say I told you so.

GREEN = There is no problem. So, why raise it? Stupid question. I don’t.

Good change professionals know that for a risk or issue to be brought to the direct attention of the sponsor or higher it should resonate as being material. If it isn’t material then they don’t need to know.

The way that most organisations try to articulate materiality starts with the corporate risk policy. Corporate risks are defined as a risk to the financial stability of the organisation. Boards approve corporate risk policy. This translates to a list of risk categories, and the need to evaluate risk likelihood versus risk impact to derive risk quantification. We usually end up with some kind of matrix and this is where the red, amber and green tends to creep in. RAG was meant as a visual aid.

The functional units within the organisation are instructed to bubble up newly found corporate risks so each one keeps a local risk log. Often a PMO will set about defining the different levels of impact and likelihood.

But incredibly few risks on change initiatives such as projects or product development are corporate risks. Most risks on change initiatives are relatively short-lived and very rarely threaten the financial stability of the organisation. So, why drive the administration and reporting of change risks into the same structures as corporate risk? Is the overhead worth it? How about educating change professionals on corporate risk and having an exception procedure to handle them? That allows us to find a way of reporting our change risks in a manner that encourages the right thought process and behaviours.

Back to those colours. Red, amber, and green. They are driving some seriously bad behaviours and a lot of overhead handling them. I’d be more accepting of those bad behaviours if they only came from people that didn’t know any better. But I see them from people professionally qualified with project and product certifications, and often with many years of experience.

So, when I was the head of a PMO in a medium-sized enterprise, I did the following: changed the reporting standards to abolish RAG ratings on risk and issue logs. Instead, risk and issue materiality were described by the most senior level of management that needed to know.

Current Risk

1. Board needs to know
2. CEO needs to know
3. Sponsor needs to know
4. Team needs to know
5. Nobody needs to know

Residual Risk (once risk treatment plan enacted)

1. Board needs to know
2. CEO needs to know
3. Sponsor needs to know
4. Team needs to know
5. Nobody needs to know

The implementation of this caused a change in behaviour within the PM community, but not immediately. At first, those PMs that had been abusing RAG status instead chose high options on the list like ‘CEO needs to know’. My response to them was “So you think the CEO needs to know. Okay, are you lining up a meeting with her? And what are you going to say?” It confronted them. They realised that they’d have to take some time out of a CEO’s day and say something that resonated. The PMs considered how important the risk was, what really needed to be done about it, and why it needed the attention of somebody so senior. They usually reduced their risk rating.

It was also revealing. How many project and product managers do you know that understand a Board’s function and operations and what Board members need to know? Likewise, how many project and product managers do you know that understand what the CEO does and needs to know? Same question about sponsors. I think the answer is few.

The quality of conversation within the team rose because there was more interest in what people in different roles within the organisation find important and why, and a greater understanding of how businesses operate. Education levels went up. The PMO saw the aggregate risk profile skew away from high-rated risk.

My conclusion is that losing the RAG from project and change initiative risk evaluations is a good thing. There are better ways to express materiality of a risk that drive the right behaviours, improve business awareness, and reduce overhead.

Neil Kingston

I’ve led technology change in dot com boom Xtreme programming teams, process-centred blue chip projects, and now product led small company delivery