Week 31: The RACI Matrix

In the course of writing these weekly articles, Walter Buyu and I have briefly mentioned, a few times, the need to have “Roles and Responsibilities”. This was the case for An Introduction to IAM, Incident Response, Business Continuity & Disaster Recovery, and Data Lifecycle Management.

And, though we mentioned it in these cases, its benefits can be appreciated across and beyond cybersecurity. These include, but are not limited to, accountability & conflict prevention, better communication, and increased productivity & morale.

One simple and common tool is the RACI chart (also known as the Responsibility Assignment Matrix). RACI stands for Responsible (R), Accountable (A), Consulted (C), and Informed (I). Let’s explore each of these elements in detail:

  • R: This refers to the individuals or stakeholders responsible for completing the task or making the decision.
  • A: This refers to the individual or stakeholder who “owns” the work. He/she is responsible for approving the task or decision once it's complete. It's best practice that the onus of signing off falls in the hands of one person, as opposed to Responsible, which can be several.
  • C: This refers to the individual or individuals who are considered Subject Matter Experts (SMEs). They have an ongoing conversation with (R) and their knowledge is key to completing the piece of work.
  • I: This refers to the individuals or stakeholders who need to be kept in the loop. In other words, this group should be updated on the progress. They do not participate actively, which means they aren’t consulted nor do they make a direct contribution to the piece of work.


Figure 1: Example of a RACI matrix (Source:

The steps for creating one such as in Figure 1 are:

  • Identify and list (on the left-hand side) all the tasks required for the successful completion of the deliverable.
  • Identify and list (at the top) all the stakeholders. The example above includes Senior Analyst, Project Manager, Head of Design… but this might differ from your requirements.
  • Populate the different cells with the elements (i.e., Responsible, Accountable, Consulted, and Informed).
  • Verify that each task has at least one (R).
  • As mentioned above, verify that no task has more than one (A).
  • Communicate and agree on the matrix with management. This includes any conflicts or ambiguities.
  • Upon approval, disseminate it to the relevant individuals.

(Note: Consider color coding and breaking down the deliverable into phases).

(Note: A usable template for Google Sheets may be found here and for Microsoft Excel - here).

Now that you have a better understanding of the topic, let’s look at the pros and cons.

Some of the advantages include:

  • It permits clear and open communication with the interested parties.
  • It reduces the stress of the different members by only displaying the tasks and no unnecessary information.
  • It prevents “too many cooks” from offering input, thus reducing chaos.

Some of the disadvantages include:

  • The roles are too rigid and might not reflect the individual’s real footprint in the project.
  • Stakeholders often confuse Responsible with Accountable and Consulted with Informed.

Should you consider that RACI might not be a perfect fit, there are alternatives. Some of these are:

  • RASCI: The only difference between the topic at hand and this approach is the S. It stands for Supportive. For example, during the launch of a new restaurant, the kitchen staff provides aid for the different activities without acquiring the responsibility of its completion, i.e., they only participate in the execution.
  • CARS: Here the following designations are made - Communicate (These are the consulted and informed parties), Approve (This refers to the decision maker), Responsible (The one who does the work), and Support (Individuals who support the “responsible person” in completing the work).
  • RAS: This is a simplified approach to CARS and only includes Responsible, Approve, and Support. The downside here is that there is no channel for spreading information beyond the project team.
  • CLAM: Individuals here are assigned the following actions – Contribute (Those who are consulted and who do the work), Lead (Those who delegate and manage the activity), Approve (Those who sign off), and Monitor (Must be kept in the loop for any progress).

(Note: None of the approaches mentioned above are perfect).

Next week we’ll look at Awareness, Training, and Education.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
