The Relationship Between the RACI Matrix and Risk Management Systems
The implementation of Risk Management is closely linked to communication and consultation processes. These processes are crucial factors supporting the smooth progression of risk management from stage to stage. It’s undeniable that communication and consultation with various stakeholders can influence decisions, both in establishing the framework and executing risk management processes. Consequently, a breakdown in communication and consultation can lead to new risks.
A significant example of communication failure in risk management implementation is the 2001 Enron bankruptcy. Enron failed to provide information consistent with reality, preventing the Enron risk management team from identifying the risks they would face. Accurate and up-to-date data from a company is vital for identifying impending risks; without such information, a company can only predict risks based on historical data, which may not always be accurate.
In connection with the above, this article will discuss a method that can be used to clearly structure and identify an effective workflow for communication and consultation in implementing a Risk Management System: the RACI Matrix. This method helps organizations identify parties involved in Risk Management System communication and consultation processes, typically categorized into four roles: Responsible (R), Accountable (A), Consulted (C), and Informed (I). As a guide for constructing a RACI Matrix, several stages can be followed:
- Identify Stakeholders in the Risk Management System
Before creating a RACI Matrix, it’s essential to determine all parties with an interest in the Risk Management System. Examples include:
- Board of Commissioners
- Board of Directors
- Department Managers / Division Heads
- Department Staff / Risk Owners
- External Stakeholders (Customers, Shareholders, Government, Risk Consultants, etc.)
- Identify Stages to be Performed in the Risk Management System
After identifying stakeholders, it’s necessary to pinpoint the stages involved in implementing the Risk Management System. Examples include:
- Establishing Scope, Context, and Criteria
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Risk Treatment
- Risk Monitoring and Review
- Risk Recording and Reporting
The more detailed the description of each stage in the Risk Management System, the clearer the roles of the stakeholders involved in executing those stages will be.
- Constructing the RACI Matrix
The RACI Matrix is developed based on the roles of stakeholders concerning the stages performed in operating the Risk Management System. As mentioned earlier, these roles are divided into:
- Responsible (R): The party tasked with executing a specific stage within the Risk Management System process. Examples include Department Staff / Risk Owners.
- Accountable (A): The party ultimately responsible for the outcome of a Risk Management System-related stage and the decision-maker for any issues that arise. Examples include leaders in respective Work Units / Departments / Divisions (Department Managers / Division Heads).
- Consulted (C): The party possessing expertise related to the Risk Management System. Examples include the Enterprise Risk Management (ERM) Department, Risk Analysts, Risk Consultants.
- Informed (I): The party who receives information regarding the results of the Risk Management System implementation stages. Examples include the Board of Commissioners, Company Directors, and External Stakeholders.
An example of a RACI Matrix format can be seen in Table 1.1 below:
Table 1.1: RACI Matrix
- Additional Information for the RACI Matrix
Once the RACI Matrix has been developed, additional details can be added, such as:
- The type of information delivered as an output from each stage of the Risk Management System. Examples include Risk Identification Reports, Risk Management System Evaluation Reports, etc.
- The method of delivering the results of the Risk Management System stages. Examples include Monthly Meetings, Yearly Meetings, Management Review Meetings, Email, Letters, etc.
- The frequency of delivering the results of the Risk Management System stages. Examples include monthly, semi-annually, annually, every 3 months, etc.
Fundamentally, the RACI Matrix is a method aimed at enhancing the effectiveness of the Risk Management System implemented by an organization. The expectation is that if an organization or company develops a well-structured RACI Matrix, it will achieve:
- No overlap in duties and responsibilities when implementing the Risk Management System.
- Quicker decision-making and problem resolution.
- Clearer internal and external information distribution.
- Transparency regarding information in operating the Risk Management System.
—
Hilman Badhi Adikara
Non-IT GRC Consultant
Robere & Associates (Indonesia)