Why your traffic light risk assessments aren’t protecting you from anything
Don't entrust your business to traffic lights...
If you hired a risk analyst, and the only three things they ever said were ‘Yes’, ‘No’ and ‘Maybe’, you’d probably start to question how much they really knew, right?
So why do we do exactly the same thing when we produce risk reports? It might be a bit of an oversimplification, but that’s all a traffic light risk assessment really is: green (yes), red (no) and amber (maybe).
Are your traffic light risk assessments really telling you anything? 🔴 No.
Is there a better way we can assess risk that will actually help your business? 🟢 Yes.
Should you be using traffic light systems in your risk assessments at all? 🟡 Maybe.
… Okay, don’t worry, we’ll go into more detail than that.
What are traffic light risk assessments?
I won’t labour the point here, but allow me to briefly outline what traffic light risk assessments are and why they have become the standard method across many industries. From there, the flaws in this system will likely already stick out to you, and we can dive into the consequences of those flaws and how we can fix them.
So, what is a traffic light risk assessment?
Traffic light risk assessments are a risk review format that judges the level of risk of certain factors and categorises them as either Green (low risk), Amber (moderate risk), or Red (high risk). They are used to summarise a wide array of inputs, data and information into easy-to-understand scores that deliver an overview of risk exposure.
The 3 key flaws of traffic light risk assessments
1. Imprecise and over-simplified
When traffic lights represent something simple, they are effective. Red; stop. Green; go. This intuitively makes sense and allows for instant interpretation of signals. But when has quantifying risk ever been simple?
To be fair and avoid bias, I must admit that the simple nature of a traffic light system is both a strength and a weakness in risk assessments. The issue here is that the weakness completely undermines the benefits.
Traffic lights make risk assessments quick and easy to understand at a glance, and that shouldn’t be underestimated, particularly when multiple stakeholders are in play. However, to get to this level of simplification we have essentially boiled all of the complexities and almost immeasurable influences of how much risk any given threat poses down to a scale of just 1-3.
I would argue that for a risk assessment to be even remotely worth the time and effort it takes to carry out in the first place, it would need to offer a granularity and depth of insight that even a 1-5 or 1-10 scale cannot offer. This is why the Binderr platform calculates risk scores out of 100: a range of that size offers the flexibility and level of nuance that an honest and thorough assessment of a risk landscape requires, while remaining easy and intuitive to understand (don’t even get me started about decimals in a 1-10 scale - that’s just a 1-100 scale made needlessly more complicated).
2. Reliance on intuition over data
Reader, do me a quick favour and look outside your nearest window.
Which way is the wind blowing?
Without looking anything up online: How will that wind direction affect the chances of rain today?
Maybe you’re a qualified meteorologist and you know how to answer that, maybe you can see rain clouds to the east and they’re moving your way, or, more likely, you’re just using a little bit of intuition to make a reasonable guess.
When you really get down to it, that’s all your traffic light system really is. You’ve put your finger up in the air, felt the way the wind was blowing, and said ‘this risk factor feels like an amber to me.’
Let’s take an example to illustrate the issue here:
You’re a law firm performing a risk assessment on a potential new customer. This customer is well within your target risk profile in every way, except they service customers in jurisdictions that you have little experience with. Everything else is above board, but now you’re asked to judge the risk level of dealing with matters in Turkey or Jamaica. Neither shows up on the high-risk jurisdictions list at present, and the business they have there is all above board - in fact, the client themselves isn’t even based there.
Is this a red, or an amber?
If they dealt with clients in Monaco, but weren’t based in Monaco themselves, does this make it a red by default? Or do they remain amber, or even green?
What is the empirical evidence behind that decision making, or is it just a hunch?
3. Lack of context for decision making
Take a look back at a traffic light risk assessment produced over 1 month ago.
Can you recall and provide the reasoning behind the scores provided with any confidence? Is there a clear and auditable methodology behind each and every result?
Beyond that, let’s fast forward:
You’ve finished the risk assessment and now it’s decision time. You and your fellow Partners, Directors and Compliance Officers are reviewing the report to come to a decision on whether to take on this new client.
The Managing Partner is excited at the prospect of this lucrative opportunity, and has the champagne ready. The Compliance Officers, less so. Due to complications in the onboarding process, the risk assessment took considerably longer than usual to complete, and now there are elements of the assessment that rely on the fallible memories of those who carried it out.
What do you decide? And can you decide with any real confidence?
How sure are you about the risk of further consequences?
This reason and those above may seem hypercritical, but if you cannot trust your risk assessments to safeguard your business against threats, are they worth their salt? What is the purpose of a risk assessment at all if not to offer awareness and protection against potential hazards?
How does relying on traffic lights leave you vulnerable?
Traffic light risk assessments are too imprecise, too subjective, too vague and too human to adequately protect you and your business from anything. They leave you in a grey area, uncertain of your exposure and even less certain of what might result from decisions you make.
These kinds of grey areas are not a place you want your business or your clients to be in. The unknown is something businesses go to great lengths and even greater costs to avoid; just ask any of the world’s millions of statisticians, analysts, and data scientists.
A traffic light system; a rating out of 5, or even 10; a thumbs up or down. These are not effective methods of assessing risk, and defaulting to these systems of analysis simply because that’s all you’ve known, all you’re asked to do, or all you can afford to do right now is a grievous mistake that can prove fatal for any business.
How do you change this to protect your business?
Now we’re at the fun, hopeful bit:
It’s really, really easy to take a traffic-light risk assessment and make it actually valuable for your business.
It’s simply a case of drilling down a little bit deeper and turning to objective data to answer the same questions you already answered before.
You still set parameters that match your risk tolerance, but instead of red to green (or 1-3), expand that to 100. Look to aggregate data to answer questions instead of your own judgements. If a client deals in cryptocurrency assets and that used to be a ‘red’, instead ask: how much of a risk out of 100 is it? Do the types of cryptocurrencies affect this? Does the number of addresses tied to their wallet? Bring these nuances into your scale.
Do the same for jurisdictions, for sources of wealth, for the involvement of beneficial owners, for everything. What you get when you set these parameters and place them within a broader scale is more context, and that deeper context allows you to make more deliberate, precise judgements based on the data in front of you.
- A client is no longer a ‘green’, they are a ‘3 out of 100’, or, one hell of a safe bet.
- A client is no longer a ‘red’, they are a ‘68 out of 100’, or much less risky than that simple red light initially made you think (though still riskier than you may perhaps like).
Turning to technology for simplification
Instead of oversimplifying the analysis you produce in your risk assessments, simplify the processes and the way you undertake a rigorous analysis. Turn to technology, like Binderr and like many other risk assessment platforms out there, to shoulder the burden of data capture and visualisation.
Make it easy to go through the process of producing a risk assessment; don’t make the assessment itself easy.
Risk clarity, powered by Binderr
Binderr Risk is a key pillar of the Binderr platform, and perhaps one of its best features. I am fortunate to have worked with experts in operational risk and resilience and tech vendors alike in my career, and have seen the solutions powering some of the largest organisations and institutions in the world, such as NATO, The Red Cross, and more than 40 of the largest banks in the world. In my opinion, Binderr Risk offers one of the best and most advanced risk assessment tools available today.
It provides the perfect balance of analysis and ease of use. It is at once easy to understand yet nuanced in the depth of insight it provides. Its blend of the most advanced jurisdictional risk system I have seen and aggregation of data from 1000s of sources provides risk scores you can trust to inform decisions and safeguard your business against risk.