Managing Risks to Success

The Sea of Green: Is Risk Really Being Managed?

A dashboard full of green can be reassuring, particularly for boards, audit committees and leadership teams who need to make sense of complex information quickly and focus their attention where it is most needed.

Green ratings can indicate that controls are in place, agreed actions have been completed, risk owners are engaged and known issues are being addressed. Used well, they are a helpful way of summarising assurance activity and providing a clear view of progress. However, when green becomes a shorthand for “everything is fine”, it can also create a level of comfort that is not fully supported by the underlying evidence.

The question is not whether green ratings are useful. They are. The more important question is whether they are telling the organisation enough about the risks that could prevent it from achieving its objectives.

In our recent article, The Questions Boards Should Be Asking About Risk and Assurance, we explored the need for boards and audit committees to look beyond the volume of assurance they receive and ask whether that assurance is genuinely helping them understand the risks that matter. This “sea of green” issue is closely connected to that challenge. Organisations may have extensive reporting, mature dashboards and well-maintained action trackers, but still lack a clear view of whether the most significant risks are being managed effectively.

A green status may confirm that a mitigation has been recorded, but not that it is operating as intended. It may show that an action has been closed, but not that the underlying exposure has reduced. It may indicate that a process is being followed, but not that the process is still the right one for the objective the organisation is trying to achieve.

As Donna Littlechild, Co-Founder at Littlechild & Haley, explains:

“The risk with a sea of green is that it can quietly shift the conversation from whether the organisation is managing risk to whether the organisation has completed the activity it said it would complete. Those are not the same thing. Internal audit should help leadership teams understand whether the key risks to success are genuinely being controlled, not simply whether the paperwork suggests that everything is on track.”

That distinction is particularly important where organisations are relying on significant mitigations in high-risk areas. A mitigation being “in place” is not the same as a mitigation being effective, consistently applied, owned by the right people, and capable of working under pressure. In many cases, the most valuable assurance comes from testing whether those mitigations are actually reducing risk in practice, rather than simply confirming that they exist.

In practice, the issue is often subtle. The green rating may not be wrong. It may accurately reflect that an action has been completed, a process has been followed, or a document has been produced. The challenge is whether that rating also tells leaders enough about the risk it is meant to address.

Where green reporting can still leave important questions unanswered

The following examples illustrate four common situations where a green rating may be accurate at one level, but still leave important questions unanswered about evidence, resilience and delivery.

The common thread running through these examples is that assurance is most valuable when it is connected to purpose, not simply process. A green rating only becomes meaningful when it is clear what objective it relates to, what risk it is addressing, and what evidence supports the conclusion.

That is why objective-focused audit work is so important. Rather than starting with a process and asking whether expected controls are present, internal audit should begin with what the organisation is trying to achieve. What are the key objectives? What could prevent those objectives from being delivered? Which risks would have the greatest impact? Which mitigations are being relied on most heavily? Where would failure be most visible, costly or difficult to recover from?

This approach changes the nature of the assurance conversation. It moves the emphasis away from confirming activity and towards understanding whether the organisation is better placed to succeed. It also helps boards and audit committees ask more useful questions about the relationship between objectives, risks, controls and evidence.

A risk register, for example, may show a high-risk area as green because mitigations have been identified and actions have been completed. On paper, that may look appropriate. But the more useful assurance questions are likely to be: have the mitigations been tested? Are they working consistently across the organisation? Is there evidence that they are reducing exposure? Are they proportionate to the level of risk? Would they still operate effectively if circumstances changed?

Similarly, action closure can be an important indicator of progress, but it should not automatically be treated as evidence that risk has reduced. A completed action may update a policy, introduce a new review point or add a control into a process, but the assurance question is whether that action has changed the organisation’s risk position in a meaningful way.

For audit committees and leadership teams, a useful challenge is:

Green against what objective, what risk, and what evidence?

That question helps move reporting away from surface-level comfort and towards a more practical assessment of whether the organisation is managing the risks that matter most. It also supports the direction of travel within internal audit more broadly, where the focus is increasingly on strategic alignment, important risks and meaningful engagement with boards and senior management.

The Chartered IIA’s Internal Audit Code of Practice reinforces the importance of internal audit providing an overall opinion on the effectiveness of governance, risk and control frameworks, as well as whether risk appetite is being adhered to. That expectation cannot be met through action tracking alone. It requires assurance work that is sufficiently connected to the organisation’s objectives, risk appetite and material control environment.

This is why success-centred assurance is so important. Assurance should not only tell an organisation whether controls exist, but whether the organisation is managing the risks that could most affect delivery, resilience and performance. It should help leadership teams understand where confidence is justified, where further challenge is needed, and where green reporting may be concealing uncertainty.

At Littlechild & Haley, our approach is objective-focused, risk-informed and success-centred. We help organisations move beyond assurance that simply confirms controls exist, towards assurance that tests whether key risks are being managed and whether the organisation is better placed to achieve its objectives.

A sea of green should not automatically be a cause for concern. In some cases, it may reflect strong governance, effective risk ownership and controls that are operating well.

But it should always prompt curiosity.

Are we genuinely managing risk, or simply reporting activity?

If your assurance reports are green but the organisation still feels exposed, it may be time to ask different questions.

Paul Haley

Co-Founder
