Bridging the "Silos"
April 2007
If we learned anything from September 11,
2001, it's that first responders must be able to communicate with one another.
The inability of emergency personnel to remain in contact and share information
proved one of the most debilitating failures of the terror disaster.
by Mark Layton and Jody Noon
Deloitte & Touche
Although obviously not of the same magnitude, a similar problem plagues risk
management efforts at many organizations today. Corporate risk managers routinely
assess and respond to risks of all kinds while isolated and disconnected from
their counterparts across the company. Yet, without regular and frequent communication
among risk managers, corporate-wide integrated risk assessment and response
are not possible.
Given the way most companies institutionalize risk management, inadequate
communication should be no surprise. Whether risk is defined as avoiding threats,
identifying opportunities, or hopefully both, responsibility for risk management
often lies with risk specialists at the department level who typically dig themselves
into a vertically oriented "silo" within the broader organization.
While risk specialization is an essential component of intelligent risk management,
inward-looking risk specialists trained to see potential risks through the perspective
of departmental agendas are ill-prepared to recognize, much less deal with,
risks that transcend silo boundaries. The customer relations snafu that quickly
becomes a public relations disaster, or the data breach that becomes a major
litigation issue, might have been better dealt with if word were sent quickly
up and across the chain of command.
Unfortunately, the flow of information integral to optimal risk management
is not supported in an environment of department-bound risk managers. Nor is
this isolation problem limited to communications. Other problems endemic to
"silo-based" culture include:
- A failure to standardize risk management methodology, terminology, and
benchmarks to evaluate performance and results
- An inability to rely on contributions by risk managers in other departments
- Consequent duplication of effort throughout the organization
- An increased burden on business functions at all levels
Such conditions fail to promote the sharing of multiple risk assessments
and recommendations within the enterprise, which can make it difficult—if not
impossible—for top managers to obtain an accurate and comprehensive "portfolio
view" of the nature and level of risk to which the entire company is actually
exposed.
To mitigate the impact of a "silo sensibility," some companies have transformed
their chief risk officer into a risk czar. Typically, such arrangements transfer
risk assessment responsibilities from multiple points to one point within the
organization. The effect is to transform an ineffective decentralized process
of risk management into an ineffective centralized process
in which mandates from the C-suite discourage risk assessment closer to operational
realities. Neither approach works. Neither positions corporate leadership to
deal effectively with either threats or opportunities.
The Risk Intelligence Approach
What does work is what we call a "Risk Intelligence" approach that bridges
compartmentalized departments by establishing a mutually supportive, reciprocal,
and shared responsibility among risk managers and high-level decision makers.
It consists of:
- Establishing common risk methodologies, terminology, and metrics to
ensure consistent risk management and reporting across the enterprise.
- An inclusive risk scenario process designed to quickly assess risks
and produce actionable cross-department risk mitigation plans.
- Increasing adoption of a corporate-wide perspective on the part of risk
managers while they maintain a thorough understanding of departmental agendas.
Simply put, neither departmental risk managers nor centralized risk czars
should be the true owners of corporate risk. That ownership belongs to business
unit executives and top leadership, both of whom are informed, educated, and
prepared to deal with potential risk when risk managers throughout the organization
are able to offer risk assessments and recommendations in an integrated and
self-sustaining process characterized by a simultaneous bottom-up and top-down
collaboration.
How to put such a process in place? Incrementally, through evolution, not
revolution. The effectiveness and credibility in dealing with risk that comes
from true risk intelligence cannot be established overnight. It must be earned
in a step-by-step repositioning of people and resources over time that ultimately
will effectively deal with both threats and opportunities.
Jody Noon, RN, JD, is the National Practice Leader for Life Sciences & Health Care Regulatory
at Deloitte & Touche LLP. She can be reached at jodynoon@deloitte.com or at (212) 436–2558.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.