Chief Audit Executives and Risk Management Silos
March 2008
Neither wholly "good" nor "bad," risk management
silos are a conundrum for any organization. A "Risk Intelligent" chief audit
executive can bridge these silos and boost the company's risk management capabilities.
by Mark Layton and Jean-Pierre Garitte, Deloitte & Touche
Silos—or autonomous units—exist in most, if not all, organizations. This
is generally well known and should not come as a shock. Neither should it be
a surprise that risk management efforts can also become "siloed." But silos
present both advantages and disadvantages where risk management is concerned.
Silos: Pros and Cons
On the positive side, silos enable risk specialization, with the finance
department managing credit risk, the IT department handling security and privacy
risks, and so on. Such specialization is an essential component of intelligent
risk management.
On the negative side, however, silos allow risk specialists to work in organizational,
and even physical, isolation. Different units within the enterprise bring to
bear different philosophies and approaches. In the extreme, silos can become
miniature ecosystems, each with its own culture, jargon, and practices.
A siloed state can lead to a host of problems, including duplication of effort,
unidentified gaps in coverage, lack of a standard methodology, increased burden on
the business, failure to place appropriate reliance on one another's work, and absence
of information sharing. Together, these make it extremely difficult, if not downright
impossible, to fully understand and manage the totality of risks facing a company.
What's more, while organizational silos might work in isolation, risks certainly
don't. A privacy risk, for example, such as the mishandling of customer data by the
IT function, can evolve into a reputational risk, a litigation risk handled by legal,
or a financial risk carried by finance, all in rapid order.
Adopting a Portfolio View of Risk
The challenge for the chief audit executive (CAE), then, is to promote the
integration of risk management information across organizational boundaries.
By facilitating the development of a uniform, technology-enabled governance, risk
management, and compliance framework, the CAE can help the organization better
understand its risks and how they interact, and so formulate a stronger response to them.
CAEs can also help risk specialists develop a common risk language, as well
as a shared methodology for identifying, assessing, and measuring risk. This
could enable the company to reduce the number of overlapping risk and control
self-assessments being performed, while yielding better information and business intelligence.
The lack of a comprehensive, or "portfolio," view of risk is an almost universal
problem. When a company manages risk in silos, it can end up blind to the relationships
between risks. For example, a company may set out to consolidate its product
fulfillment centers as a way to reduce operational costs and risk; but at the
same time, it may take a strategic risk by launching several new products
that end up with little administrative or operational support on the back end.
As a result, order fulfillment and billing may be delayed, and customer dissatisfaction
may run high. The company's share price could then plunge, because the company
did not consider the total risk picture.
Need another example? Consider third-party relationships. The legal department
typically handles contracts and agreements when third-party relationships are
initiated. But provisions often fail to factor in associated accounting and
IT requirements, as well as controls monitoring or metrics tracking to ensure
contract compliance. A holistic view of outsourcing and third-party risk, one that
takes all the relevant functions within the company into consideration, would
result in a more efficient and effective risk management process.
CAEs can facilitate a portfolio view of risk by emphasizing cross-departmental
sharing of lessons learned. The objective is to shift individuals' focus from
a local perspective to an enterprise-wide response that effectively cuts across
functions.
Harmonize, Synchronize, and Rationalize
As noted above, the multifaceted process of bridging organizational barriers
to risk intelligence requires the development of a uniform framework. This framework
can be divided into the following three tasks.
- Harmonization—standardizing policies, practices, and reports, and establishing a common language for risk management. This can lead to a better understanding and management of risk interactions. It can also improve access to, and comfort with, risk specialists across the organization.
- Synchronization—implementing cross-functional coordination for improved anticipation, preparedness, first response, and recovery. By developing a coordinated workflow, the workload demands placed on various constituencies can be smoothed out. This helps to avoid unmanageable spikes as well as lighten the burden on the business.
- Rationalization—working in conjunction with others, CAEs can help to reduce or eliminate duplication of effort with respect to assessment, testing, and reporting. This can be achieved, in part, through the deployment of new technology or better utilization of existing technology. Rationalization also has the added benefit of reducing the expense burden on the business.
Conclusion
Even the most forward-thinking companies have experienced the disadvantages
of silos. While CAEs should not assume accountability for risk intelligence,
they can play a vital role in bridging these silos—and in improving their companies'
risk intelligence capabilities.
Jean-Pierre Garitte is a partner in the enterprise risk services practice at
Deloitte Belgium. He may be reached at +32 2 800 23 11 or at jpgaritte@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.