Chief Audit Executives and Risk Management Silos

March 2008

Neither wholly "good" nor "bad," risk management silos are a conundrum for any organization. A "Risk Intelligent" chief audit executive can bridge these silos and boost the company's risk management capabilities.

by Mark Layton and Jean-Pierre Garitte
Deloitte & Touche

Silos—or autonomous units—exist in most, if not all, organizations. This is generally well known and should not come as a shock. Neither should it be a surprise that risk management efforts can also become "siloed." But silos present both advantages and disadvantages where risk management is concerned.

Silos: Pros and Cons

On the positive side, silos enable risk specialization, with the finance department managing credit risk, the IT department handling security and privacy risks, and so on. Such specialization is an essential component of intelligent risk management.

On the negative side, however, silos allow risk specialists to work in organizational, and even physical, isolation. Different units within the enterprise bring to bear different philosophies and approaches. In the extreme, silos can become miniature ecosystems, each with its own culture, jargon, and practices.

A siloed state can lead to a host of problems, including duplication of effort, risk of unidentified gaps, lack of standard methodology, increased burden on the business, lack of appropriate reliance on one another's work, and absence of information sharing. All of this makes it extremely difficult—if not downright impossible—to fully understand and manage the totality of risks facing a company.

What's more, while organizational silos might work in isolation, risks certainly don't. A privacy risk, for example, can evolve into a reputational risk, a litigation risk, or a financial risk, all in rapid order.

Adopting a Portfolio View of Risk

The challenge for the chief audit executive (CAE), then, is to promote the integration of risk management information across organizational boundaries. By facilitating the development of a uniform, technology-enabled framework for corporate governance, risk management, and compliance, the CAE can bring about a better understanding of risks and how they interact, which helps the organization formulate a stronger response to them.

CAEs can also help risk specialists develop a common risk language, as well as a shared methodology for identifying, assessing, and measuring risk. This could enable the company to reduce the number of risk and control self-assessments being performed, while yielding better information and business intelligence.

The lack of a comprehensive, or "portfolio," view of risk is an almost universal problem. When a company manages risk in silos, it can end up blind to the relationships between risks. For example, a company may set out to consolidate its product fulfillment centers as a way to reduce operational costs and risk; but at the same time, it may undertake a strategic risk and launch several new products that end up having little administrative or operational support on the back end. As a result, order fulfillment and billing may be delayed, and customer dissatisfaction may run high. And the company's share price could plunge because the company did not consider the total risk picture.

Need another example? Consider third-party relationships. The legal department typically handles contracts and agreements when third-party relationships are initiated. But provisions often fail to factor in associated accounting and IT requirements, as well as controls monitoring or metrics tracking to ensure contract compliance. By taking all the appropriate functions within the company into consideration, a holistic view of outsourcing and third-party risks would result in a more efficient and effective risk management process.

CAEs can facilitate a portfolio view of risk by emphasizing cross-departmental sharing of lessons learned. The objective is to shift individuals' focus from a local perspective to an enterprise-wide response that effectively cuts across functions.

Harmonize, Synchronize, and Rationalize

As noted above, the multifaceted process of bridging organizational barriers to risk intelligence requires the development of a uniform framework. This framework can be divided into the following three tasks.

  1. Harmonization—standardizing policies, practices, and reports, and establishing a common language for risk management. This can lead to a better understanding and management of risk interactions. It can also improve access to, and comfort with, risk specialists across the organization.

  2. Synchronization—implementing cross-functional coordination for improved anticipation, preparedness, first response, and recovery. By developing a coordinated workflow, workload demands of various constituencies can be smoothed out. This helps to avoid unmanageable spikes as well as lighten the burden on the business.

  3. Rationalization—working in conjunction with others, CAEs can help to reduce or eliminate duplication of effort with respect to assessment, testing, and reporting. This can be achieved, in part, through the deployment of new technology or with better utilization of existing technology. Rationalization also has the added benefit of reducing the expense burden on the business.

Conclusion

Even the most forward-thinking companies have experienced the disadvantages of silos. While CAEs should not assume accountability for risk intelligence, they can play a vital role in bridging these silos—and in improving their companies' risk intelligence capabilities.


Jean-Pierre Garitte is a partner in the enterprise risk services practice at Deloitte Belgium. He may be reached at +32 2 800 23 11 or at jpgaritte@deloitte.com.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.