Chief Audit Executives and Risk Management Silos
Mark Layton | March 1, 2008
Neither wholly "good" nor "bad," risk management silos are a conundrum for any organization. A "Risk Intelligent" chief audit executive can bridge these silos and boost the company's risk management capabilities.
Silos—or autonomous units—exist in most, if not all, organizations. This is generally well known and should not come as a shock. Neither should it be a surprise that risk management efforts can also become "siloed." But silos present both advantages and disadvantages where risk management is concerned.
Silos: Pros and Cons
On the positive side, silos enable risk specialization, with the finance department managing credit risk, the IT department handling security and privacy risks, and so on. Such specialization is an essential component of intelligent risk management.
On the negative side, however, silos allow risk specialists to work in organizational, and even physical, isolation. Different units within the enterprise bring to bear different philosophies and approaches. In the extreme, silos can become miniature ecosystems, each with its own culture, jargon, and practices.
A siloed state can lead to a host of problems, including duplication of effort, risk of unidentified gaps, lack of standard methodology, increased burden on the business, lack of appropriate reliance on one another's work, and absence of information sharing. All of which makes it extremely difficult—if not downright impossible—to fully understand and manage the totality of risks facing a company.
What's more, while organizational silos might work in isolation, risks certainly don't. A privacy risk, for example, can evolve into a reputational risk, a litigation risk, or a financial risk, all in rapid order.
Adopting a Portfolio View of Risk
The challenge for the chief audit executive (CAE), then, is to promote the integration of risk management information across organizational boundaries. By facilitating the development of a uniform corporate governance, risk management, and compliance framework, which is technology enabled, the CAE can bring about a better understanding of risks and how risks interact to help the organization formulate a stronger response to risks.
CAEs can also help risk specialists develop a common risk language, as well as a shared methodology for identifying, assessing, and measuring risk. This could enable the company to reduce the number of multiple risk and control self-assessments that are being performed, while yielding better information and business intelligence.
The lack of a comprehensive, or "portfolio," view of risk is an almost universal problem. When a company manages risk in silos, it can end up blind to the relationships between risks. For example, a company may set out to consolidate its product fulfillment centers as a way to reduce operational costs and risk; but at the same time, it may undertake a strategic risk and launch several new products that end up having little administrative or operational support on the back-end. As a result, order fulfillment and billing may be delayed, and customer dissatisfaction may run high. And the company's share price could plunge because the company did not consider the total risk picture.
Need another example? Consider third-party relationships. The legal department typically handles contracts and agreements when third-party relationships are initiated. But provisions often fail to factor in associated accounting and IT requirements, as well as controls monitoring or metrics tracking to ensure contract compliance. By taking all the appropriate functions within the company into consideration, a holistic view of outsourcing and third-party risks would result in a more efficient and effective risk management process.
CAEs can facilitate a portfolio view of risk by emphasizing cross-departmental sharing of lessons learned. The objective is to shift individuals' focus from a local perspective to an enterprise-wide response that effectively cuts across functions.
Harmonize, Synchronize, and Rationalize
As noted above, the multifaceted process of bridging organizational barriers to risk intelligence requires the development of a uniform framework. This framework can be divided into the following three tasks.
- Harmonization—standardizing policies, practices, and reports, and establishing a common language for risk management. This can lead to a better understanding and management of risk interactions. It can also improve access to, and comfort with, risk specialists across the organization.
- Synchronization—implementing cross-functional coordination for improved anticipation, preparedness, first response, and recovery. By developing a coordinated workflow, workload demands of various constituencies can be smoothed out. This helps to avoid unmanageable spikes as well as lighten the burden on the business.
- Rationalization—working in conjunction with others, CAEs can help to reduce or eliminate duplication of effort with respect to assessment, testing, and reporting. This can be achieved, in part, through the deployment of new technology or with better utilization of existing technology. Rationalization also has the added benefit of reducing the expense burden on the business.
Conclusion
Even the most forward-thinking companies have experienced the disadvantages of silos. While CAEs should not assume accountability for risk intelligence, they can play a vital role in bridging these silos—and in improving their companies' risk intelligence capabilities.
Jean-Pierre Garitte is a partner in the enterprise risk services practice at Deloitte Belgium. He may be reached at + 32 2 800 23 11.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
