Silos, or autonomous units, can exist in most organizations. It’s no surprise that risk management can be divided into “siloed” functions, and it’s commonly done. Among their advantages: Silos can enable risk management specialization by business unit. For example, in a siloed structure the finance department can manage credit, interest, market and liquidity risks, while the information technology department can handle security and privacy perils. Such specialization is an essential component of developing a rich variety of risk management expertise within the organization.
But on the negative side, silos allow risk specialists within a business unit to work in physical isolation and inhibit collaboration with other business units. Problems can arise when those different business units bring to bear different risk philosophies. In extreme cases, silos can become miniature ecosystems, each with its own risk culture and practices.
Managing risks in a siloed way can lead to a host of other problems, including duplication of risk-mitigation efforts, gaps in the analysis of risks, lack of a process to aggregate critical risks, and an absence of sharing risk information across the organization. All of those problems make it extremely difficult to fully understand and manage the key risks facing an organization. While companies can operate in separate business units, a single risk is capable of affecting many different parts of the organization. A privacy risk, for example, can evolve into reputational risk, a litigation risk, or a financial risk, in rapid order.
The challenge for CFOs is to promote a method for sharing risk information across organizational boundaries. By fostering the development of a unified risk management strategy, finance chiefs can drive a better understanding of how risks are correlated and interact with one another. CFOs can also help risk specialists develop a common risk language, as well as a shared methodology for identifying, assessing and measuring risks. Those steps are likely to result in a transparent approach in which all stakeholders are aware of the critical risks in and have a unified approach in addressing them.
Why Silos Miss the Mark
There might be resistance to changing a siloed risk management organization. In such cases, how can CFOs demonstrate the deficits of a siloed approach? The ways silos can cause companies to miss the mark can be illustrated with the following example. A company may set out to consolidate its product fulfillment centers as a way to reduce operational costs and risk. But at the same time it may undertake a strategic risk by launching several new products that end up having little administrative or operational support. As a result, order fulfillment and billing may be delayed, and customer dissatisfaction may run high. The company’s share price could plunge because the company didn’t consider the total risk picture.
Another example: third-party relationships, including outsourcing. The legal department typically handles contracts and agreements when third-party relationships are initiated. Provisions may fail to factor in associated accounting and IT requirements, as well as the risk controls needed to track and ensure contract compliance. But taking all the appropriate functions within the company into consideration can create a more efficient and effective risk management process. CFOs should promote a portfolio view of risk that stresses cross-departmental sharing of lessons learned from past outsourcing risks taken.
Before the financial crisis, Royal Bank of Scotland was considered to have a well-staffed risk management function. In 2010, however, a report by the Chartered Institute of Management Accountants found that there were three large weaknesses in RBS’s risk management program:
1) Risk was being monitored in individual divisions, and this siloed approach allowed overall risk to develop unchecked.
2) An overly aggressive risk culture.
3) A heavy dependence on mathematical risk models that tended to show that the bank’s risk levels were acceptable.
Faced with an ever greater tension between the needs of driving up returns and managing risk conservatively, RBS erred on the side of the former by relying on a highly mechanical analysis of risk exposure. Says the report: “That process ticked all the compliance boxes, but was rarely reviewed in terms of judgments, rather than just mathematical models.”
Moreover, warnings fell on deaf ears. “Professional risk managers appear not to have had either the authority or the influencing skills to change the approach to risk,” the report adds. “And because operational managers were remunerated on financial performance, without sufficient reference to long term risk factors, there was limited incentive to look more deeply at either localized risks, or the build up of cross-departmental risk dependencies.”
RBS’s situation was summed up by Stephen Hester, who replaced Sir Fred Goodwin as chief executive officer. Hester told members of the Scottish Parliament: “It wasn’t detailed risks that made RBS weak. It was the big macro imbalances.”
A Multifaceted Process
CFOs can address silo problems in their companies via a multifaceted process that bridges organizational barriers to risk intelligence and relies on a uniform framework. This framework can be divided into the following three tasks.
1) Standardizing policies, practices and reports, and establishing a common language for risk management. This can lead to a better understanding and management of risk interactions. It can also improve access to, and comfort with, risk specialists across the organization.
2) Implementing cross-functional coordination for improved anticipation, preparedness, first response and recovery. By developing a coordinated workflow, workload demands of various constituencies can be smoothed out. That helps to avoid unmanageable spikes as well as lighten the burden on the business.
3) Working in conjunction with others in the organization, CFOs can help to reduce or eliminate duplication of effort with respect to assessment, testing and reporting. That can be achieved, in part, through the deployment of new technology or with better use of existing technology. Such efficiencies also have the added benefit of reducing the expense burden on the business.
Once risks have been assigned to the appropriate risk owner in the organization, there also needs to be a process in place to monitor and report the critical risks to the decision-makers in the organization. That can only be done effectively when a silo-based approach to risk management is eliminated and replaced with a more transparent risk culture unafraid to recognize and respond to the current state of risk in the organization.
John Bugalla is a principal with ermINSIGHTS, and Kristina Narvaez is president and CEO of ERM Strategies LLC.