Home > Risk > Silos are thriving even in ERM programs

Silos are thriving even in ERM programs

November 15, 2019 Leave a comment Go to comments

You are the captain of a ship that is sailing from Singapore to Auckland with a cargo that needs to be kept cold and will lose its freshness if you don’t arrive within a few days of your schedule.

The navigator bounds onto the bridge, brandishing a sheaf of papers. “There’s stormy weather ahead, captain! I recommend changing course to bypass the cyclones that are forming. It will delay our arrival by 48 hours, but at least we will be safe.”

The engineer hears the shouting and tells you that any delay of more than a few hours will be a problem. “I canna keep the engines running and the refrigeration going at full power for two extra days. We will run out of fuel.”

At this, the second officer reminds you that any delay will cost the company a great deal of money. “If we don’t deliver the cargo on time, it will degrade and we will incur a huge performance penalty.”

The safety officer steps forward. “If we sail through these cyclones, we are exposing the crew to danger that is avoidable. It would be a violation of our safety procedures and protocol.”

You have to make a decision.

You have to understand the problem, consider the options, and then take the necessary actions.

In order to do that, you need to weigh all the possibilities together, not one at a time.

But that’s what addressing a variety of risks (or sources of risk) one at a time does. It fails to see and take action based on the big picture.

Traditional risk management, even when it is called enterprise risk management, simply puts together a list of risks. It doesn’t help you see how they, collectively, should affect your strategies and how you achieve them. It doesn’t help you weigh the pros and cons of each option.

Fortunately, Able Seaman Jones steps forward (after giving you a cup of coffee).

“Captain, sir! I’m taking an MBA course and have learned about some techniques, like Monte Carlo simulation, that will help you take all of these issues and give you an idea of the overall costs and benefits of the various options. With your permission, I can work with your officers and use the information each has developed to provide you with the information that should help you make the best decision for the company.”

World-class risk management (as described in my book of that name, updated by the discussions in Making Business Sense of Technology Risk) not only breaks down the silos but takes the information from individual areas such as Compliance, Safety, Sales, Marketing, Finance, Engineering, Supply Chain, and so on to compile and provide leaders with the big picture analyses they need.

Sadly, I keep seeing silos not only continuing but growing in number. For example, there is separate and isolated discussion of:

  • Cyber risk management
  • Safety risk management
  • Project risk management
  • Credit risk management
  • Operational risk management
  • Strategic risk management
  • Financial risk management
  • Third party risk management
  • Extended enterprise risk management (a new one to me, recently pushed by Deloitte)
  • Digital risk management
  • Supply chain risk management
  • And so on

Risk practitioners need to turn their attention to providing leaders and decision-managers at all levels with the information they need to make the informed and intelligent decisions necessary to achieve enterprise objectives.

Stop providing them with what you want to say about risk. Start providing them with the information they need to run the organization and achieve success.

A list of risks, or a heat map (no matter how pretty), simply doesn’t cut it.

If I was on the board or was CEO and was given a list of risks or a heat map, I would ask “what does this mean and how does it help me run the business,” send it back, and ask for something that will help me do my job!

Instead of talking about this risk management or that risk management, enterprise risk management or integrated risk management, let’s talk about effective management – how to achieve enterprise objectives. Manage success, not risk.

I welcome your comments.

  1. November 15, 2019 at 9:04 PM

    What did Captain Jones decide and do? Why did he do what he decided to do? Did Monte Carlo really help? What to do about the unknown unknowns?

    • Norman Marks
      November 16, 2019 at 7:10 AM

      The fact that it is not clear what he should do with just these individual reports makes it very clear more is needed: some way to see the big picture and weigh all the pros and cons. A list of risks is insufficient.

  2. Grant Purdy
    November 15, 2019 at 9:37 PM

    I’ve never been able to rationalise why people categorise risk according to a consequence type or organisational activity. The only way that makes sense (if you believe that you understand what ‘risk’ means – and I don’t) is according to causation.

    On the other hand, I can understand that job preservation and enhancement are strong drivers for silo creation. Even then, letting the IT department look after IT risks and the credit department look after credit risks, as examples, is like letting the fox look after the hen house!

    Of course, all this is just part of the meaningless farce that risk management has become. Even among the ‘experts’ in different types of ‘risk management’ who advocate the adoption and practice (often to earn their living) of a particular set of paradigms and methods, the term has no settled meaning or even clarity as to purpose. Instead, the clumsy constructs and confected, ever-expanding jargon of its many versions complicate rather than improve decision-making.

    All the forms of ‘Risk management’ are just labels for a belief systems that are promoted – often with evangelical enthusiasm – as if their name alone is an indispensable and fundamental truth. Often, its particularly important that a particular belief system is described by a three letter acronym (like ERM, SRM, IRM, GRC., etc, etc) to give it some mystique and special identity.

    And, of course, like other religions and beliefs systems, each tribe or denomination has its own set of symbols and ‘truths’ based on unvalidated assertions and concepts, a unique confected jargon manifesting as real knowledge and is defined by its label rather than what it means or actually achieves.

    Of course, Norman, respected authors who write books on just one type of risk management (Technology Risk, for example) only help to perpetuate the silos and emphasise particular, whacky believe systems.

  3. Gary Lim
    November 17, 2019 at 5:28 AM

    When you said ” takes the information from individual areas …” doesn’t it mean you are taking from EACH SILO if not where do you get the information. Personally I view it as 2 separate area of responsibilities SILO for the individual probably at Supervisory level, they must have to take care of their areas say safety. To compile and related them for the benefit for Management to use, it is another person who has the ability to comprehend and link all the silos into something useful. Silo is the input which I would respect.

    As for the case you mentioned, Someone is paid to decide based on the input from the staff, the Captain who makes a calculated risk and proceed with the action period!

  4. Gregory Sosbee
    November 18, 2019 at 8:53 AM

    Norman, while I am not sure of your example, I am completely on board with your last five content related paragraphs. Risk Management Rule 1 (Risk = Risk) should blow apart any notion that each exposure subset should have its place, and Rule 5 (Only one risk management program with common nomenclature, protocols, and measurements) describes how the ERM program has to be designed, implemented and managed. (The silo list in your commentary is an exposure list, not a risk list.)

    As an example, just last week, I read an article written by a high-level Deloitte Partner describing what was labeled as an “Extended Risk Management Program” for vendor/supplier risk management. (In fact, if you tack on a separate ERM program for vendors, you also have to tack on the same type of program for customers. Total rubbish.) In an ERM Environment, all risks of the organization are included; thus, no need to introduce another one-off program that only duplicates what should already be standard risk management practice, and just adds to the confusion.

  1. November 25, 2019 at 4:49 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: