August 12, 2019
Breaking Down the Silos in Managing Risk
By Michael Berman, Founder and CEO, Ncontracts
There’s a difference between risk management that starts at the top and risk management that trickles up.
When risk management starts at the top it is thorough and unified. Risk tolerances and risk appetite drive strategic decisions – all decisions. Everyone is following the same approach. In contrast, when risk management trickles up, it’s anyone’s guess what’s really happening. Each business line, department or area does what it wants, how it wants, with no regard for the big picture. It’s a huge waste of resources that creates redundancies, inefficiencies and discrepancies.
The trickle-up approach may have worked in the past when risk management was limited to credit risk, but not today. As regulatory guidance has expanded the scope of regulations over the past few years, the overlap between different areas of risk management has grown significantly. Enterprise risk management, business continuity planning, compliance, cybersecurity and vendor management can no longer be thought of as standalone elements of an institution’s operational risk management program – they are intertwined.
At too many institutions, the IT department handles cybersecurity, compliance tackles vendor management and someone else in IT oversees business continuity planning. The result is an organization comprised of silos. Each team meticulously follows regulatory requirements and best practices for risk management – without ever considering the possibility that someone else in the institution might be tackling a similar task.
Consider security breaches of critical vendors. They touch at least five key areas of risk management:
1. Vendor management
Regulators want institutions to know what provisions and policies are in place to ensure notification of a security breach at a critical third-party vendor.
2. Cybersecurity
FFIEC’s Cybersecurity Assessment Tool specifically asks if all critical vendors are required by contract to notify the institution when there is a security breach.
3. Business continuity planning
An institution should know how long it will take critical vendors to notify it of a security breach.
4. Compliance
The Gramm-Leach-Bliley Act specifically mentions that vendors with access to protected data should be required to notify the institution of a security breach.
5. Enterprise risk management
The institution needs to determine if critical vendors are required to notify it of a security breach.
In theory, overlapping requirements like these should make risk management simpler for institutions – one person or team can address these concerns and report back to everyone who needs the information. But that’s not always what happens. Too often institutions rely on a decentralized approach to risk management, which is a problem for three reasons.
Consider the aforementioned security breach. There could be five or more groups compiling lists of third-party vendors, assessing the criticality of individual vendors and determining which vendors should report breaches and when. When it comes time to test controls, each control is tested five times instead of simply testing it once and sharing the findings with everyone involved. This repetition isn’t thorough – it’s just a waste of time and resources.
There may also be five or more teams monitoring and setting policy for security breaches of critical vendors. Instead of working cooperatively to leverage resources and information, each group starts from scratch. The compliance department doesn’t benefit from IT’s knowledge of cybersecurity. The vendor management and contract teams don’t necessarily understand the expectations of business continuity planning. Enterprise risk management isn’t providing the overall leadership needed to make the process function smoothly. It’s a waste of expertise.
When different groups share overlapping responsibilities and don’t realize it, conflict arises as each group sets different standards and notification times. For instance, the IT team may require breach notification within one hour, while compliance may say 24 hours. Meanwhile, each group may be using different standards to assess the risk of vendors, producing inconsistent results. Discrepancies like these are red flags for regulators.
Institutions can avoid these problems with a unified approach to risk management – putting in place systems to connect disparate functions and areas so that every requirement can be studied from multiple perspectives. Enterprise risk management should serve as an umbrella for all other areas of risk management – including compliance. Not only does this ensure that an institution’s business strategies are integrated into risk decisions, it also centralizes data so risk management can be viewed holistically.
FIGURE 1: Siloed Decision-Making
ERM Simplifies Banking
The idea of top-down risk management can intimidate institutions where the function is currently spread out. After all, existing processes may appear to be working. However, what seems easier or faster isn’t always right. Just look at the difference between making a strategic decision using ERM versus a siloed approach.
The chart below represents a siloed approach to decision-making. In this case, an institution is faced with the risk of losing small business lending market share to unregulated nonbank competition. To combat the threat, the institution decides to offer unsecured small business loans funded within 24 hours. The competition is doing it. The bank wants to remain competitive. Decision made.
The institution made a decision, but it didn’t follow any sort of process. Someone had an idea and the institution ran with it. There’s no systematic discussion to thoroughly analyze the potential risk involved. There’s no thought as to whether all stakeholders have been consulted. Maybe compliance is invited in, maybe it isn’t. What about IT? Marketing? Other key departments? The opportunity to uncover risks (and opportunities) is lost by failing to include key areas.
Worse yet, once the decision is made and marching orders are passed on, this siloed approach is likely to produce redundancies. Let’s say the institution is outsourcing this new platform to a third-party vendor. That introduces third-party risk, which ties into cyber risk, reputation risk, compliance risk and even credit and financial risk. How will these risks be addressed? If each department attacks third-party risk individually, it will result in an inefficient duplication of resources and also introduce the potential for conflicting results. With different areas using different standards for assessing elements of third-party risk, there will likely be conflicting work that leads to complications.
While the chart in Figure 1 may look simple and ordered, in reality it’s ineffective and inefficient because there are no connections.
Now let’s look at strategic decision-making with ERM as pictured by the chart in Figure 2. The ERM chart is a bit harder to follow. It’s more complicated. But it’s not creating complications, it’s uncovering them, revealing overlap and the need for communication.
FIGURE 2: Strategic Decision-Making with ERM
It may seem like a big effort, but using ERM will actually lead to less work.
Using an ERM approach to strategic decision-making means the institution knows exactly who needs to be in the room before a decision is made. It uncovers problems and conflicts early on, allowing them to be addressed from the beginning when a program has the most flexibility. It allows different areas to benefit from existing work and reach agreement. It leads to smarter decision-making – and that leads to less work for everyone.
But that only happens when ERM work is integrated into the strategic decision-making process. Rather than making a decision and then telling the CFO about it, the institution gets input while it’s still possible to make changes. ERM is about understanding that risk management can’t happen in a silo. By nature, risks are interrelated and uncovering them requires a systematic approach. Risk must be considered collaboratively from the very beginning to make informed decisions.
The status quo may seem acceptable, but managing risks individually instead of with ERM is likely to be wasting resources and creating messes that could have been prevented with foresight. When silos are eliminated, risk management results in better oversight, greater efficiency and lower costs. That’s why risk management needs to start at the top.
Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.
About the Author
Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. He has an extensive background in legal and regulatory matters, and was involved in numerous regulatory, compliance and contract management challenges during the course of a legal career that included several general counsel posts.