A conversation with Michael Gallagher, managing director of CBIZ Risk & Advisory Services
Not all organizations are good at managing risk in a holistic way. It's easy for business units or functions that address risks to be guarded about their risk-management efforts or to reproduce what other parts of the company are already doing. These risk silos can cause problems for companies, not only because they duplicate risk-management efforts, but also because key strategic risks can go unaddressed and siloed thinking may prevent the company from meeting its goals.
We recently caught up with Michael Gallagher, managing director at CBIZ Risk & Advisory Services, to talk about how these risk silos can crop up at companies, the dangers they present, and how organizations can dismantle them and manage risk in a more holistic way.
"Companies are required to manage risk throughout the organization, by process and by sub-organization. The silos occur when that process isn't coordinated across the company," said Gallagher. "So each individual, officer, leader, department, or location decides on their own way to manage risk and their own priorities, and they may or may not be linked to anything related to the company's strategic objectives. And that is a problem."
According to Gallagher, there are some red flags that could indicate an environment where risk silos are likely to occur. "Some of the signals are policies and procedures in organizations that differ greatly by location, process, leader, or executive," he said. "Anytime you see schedules of authorization, levels of authorities, anything that is trying to determine approvals and authorizations and ways to talk about and quantify risk that aren't tied to the company's strategic objectives are clear indicators of silos in the organization."
Gallagher says reversing course and dismantling risk silos is never easy, but there are some steps that can head companies in the right direction, including the adoption of some form of enterprise risk management. "The number one benefit of enterprise risk management is to break down those silos," he said. "If the company can train itself on those methodologies and learn to talk about and manage risk using the same language, the same quantifications, and the same indicators across the entire organization—and if those ERM processes and policies are tied to the company's strategic objectives—you then have a leadership group and a level of management that is all pulling or pushing in the same direction."