Inside Internal Controls

News and discussion on implementing risk management

Silos are thriving even in ERM programs


You are the captain of a ship that is sailing from Singapore to Auckland with a cargo that needs to be kept cold and will lose its freshness if you don’t arrive within a few days of your schedule.

The navigator bounds onto the bridge, brandishing a sheaf of papers. “There’s stormy weather ahead, captain! I recommend changing course to bypass the cyclones that are forming. It will delay our arrival by 48 hours, but at least we will be safe.”

The engineer hears the shouting and tells you that any delay of more than a few hours will be a problem. “I canna keep the engines running and the refrigeration going at full power for two extra days. We will run out of fuel.”

At this, the second officer reminds you that any delay will cost the company a great deal of money. “If we don’t deliver the cargo on time, it will degrade and we will incur a huge performance penalty.”

The safety officer steps forward. “If we sail through these cyclones, we are exposing the crew to danger that is avoidable. It would be a violation of our safety procedures and protocol.”

You have to make a decision.

You have to understand the problem, consider the options, and then take the necessary actions.

In order to do that, you need to weigh all the possibilities together, not one at a time.

Addressing a variety of risks (or sources of risk) one at a time does the opposite: it never sees the big picture, so it cannot act on it.

Traditional risk management, even when it is called enterprise risk management, simply puts together a list of risks. It doesn’t help you see how they, collectively, should affect your strategies and how you achieve them. It doesn’t help you weigh the pros and cons of each option.

Fortunately, Able Seaman Jones steps forward (after giving you a cup of coffee).

“Captain, sir! I’m taking an MBA course and have learned about some techniques, like Monte Carlo simulation, that will help you take all of these issues and give you an idea of the overall costs and benefits of the various options. With your permission, I can work with your officers and use the information each has developed to provide you with the information that should help you make the best decision for the company.”

World-class risk management (as described in my book of that name, updated by the discussions in Making Business Sense of Technology Risk) not only breaks down the silos but takes the information from individual areas such as Compliance, Safety, Sales, Marketing, Finance, Engineering, Supply Chain, and so on to compile and provide leaders with the big picture analyses they need.

Sadly, I keep seeing silos not only continuing but growing in number. For example, there is separate and isolated discussion of:

  • Cyber risk management
  • Safety risk management
  • Project risk management
  • Credit risk management
  • Operational risk management
  • Strategic risk management
  • Financial risk management
  • Third party risk management
  • Extended enterprise risk management (a new one to me, recently pushed by Deloitte)
  • Digital risk management
  • Supply chain risk management
  • And so on

Risk practitioners need to turn their attention to providing leaders and decision-makers at all levels with the information they need to make the informed and intelligent decisions necessary to achieve enterprise objectives.

Stop providing them with what you want to say about risk. Start providing them with the information they need to run the organization and achieve success.

A list of risks, or a heat map (no matter how pretty), simply doesn’t cut it.

If I were on the board or were the CEO and was given a list of risks or a heat map, I would ask “what does this mean and how does it help me run the business,” send it back, and ask for something that will help me do my job!

Instead of talking about this risk management or that risk management, enterprise risk management or integrated risk management, let’s talk about effective management – how to achieve enterprise objectives. Manage success, not risk.

I welcome your comments.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more