Thanks to the perseverance of risk and compliance professionals and automation we have built silos where domain specific risks are managed in very granular detail. This data has unexploited strategic value.
The silos exist within all risk domains. We need to begin to connect the dots across the silos. There is no other way to grow as a profession.
Strong silos are a sign of a maturing profession. But professional growth requires the development of an overarching framework that creates actionable knowledge from siloed risk and compliance information.
Think of the development of financial statements driven by double entry accounting that forced the linkage of financial accounting silos to create financial statements. Reporting Accounts Payable balances alone is not useful. Its necessary to connect those balances to Inventory, Operating Expenses and Cash accounts to create knowledge and make decisions.
Unconnected risk and compliance reporting using risk registers, heat maps, lists of effective and ineffective controls, stacks of single-issue audit reports suggests we have not linked the silos.
We have great data in the risk and compliance silos. We need to get it linked to what the business cares about. Data in the risk and compliance silos must be categorized and linked to explain and anticipate business performance and how objectives will be achieved.
The Art of the Possible
Several years ago, a colleague of mine at SAP demonstrated how technology (SAP technology in this case) can be used to connect the dots across several silos of risk and compliance information and link the siloed results to business objectives.
Thanks to SAP this demo is publicly available on YouTube. Its about 8 minutes in length but well worth the time.
As you watch the demo, imagine the addition of key risk indicators, risk drivers, performance data, audit data providing assurance and root cause analysis.
Imagine also that the data would be updated instantly every time events such as loss incidents, control test failures, audit findings or any one of dozens of potentially triggering events occurred. Finally, imagine instant drill down capability to a very granular level.
Among other things business executives would then be able to instantly:
- Anticipate how external and internal risk drivers will impact objectives.
- Compare risk and compliance practices between different organizations and over time.
- Understand the root causes of failure and ineffective controls
- Drive down the cost of control by balancing risk appetite with control cost.
- Determine the most cost-effective control portfolios and risk responses for given objectives and risks. (See also my blog offering a Strategic Perspective on Risk and Compliance
- Allocate risk and compliance resources, including audit, to where they are most needed.
- Assess the performance of risk and compliance professionals. And their contribution to business performance.
What’s Blocking Progress?
Technology for connecting the dots exists today. The data that needs connecting is available. Risk and compliance professionals are competent and motivated. In my view the next step is getting the silos aligned to a common goal, but silos must remain independent and strong. In my experience, although risk and compliance professionals talk about adding value and contributing to performance, they are primarily aligned with their professional standard setters who give them accreditation. To meet their professional standards auditors are required to audit. risk professionals are required to identify and assess risks, control professionals are required to test controls, compliance people are focused on compliance, or obedience. None of the silos are judged by their contribution to business performance. The sum of all their work is unconnected data. That data only has value when its connected.
I have seen very little evidence of cross silo collaboration in my career. And that may be an overstatement. Alignment must come from the top. Its unlikely to appear spontaneously from the silos.
Customer reactions to the demo above were polarized. Executives and boards were extremely interested. Most risk and compliance professionals were often indifferent at best.
For those of you who want to connect the dots, my suggestion is to start at the top of the organization and create demand with a vision. Use the vision to align and mobilize.
A Recipe for Connecting the Dots
Consistent methodology is critical to connecting risk and compliance data. Here is an example that illustrates the need for consistency and structure.
My pharmacist usually recommends generic versions of my prescription medication. She claims the ingredients of the generic drugs are the same as the ingredients in the branded versions so why pay more? I pointed out the key ingredients in a fine souffle and the ingredients in burnt scrambled eggs are also very similar. The ingredients are important, but the recipe used, the skills and training of the chef, the cooking process and the equipment used are equally important. To consistently produce the same result and to scale it the process, a standard methodology must be used.
Tim Leech, a former partner and colleague and now the owner of Risk Oversight Solutions has used a version of this model for many years.
Every risk and compliance silo creates information that fits somewhere in this flow line. All the dots are here and the logical connections between them is apparent. In this case, all the information gathered is linked in some way to a business objective. Variations of this approach are possible and other approaches may work as well.
But by using a standard methodology, everyone understands what information is created who created it, and what it means. In order to integrate risk and compliance practitioners, like chefs, must all follow the same recipe.
A standard methodology provides a recipe for determining and linking all the different data produced by risk and compliance practitioners. Standardizing the data means it can come from any practitioner or “silo” and understood as part of the whole.
Adding the Ingredients
Most of the aggregation failures I have seen have been at the silo level. Invariably they have been cause by too much uncategorized granular data. We need to see the forests. Silos give us the trees. What data to link, and how much of it to gather is a stopic on its own. I’ll share my thoughts on the ingredients in a separate blog. But as with any recipe, you’ll need to be selective in the number and quantity of ingredients and you must adjust the flavor for the audience. Its an art in itelf.
In the words of Russell Ackoff
“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.“