Break Down Silos for Visibility Into Enterprise Risk
Risk management in many organizations is hampered by disparate teams that don’t collaborate or share technology.
Companies today must manage an increasingly complex array of risks, including cybersecurity threats, the impact of geopolitical tensions and major weather events on supply chains, and economic volatility — among others. Many businesses are challenged to marshal sufficient resources, personnel, and advanced technology to fully understand potential threats. But few recognize that their efforts are also hindered by the silos within their risk management functions that leave their teams with visibility into only select pieces of the overall threat matrix.
Lack of collaboration among risk management teams is pervasive across industries. More than 86% of audit and risk professionals believe that data silos affect their team’s ability to manage risk effectively, according to new data from AuditBoard. When teams and data are disconnected, efforts are duplicated and gaps in risk coverage open up. There is limited communication between governance, risk, and compliance teams, even though they share a common mission of safeguarding the future of the business. What is needed instead is a holistic, connected risk approach in which collaboration and data sharing are ingrained in the culture, and disparate teams work together to solve problems and meet the shared goal of mitigating risk.
How Risk Management Efforts Become Fragmented
Good risk management isn’t a monolithic function. The Institute of Internal Auditors advises companies to have three lines of defense. Operational management oversees risk mitigation involving business processes; risk and compliance functions set policies and monitor risk controls used by operational management; and internal audit monitors the effectiveness of the first two lines of defense by systematically evaluating and verifying that risks are adequately managed in a way that is aligned with the company’s objectives.
Silos arise in part because, historically, risk and assurance professionals have preferred to operate independently. To some degree, this is because they value ownership and recognition of their individual outputs, but they also want to maintain independence and objectivity. And like many other professionals, those working in risk and assurance often cling to outdated practices because they are more comfortable with familiar ways of doing things. Within the audit profession, this reluctance to change is particularly strong.
Overreliance on highly specialized technologies further isolates the silos across the audit, compliance, and risk management teams. As teams’ scopes and mandates have expanded over the years, many have adopted customized technology solutions that are useful only to specific teams and tasks. This limits cross-functional collaboration, data sharing, and integration with other tools. The outcome is a fragmented technology ecosystem from which it is difficult to assemble a comprehensive view of the risks an organization faces.
The culture of siloed risk management is long established and won’t change overnight. Creating an environment in which the key players can work together while acknowledging their unique, specialized skills and experience requires support from company leadership. As a longtime internal auditor, I understand that the concept of collaboration can create anxiety. That sense of unease is why it’s important to help stakeholders understand why the change is needed and how they can play an important role in it. Here are three recommendations to get started.
1. Map risk assurance across the organization. Businesses can’t adequately manage risks across the organization if they aren’t aware of them. A best practice is to create an assurance map, which documents assurance teams and their efforts, maps those efforts to key risks, and rates the level of risk coverage provided by each team. This consolidated view of the company’s full risk management portfolio gives both leadership and each of the assurance teams a big-picture perspective. It provides them with clarity about accountability that facilitates collaboration and helps them identify data silos.
Typically, a risk management or audit leader will initiate the assurance-mapping process. For example, an executive responsible for audit might start by creating an inventory of key risks to the business and then map the activities that are in the company’s audit plan to the key risks to set a baseline for risk coverage that other teams can follow. Once the map is complete, the audit team can review the assurance work done by all of the assurance teams and validate the adequacy of the work.
Darden Restaurants, which operates more than 2,000 restaurants in North America, has adopted a structured risk and control matrix to make sure its assurance teams are all speaking the same risk language. Internal audit vice president Scott St. John has indicated that the map is just a starting point to get to greater cross-functional activity. For instance, internal auditors sometimes are present for compliance teams’ periodic business reviews, risk committee discussions, and the information security team’s incident response tabletop exercises. This gives internal auditors better insight into risks associated with business initiatives and enables discussions around opportunities for additional controls.
Assurance mapping is a best practice for improving risk management, but many companies aren’t doing it. Nearly half (47%) of businesses lack a formalized way to document the activities related to key risks, according to a June 2024 flash poll of 1,573 internal audit professionals that AuditBoard conducted. Lack of visibility into assurance activities can lead to gaps in risk coverage and duplication of efforts, which weaken risk mitigation efforts and waste resources, respectively. There are a number of resources that can help companies adopt an assurance-mapping approach that will suit their needs, such as guidance from the Institute of Internal Auditors.
2. Nurture functional synergies. Bringing different teams together for cross-functional collaboration whenever possible is another approach that can help break down silos. Where there’s existing crossover between teams, identify and nurture additional opportunities. Here are a few examples of the kinds of crossover activities that can break down data and cultural barriers:
- Information security and compliance can share a library of security controls, control assessments, and test results to drive efficiency; prioritize actions based on shared assets; and conduct risk assessments and quantify risk based on historical incident data.
- Compliance and risk management can exchange information on issues or risks they are monitoring to enable a more risk-aware culture and improve visibility, better understand issue impact, and provide unified, inventory-level visibility for stakeholders.
- Risk management and internal audit can link audit plans and risk assessments; share risk registers, which are resources used to identify, analyze, and mitigate risks; and partner on monitoring strategic risks. With this shared understanding and insight, they can align on board and management communications and reporting, and cross-leverage staff and overall expertise.
At Carrier, a multinational provider of heating and air-conditioning, transportation refrigeration, and other products and services, top executives and the board pushed for the company to adopt a connected risk management approach to ensure that the greatest risks are being managed appropriately and consistently across the organization. Jake Birmingham, vice president of audit, works closely with the security operations center (SOC) and the enterprise risk management (ERM) functions. He maps his audit and risk plans to the ERM risk structure, and the two functions align on the top 10 compliance and top 10 business risks. Every year, he updates the audit committee and the CFO on how well the audit, ERM, and SOC groups are aligned on identifying the top risks and communicating with one another. Recently, his company moved to a new SOC platform and now has one platform for SOC, ERM, operational audits, and fraud risk assessment, with all of the relevant data accessible in one place through dashboards for analytics and other purposes.
Another company following connected risk best practices for improved risk mitigation is HubSpot, a provider of customer relationship management software. HubSpot has found that risk teams can spend more time surfacing risks, increasing front-line ownership of them, and improving team efficiency by unifying risk terminology, sharing workflows, and combining reporting. Miryam Ormond, head of internal audit, sees getting teams to align on key risk indicators as a good starting point for a connected risk strategy. This ensures that the organization can effectively measure and manage risks and provide a clear picture of the risk landscape and the effectiveness of risk control measures.
3. Replace siloed legacy technology. Technology can be an enabler or an impediment. As described above, overreliance on outdated, highly specialized technologies is creating roadblocks to the communication and collaboration necessary for connected risk activities. Just 39% of internal audit teams are sharing technologies with other governance, risk, and compliance teams, a separate AuditBoard study found.
At MDA Space, an international aerospace company, information used to be shared manually across assurance groups via spreadsheets, emails, and shared folders, according to Scott Page, director of internal audit. Moving to a cloud-based connected risk platform enabled sharing of risk and control data across the company. The audit team is working more efficiently and is able to collect information once and reuse it repeatedly, as well as gain deeper insight into risks facing the business.
Updated technology that enables a connected risk approach must have three elements:
- A connected ecosystem that links the content and activities of audit, risk, compliance, and information security programs, including data, analytics, controls, frameworks, and workflows.
- A unified data core that serves as a single source of truth for the risks, controls, issues, policies, and other risk-related information, upon which teams can build and govern a single risk language. This is foundational for taking full advantage of AI-powered analytics and insights.
- Core task automation and AI integration, which will help minimize the administrative burden for risk teams faced with performing repetitive tasks that take up a lot of staff time. Automated solutions should easily integrate with day-to-day workflows, such as collecting and reusing data and evidence, testing, writing risk statements, generating reports, and monitoring risk.
Inadequate risk management can lead to existential threats for companies. Making the changes suggested above can improve the practice, give leaders greater visibility into areas of potential vulnerability, and help leaders better prepare to move decisively when risks materialize into impactful events.