What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto


Sunday, April 29, 2012

Breaking down the silo

I often hear from risk analysts that we need to break down the risk silo and stop measuring risk in unique disciplines but such a statement without thinking begs the question: If the silo is so evil, why did we invent the structure in the first place?

In this quick posting we look at risk silos, why they exist, the problems with them and how to make them work.

What is a risk silo?
In many large institutions, especially so in banks it seems; risk is measured in silos.

That is, there are specific departments which are responsible for capturing potential exposure of only one type. This is achieved by creating homogeneous definitions of scope and setting up management boundaries by tightening policy about what each silo is supposed to manage. 

Businesses seem to go through this definition phase at some stage in their risk framework evolution so that a single risk team can understand what it is supposed to do. More importantly, this team can be held accountable for the control of a specific hazard, they can be monitored, tracked, reported on and audited. This all seems logical doesn't it?

This delineation or categorization of management responsibility in general, is a natural development of any large institution and without it a business would become a jumbled mess of activities without any accountability.

So given all of this, we can expect to see many specialised departments in a bank that only cover a unique risk function such as compliance or audit or performance management and so on.

One point worth noting is that small banks don't start out this way but they certainly end up looking like this as they grow.

In the risk function alone, there are usually sub departments such as compliance, audit, credit origination, credit portfolio analytics, treasury, funding, regulatory reporting, oh gosh, in fact; the list of risk departments can be quite numerous moving towards the hundreds!  
Not so long ago I remember chatting with a senior risk officer in a financial institution who said to me: "This bank has designated more than 28% of all employees to be funded out of the risk budget. To put some weight on that statement, 28% of staff for this organisation equates to about 13,000 people under the dear guidance of risk. 
That is 13,000 people out of a total pool of 45,000 employees.
In another organisation I came across a department listed under the title "Risk Simplification". Scary isn't this and that sounds like room 101 for risk people but on questioning the manager about this specific unit of risk, he said to me: "This bank has become too 'risk complex' so we have decided to open up another risk department to simplify risk management."
 
Figure 1 | Risk Silos in a bank, purple areas have dual ownership (click to enlarge)
  
The regulators don't help the situation either.

The Basel II document for global banking regulation is separated into unique chapters and even volumes that specifically address on only one area of risk at a time. The importance of integrating output from different risk units is often missed entirely by Chief Risk Officers and is one of the causes for the failure of risk management in banks. This is partly because many regulations only connect the integration layer for their guidance in an addendum to the core publication. We know from the Basel II document; pillar I, pillar II, pillar III kind of mentality has created a lot of downsides and silo's is potentially one of them.

Whether we like this or not, the silo construct is probably here to stay. 

The reason for this is that unique areas of control have exclusive comprehension, philosophy and vision. Credit risk for example has little to do with employee diversity; the measurement processes, terms of engagement and controls between these risk activities differ wildly and cannot be merged. If you run a credit risk department and worried about resource management, you would probably not have the time to chase accounts receivables. 

So what do we do to shut down the risk silo?

The problems with a risk silo
Before we attempt to fix the risk silo, let's take a look at two of the key failures that are born from its existence. There are more problems I am sure, but let's just describe two of them.

[1] Most obviously, when you try to fit a lot of different things into a single sized box, you will find that some objects stick out the sides of the box. The same goes with risk. There are generalized problems which don't belong to one department or another and consequently aren't managed properly by either. Wrong way risk for example has been overlooked by many banks because it was deemed a market risk problem but actually was best managed by the credit risk unit.

[2] Then there are risks which are caused by one functional area but are managed by another and these two teams fail to communicate. From measurement we know that there is a correlation between credit default on one hand and fraud in operational risk on the other.

Why is that?

Well in short, the same type of controls are used by both the credit and operational risk groups. 

Who in the end pays for this control, you know budgets are tightly contested between departments in most cases. Worse, such dual ownership of controls may result in finger pointing arguments when risks are actually born, especially if a loss occurs.

Efficiency, data sharing, cost reduction and many other motives also exist for breaking down the silo. Yet, if we break down the silo, we end up with that jumbled mess of risk activities with no ownership we described above and more worryingly, we lose the acumen and tacit knowledge each risk discipline has built up for a coherent operation.

What can we do? 

Fixing the silo dilemma
In reality, we don't break down the silos. What we need to do is converge the risk functions in a similar manner to our "risk simplification" operation we quoted earlier. Yes, it looks like one way to resolve the silo is to create another risk unit, a risk unit such as the Risk Aggregation Team or the RAT if you like.

Does this sound like I have lost my mind? Well, let's turn this into a schematic to make it more workable.

Figure 2 | The Evolution of Risk Management and the silo (Click to enlarge)

Most risk functions in firms have a modus operandi trapped in the level 1 or level 2 zone. Both have their problems as we know and sadly we believe we can fix these issues by specialisation from a level 1 to a level 2 setting. However when we do this, we open up the door for hidden risk factors to appear which go undetected.

There are arguments that we should kill the silo then and move back to a level 1 kind of operation but then such tinkering seems to miss the point why we tried to evolve into a silo in the first place.

It is definitely insanity to switch back and forth between level 1 or level 2 but we can see this L1 / L2 madness when we ask people what went wrong at a human level in banks that failed during the credit crisis?

Comments such as the following are not uncommon:
Banks risk models were too complex, banks risk systems lacked oversight, banks risk systems were too simple and missed the finer indicators of threat, banks risks systems had skewed payouts for reward and risk taking, banks risk units confused shareholders with incorrect information ...  
These are just some of the comments I have heard from different people on this subject. So in effect, we are too complex but not complex enough. How do we fix a disorder where the medicine is as bad as the illness?

In short, we need to move to a level 3 or a level 4 kind of operation. Risk management needs to evolve further, not regress back and we need to converge the silos but I don't know of many institutions or Chief Risk Officers who have been successful at doing this.

6 comments:

  1. Martin,

    So if I hear you correctly, you suggest that to break down a risk silo we need to launch another risk team?

    ReplyDelete
    Replies
    1. Yes that is correct.

      A team that specialises in nothing more than integrating the efforts of the other numerous risk functions throughout the organisation.

      The main downside with this approach is that removing the risk silos by adding another unit is going to increase the total cost of risk management for the organisation. Most people on the other hand believe that removing risk silos reduces the cost but then that is level 1 kind of thinking.

      Now some people would also say but surely the group risk function should be doing this integration / convergence kind work anyway.

      If you are of that belief, as am I, then we should ask ourselves where in the group risk function does convergence occur?

      There are too many organisations which don’t consolidate the output of their various risk teams and that requires going down the organisation but from the bottom up.

      Delete
  2. Martin, it seems trying to isolate risk in this manner ignores the important point you made: some things stick outside the box. In the study of organizational risk, it occurs to me that risk is most likely to turn into incident at the "weak links," those times when responsibility or process passes from one department to another (or from one subsidiary, sub-contractor, or person to another). So if this is true, then the isolated risk silo will not be effective in organization-wide risk management, true? Consider for example the big issue of supply chain risk management -- how can we silo that? It also occurs to me that by adding another unit only increases the outlets for risk to manifest. -- Michael

    ReplyDelete
    Replies
    1. Michael,

      Thanks for your comment and I really like your website on options by the way. I will have to ponder through the various pages in more detail and also steer some of my customers to your book as I believe they will appreciate it as well.

      Staying with this post and your comment directly, well yes you are right: "How can we silo risk control in a supply chain management system, not so easy". Why would we silo such a thing begs a different question; management apprehension or insecurity sold as oversight.

      I am actually not for the risk management silo however I see so many organisations that end up managing risk in a silo. As we both can see "things stick outside the box" under such constructs.

      These blogs are written pretty quickly and play with ideas. The abstraction I am molding here is fixing the silo by creating cohesion among the silos. This is apposed to trying to destroy the silos as a solution to the problem. A risk unit with the charter of finding those areas of an organisation which fall outside the box and then creating solutions for them is the real crux of the argument I am presenting.

      Will adding another department fix the problem, properly not when the academic concept is applied from the pure sense to a real life situation.

      The credit crisis in my opinion was an event waiting to happen, the markets were pricing it so and for a long time. The contagion which took out banks however, was an easy roll down because there were so many holes within these financial institutions enterprise risk systems ~ Credit downgrades, translated to asset cutting, haircut increases and position exits, which then resulted into funding problems that fed back into the loop.

      No single department seemed to have a complete oversight of all of this and thus much of the outcome could be blamed on silo mentality.

      This is the problem I am trying to resolve.

      Delete
  3. This is an interesting blog and this post is too. I agree with you that silos cause a lot of problems and I like your idea of opening up a "convergence function" as you put it. This should solve many of the issues you list but I don't think businesses are going to go for it because it is expensive.

    Here is a suggestion. Why don't you set up a committee which has a representative from each risk function on the committee and that committee resolves the risk silo problems. They can debate what needs to be done to ensure full risk coverage is achieved.

    That's my opinion.

    ReplyDelete
  4. This article is a very fine thing indeed - my congratulations

    Bruce Lee :
    Before I studied the art, a punch to me was just like a punch, a kick just like a kick. After I learned the art, a punch was no longer a punch, a kick no longer a kick. Now that I've understood the art, a punch is just like a punch, a kick just like a kick. The height of cultivation is really nothing special. It is merely simplicity;

    Now to me; Level 4 looks very much like Level 1, but with an improved understanding. It is only simple when it is understood.

    Tim James

    ReplyDelete