Risks Hide in Organizational Silos

Organizational silos can be a challenge to effective risk oversight. For an example of this, look no further than the fake account-opening scandal that rocked Wells Fargo & Co. 

A 2017 independent report commissioned by the board of directors found that the megabank’s decentralized structure was a key contributing factor for “improper sales practices,” according to Wells Fargo. Each department had its own disparate risk oversight function, which paid too much deference to individual business units, ultimately hindering a corporate-level view into problems developing within the community banking unit.   

Wells Fargo may be a particularly outsized example of the problem, but it’s hardly the only bank to have issues with organizational silos, those barriers that naturally arise among business units or processes. Effective risk oversight means learning to overcome those barriers, which can impede effective communication among departments, create blind spots in risk management and hinder a broader overview of concentration risks the bank may have. 

“The board is arguably one of the only places that can theoretically see everything,” says Asaad Faquir, senior manager at Crowe LLP, in an interview. He also spoke on the subject Tuesday at Bank Director’s Bank Audit & Risk Conference in Chicago.

But the board may be challenged in seeing the bigger picture when it’s sifting through department level data and product level data. Management has a vested interest in giving the board a shortened version, not out of any ill intention but because it wants to be mindful of the board’s time. “There’s never that end point: here is how it fits together and makes us a functioning financial institution,” he says. 

The board’s view of risk can depend upon the framework the organization uses to manage risk. Some financial institutions have more silos than others; for example, in some, the chief credit officer may oversee credit risk, the chief compliance officer oversees compliance risk, and those officers may not have a great deal of transparency into other business units. Other organizations may have a chief risk officer who looks at risk across business units. 

An enterprise risk management framework can present a more holistic view of aggregate risk — and opportunities — across the organization, says Willie Maddox, chief risk officer at Atlantic Community Bancshares in Camp Hill, Pennsylvania, and chair of the subsidiary bank’s internal risk management committee. 

“It gives you an enhancement around institutional decision making. It creates a risk aware culture across the organization. It reduces operational surprises and losses. It also prepares the organization to act on acceptable opportunities,” says Maddox, who also serves as liaison to the board’s enterprise risk management and audit committees at the $896.3 million holding company for Atlantic Community Bankers Bank. 

Effective risk management oversight is just as much about capitalizing on opportunities to take appropriate risks as it is about minimizing risk. 

“Oftentimes, both people within a financial institution and board members feel that the only acceptable risk is no risk. That is just so far from the truth,” says Sue Harnett, a director at OFG Bancorp based in San Juan, Puerto Rico. 

Harnett, who has served on the board of the $11.2 billion company since 2019, undertook a certification program through the Directors and Chief Risk Officers Institute to round out her risk oversight skills, earning a qualified risk director designation. Bank Director also has a certification program specific for bank directors. 

“There’s compliance risk, environmental risk,” she says. There are “all types of different risks you have to look at and figure out how you can manage effectively. You can’t run a financial institution without taking calculated risks.” 

To overcome organizational silos, the board has to know how to identify them in the first place. Directors shouldn’t be afraid to challenge the data when something doesn’t feel wholly consistent, and “be curious and ask questions like a 5-year-old,” Faquir says. “The best way for the board to recognize that that is happening in the first place is to ask questions.”  

The board can actively listen to how the management team discusses risks and the strategies deployed to manage those risks, Maddox says. Directors should pay attention to inconsistent communication and messaging around risks and ask about those, she adds. 

Frequently, the board’s risk committee with have access to a dashboard that presents key risk indicators along with their status level and how closely they may need to be monitored. This can be a valuable tool, but it’s important that directors view it through a critical lens, Harnett says. 

“What has changed since the last time we saw it? Is there something in the environment that isn’t being considered?” she says. “One of the key roles of a board member is asking good questions.”

The board may also overcome the issues posed by organizational silos if it can cultivate an environment where executives and directors feel comfortable raising a dissenting voice, she adds. Bank Director’s Editor-at-Large Jack Milligan, one of the presenters for Bank Director’s Corporate Governance Workshop Monday, says it is vital that boards have independent directors who can provide credible challenge to management. 

Ultimately, it’s not the board’s job to tear out organizational silos, but to make sense of the information it receives and encourage that to be shared freely across the firm.  

Understand that to some degree, silos are inevitable and exist for a reason, Faquir says. Size and organizational complexity may contribute to silos, but the predisposition is usually already there. Silos might also come into being as a function of personality type, when an executive who controls a process or product rises through the ranks.

“There is no single root cause, truly,” he says. “At the end of the day, silos are people problems, but they’re not because of problem people.”