Companies today must manage an increasingly complex array of risks, including cybersecurity threats, the impact of geopolitical tensions and major weather events on supply chains, and economic volatility — among others. Many businesses are challenged to marshal sufficient resources, personnel, and advanced technology to fully understand potential threats. But few recognize that their efforts are also hindered by the silos within their risk management functions that leave their teams with visibility into only select pieces of the overall threat matrix.

Lack of collaboration among risk management teams is pervasive across industries. More than 86% of audit and risk professionals believe that data silos affect their team’s ability to manage risk effectively, according to new data from AuditBoard. When teams and data are disconnected, efforts are duplicated and gaps in risk coverage open up. There is limited communication between governance, risk, and compliance teams, even though they share a common mission of safeguarding the future of the business. What is needed instead is a holistic, connected risk approach in which collaboration and data sharing are ingrained in the culture, and disparate teams work together to solve problems and meet the shared goal of mitigating risk.

How Risk Management Efforts Become Fragmented

Good risk management isn’t a monolithic function. The Institute of Internal Auditors advises companies to have three lines of defense. Operational management oversees risk mitigation involving business processes; risk and compliance functions set policies and monitor risk controls used by operational management; and internal audit monitors the effectiveness of the first two lines of defense by systematically evaluating and verifying that risks are adequately managed in a way that is aligned with the company’s objectives.

Silos arise in part because, historically, risk and assurance professionals have preferred to operate independently. To some degree, this is because they value ownership and recognition of their individual outputs, but they also want to maintain independence and objectivity. And like many other professionals, those working in risk and assurance often cling to outdated practices because they are more comfortable with familiar ways of doing things.