Breaking Down Silos – Using Common Criteria to Assess and Prioritize Risks

Avalution Team Avalution Team | May 09, 2017

Breaking Down SilosAn isolated approach to business continuity (and risk management in general) is holding many organizations back.

Business Continuity is one of many disciplines that helps organizations to become more resilient – that is, to increase an organization’s capacity to adapt to evolving circumstances and survive (or even thrive) during periods of disruption or change.  Other related disciplines – such as Information Security, IT Disaster Recovery, Emergency Management, Enterprise Risk Management, and Physical Security –ultimately have the same strategic purpose.  The goals and objectives of the individual disciplines may be more focused, but if we, as practitioners of these disciplines, force ourselves to look outside the artificial walls we sometimes build around our responsibilities, we should find that we are striving for something bigger than we can deliver on our own.

In reality, individual disciplines own a specific risk (or set of risks) and have responsibility for mitigating those risks to an acceptable level.  However, together, we have the responsibility to ensure our organizations survive, regardless of circumstances.

If we take this statement as truth and acknowledge that we have a collective responsibility as risk-based practitioners to the organizations we support, there is a natural question that follows: How do organizations break down traditional barriers to collaborate more effectively across risk-based disciplines?  This perspective focuses on eliminating one of the main factors that creates and enables these barriers – addressing risks in a silo.

At many organizations, there are a number of risk assessments (or threat assessments, or vulnerability assessments, etc.) underway at any given time.  It’s true that an Information Security-focused risk assessment has a unique purpose when compared to a Business Continuity or Physical Security risk assessment (although there are opportunities to collaborate here as well, I’ll cover that topic another day), but the actual outcomes from each risk assessment are not all that unique.  This is because the basic output of any risk assessment is an understanding of how vulnerabilities, if realized, would impact an organization’s ability to operate effectively.  A good risk assessment, of course, also takes into account the likelihood of a vulnerability being realized.

Unfortunately, post risk assessment is the point where many organizations struggle to capitalize on the wealth on information available from each discipline.  Because of organizational barriers or other factors, practitioners tend to prioritize and address risks independently, relying on their respective sponsors or governance committees to make decisions on risk acceptance, mitigation, and prioritization.  In addition to potentially duplicating efforts (sometimes different disciplines identify nearly identical risks), this approach prevents organizations from getting a complete view of the risks they face.

A much more effective approach that facilitates the kind of collaboration needed to advance an organization’s resiliency goals is eliminating dispersed committees and establishing an organization-wide process for analyzing and prioritizing risks that align to the organization’s strategic priorities.  This approach also ensures that risks from certain disciplines are not deprioritized simply because of organizational constraints or other factors such as budget constraints in a certain area.  Eliminating these barriers helps ensure that all risks are evaluated consistently and helps avoid missing serious vulnerabilities.

Organizations that understand the criticality of viewing all risks (not just a sub-set of them in a silo) are looking to new roles, like the Chief Risk Officer, to better integrate risk-based disciplines under a common risk framework to help ensure that practitioners are using common principles and important risks are not overlooked due to organizational barriers.

At Avalution, we recognize the value in bringing these disciplines together and realize that this trend is going to become standard.  As this article argues, one of the key activities where we see the potential for much better collaboration is in the risk assessment process because there is immense value to be gained by ensuring risks are prioritized by the right people, using the right criteria.  In addition, collaborating effectively reduces the burden on the business (especially in terms of the time required to participate in risk assessments), which also helps generate buy-in and make risk management efforts more effective.

If your organization is struggling to break down these silos, connect with us to explore possible solutions.


Dustin Mackie
Avalution Consulting: Business Continuity Consulting