If your company uses an organizational chart it was most likely designed based on the factory model created by Fredrick Taylor who introduced "Scientific Management" in 1911. The foundation of his approach was the scientific method which has been very successful to help understand how things worked by understanding the individual parts.
Reductive approaches while instrumental in many fields of study is not without its limitations. The first and foremost is that it is not always possible to understand the function of the whole by knowing the function of each part.
This limitation can have significant consequences with how organizations handle risk as a whole or as a part.
Taylorism and Its Effects
Taylor used reductionism to organize how businesses are structured and remains to this day the primary method for designing organizations although this is changing (see article in The Atlantic https://www.theatlantic.com/magazine/archive/2019/07/future-of-work-expertise-navy/590647/).
One of Taylor's aims was to achieve maximum job fragmentation to minimize skill requirements and job learning time. The workers he would hire would not have many skills, if any, so this made sense. Taylor also introduced us to time and motion studies that would eventually lead to the assembly line refined later by Henry Ford. The reason why we have departments, silos and disparate processes is largely because of Taylor and the specialization of skills.
You could say that the focus of many business transformations over the years were attempt to address the side effects of Taylorism while maintaining its benefits. Manifestations of this included a growing movement towards generalization of skills through the sharing of knowledge, use of teams, and expansion of communication networks.
Addressing Risk
Taylorism is still predominate and its effects impacts how management is structured and in turn how companies contend with uncertainty and risk.
An important problem with a reductive approach is that risk consideration is done by looking only at the parts that make up a business and not the entire organization. Systemic risk is seldom considered.
This can be seen by the way risk registers are constructed often by starting at the bottom of an organization and aggregated upwards until they form a single heat map or risk score. Aggregating risk scores and using heat maps to provide a holistic view of risk has some value. However, these are remnants of a reductionist approach and are limited in identifying and contending with uncertainty that crosses departments, functions, and processes.
Trying to understand risk by assessing the risk of individual parts is very much like trying to understand the risks of driving to work by understanding the risks associated with the steering wheel, gaskets, hoses, engine block and other components. You can add them up, put them in a heat map, or prioritize them by a risk score, but they will never tell you what you need to know, "will I get to work on time?"
This bottom-up approach often leads to companies playing “whack a mole” hitting the gopher on the head when it pops ups without understanding why it does and preventing it in the first place. This is treating the symptom and not the disease which unfortunately is the way that many companies contend with risk. It is only when a significant event has occurred that correction or prevention is considered.
Although common this approach has limited utility when lives are lost, reputation is at stake, and future earnings are at risk. As we are becoming more aware of risks that have the largest impact are systemic in nature and no amount of mole whacking will be enough to keep its effects of uncertainty at bay.
Enterprise Risk Management
As a means to contend with the limits of a bottom up approach to risk many companies introduce Enterprise Risk Management (ERM) to help address the larger picture but end up with using an approach called "Holism."
This is better than reductionism but not the best approach to address systemic risk. Holism is the opposite of reductionism and suffers from the similar limitations. Instead of looking only at the parts it only looks at the top (or the boundaries) which tends to lead to ERM implementations that focus mostly on extrinsic or external risk; things which affect the organization as a whole such as: exchange rates, disruptive technologies, competitors, regulation and so on.
Risk consideration that focuses only at the bottom or the top of an organization creates the opportunity for systemic risk to manifest itself.
Operational Risk Management
To properly address systemic risk an "integrative" or systems approach is needed. An integrative approach looks to address risk throughout an organization.
This is the domain of Operational Risk Management (ORM) which when implemented effectively focuses on intrinsic risk that impact internal programs, systems, and processes and its effects on achieving outcomes. One way to look at this is that ORM focuses on risk streams (i.e. the propagation of the effects of uncertainty) instead of the risk of failure of individual parts.
Effective operational risk management requires knowledge of systems. This includes value streams but also the interactions between them and the value chain which provide the capabilities, capacities, and competencies to perform them.
ORM will utilize tools such as Hazard and Operability Analysis (HAZOP), Dependancy Structure Analysis, Value and Risk Stream Analysis, Value and Critical Chain Analysis, and others.