  • Rory Roberts

How does your company categorise Risk?

What is a risk taxonomy

A Risk Taxonomy is the (typically hierarchical) categorization of risk types. A common approach is to adopt a tree structure, whereby risks higher in the hierarchy are decomposed into more specific (granular) manifestations.

Constructing a risk taxonomy follows the practice and science of general taxonomies, classifying things or concepts, including the principles that underlie such classifications. The outcome is a classification scheme, a formal list of concepts (Risk Types), denoted by controlled words (labels), generally arranged in tree form, from abstract to specific. The concepts are related by subtype-supertype relations.

A risk taxonomy is always defined from the viewpoint of a concrete agent (e.g. one representing the management of an organization) that aims to manage risks (the effect of uncertainty on the organizational objectives). Other stakeholders of an organization will have related but not necessarily identical classifications of organizational risks (defined in relation to their own objectives). The organizational structure and the objectives of the agent engaging in risk management determine the scope and content of the taxonomy.

While various attributes may characterise a good (useful) risk taxonomy as outlined below, there is no unique taxonomy for a given domain, as the aspects chosen to classify risks can be drawn from a very large set.


Risk taxonomy is a framework used to categorize and classify risks according to specific characteristics. A risk taxonomy for a risk identification process in a bank might include the following categories:


Financial risks: These include risks related to the bank's financial performance, such as credit risk, market risk, and liquidity risk.

1. Credit risk: This is the risk that a borrower will default on a loan or other debt obligation.

2. Market risk: This is the risk that the value of a financial asset or portfolio will decline due to changes in market conditions, such as interest rates or exchange rates.

3. Liquidity risk: This is the risk that a bank or financial institution will not have sufficient liquidity to meet its financial obligations.

4. Interest rate risk: This is the risk that changes in interest rates will affect the value of a financial asset or portfolio.

5. Foreign exchange risk: This is the risk that changes in exchange rates will affect the value of a financial asset or portfolio.

6. Inflation risk: This is the risk that the purchasing power of a financial asset or portfolio will decline due to inflation.

7. Volatility risk: This is the risk that the value of a financial asset or portfolio will fluctuate significantly over time.

8. Liquidation risk: This is the risk that a financial asset or portfolio will be difficult to sell or dispose of at a reasonable price.

9. Event risk: This is the risk that an unexpected event, such as a natural disaster or a terrorist attack, will affect the value of a financial asset or portfolio.

10. Concentration risk: This is the risk that a financial asset or portfolio is overly concentrated in a particular sector, industry, or region, making it more vulnerable to market fluctuations.


Operational risks: These include risks related to the bank's internal processes and systems, such as IT failures, human error, and fraud.


Strategic risks: These include risks related to the bank's business strategy, such as the risk of entering into new markets or the risk of technological disruption.


Reputation risks: These include risks related to the bank's reputation, such as the risk of negative media coverage or the risk of losing customers due to poor service.


Compliance risks: These include risks related to the bank's compliance with laws, regulations, and ethical standards, such as the risk of non-compliance with anti-money laundering laws.


Legal risks: These include risks related to legal disputes, such as the risk of being sued for breach of contract or for discrimination.


Environmental and social risks: These include risks related to the bank's impact on the environment and society, such as the risk of contributing to climate change or the risk of contributing to social inequality.


Political risks: These include risks related to political events or changes, such as the risk of changes in government policies or the risk of instability in a country where the bank operates.


Human resources risks: These include risks related to the bank's human resources, such as the risk of losing key employees or the risk of hiring employees who do not have the necessary skills or qualifications.


Physical risks: These include risks related to physical assets, such as the risk of natural disasters or the risk of theft.


Fraud risks: These include risks related to fraudulent activity, such as the risk of identity theft or the risk of insider trading.


Cybersecurity risks: These include risks related to cyber attacks and data breaches, such as the risk of unauthorized access to the bank's systems or the risk of data theft.


Supply chain risks: These include risks related to the bank's supply chain, such as the risk of supplier failure or the risk of disruptions in the supply of goods or services.




Systemic risks: These include risks that affect the entire financial system or economy, such as the risk of a global recession or the risk of a financial crisis.

Structure

- The root node of the taxonomy denotes the aggregation of all types of relevant (in-scope) risks to the organization

- The child nodes (leaves of the tree) are more specific manifestations of Risk Type. Child nodes can be thought of as the range of values of a Categorical Variable

- There is a flexible number of taxonomy levels, which need not be the same across the taxonomy

- The arrangement of nodes at any given level is not pre-ordained and can be a tree or a matrix



Requirements

- Comprehensive Coverage: At any level of the hierarchy

  - the totality of risk types aggregate to the super-type and

  - any risk within the super-type belongs to one of the subtypes

- Granularity: The taxonomy has sufficient granularity to distinguish risk types that have their own unique attributes

- Definitional Clarity: To prevent overlap, at any level of the hierarchy, a risk belongs to one and only one risk type

- Stability over Time: Risks can be assigned to appropriate risk types in a consistent way over longer time horizons


Usage

A risk taxonomy enters into Risk Management activity as a tool to help with a variety of tasks:

- Establish the degree of completeness in the coverage of risks (informing the organizational Risk Framework)

- Help risk managers with Risk Identification by providing an analytic framework

- Support lower level implementations such as Internal Controls or Risk Tools used in Quantitative Risk Management

- Enable more effective Risk Aggregation

- Identify potential linkages between the risk factors behind different risk type categories


Risk Taxonomies in Financial Services

There is no over-arching risk taxonomy that applies consistently to the entire financial services industry (let alone to the risk management of non-financial businesses). A high-level segmentation into the following categories has been common practice for several decades [1]:

- Legal and Regulatory Risk

- Human Factor Risk


Why does your company need a risk taxonomy

A risk taxonomy is a means of categorising your company’s risks. It must not be confused with the actual risks themselves, although sometimes the distinction may not be so clear. A taxonomy can be used to check the comprehensiveness of your risk identification. Your company’s taxonomy may have unique aspects depending on the risk exposures of your company.

A risk taxonomy can be thought of as a bookshelf into which you categorise and store your risks; this allows you to systematically update the risks periodically.

Reasons to Have a Company Taxonomy

1. It helps your company identify the areas of risk exposure within the company. These should be constant, so they will only need to be updated annually, with less work required to review and update than to build from scratch.

2. It helps to organise risks. The primary mode should be the organisation of the risk categories themselves; however, if it is useful within your company, an org structure can be underlaid on the taxonomy so that the risk register can be split up amongst key stakeholders in your organisation for them to update.

3. If a new risk materialises that was not captured by the taxonomy, the taxonomy can be updated. The taxonomy can also act as a way to focus risk identification on the area of most exposure. Senior management may want to emphasise particular parts of the taxonomy where they are most concerned about risks arising.

4. Your taxonomy binds your risk register together and allows users to find risks within the organisation and see how they are mitigated.

What is a risk register

The Risk Register can be considered to be the library of risks. The most important characteristics of the Risk Register are the following:

1. A Risk Register has a written description of each risk that is catalogued. The written description must contain the following:

a. The source of the risk.

b. The trigger for the risk should be stated.

c. The likelihood of the risk should be stated.

d. The potential impact of the risk in its worst manifestation should be estimated.


What is a Material risk register

The list of material risks is a subset of the overall Risk Register. The material risks are defined as those that have the most severity, meaning the impact and likelihood arising from these risks pass a minimum threshold set by your company. These are the risks that will be brought to the attention of senior management in order to be mitigated, and they will be monitored closely for changes to their risk profile. They are the risks that will be transformed from inherent risks to residual risks.
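The taxonomy requirements and the register rules described above can be checked mechanically. The following is an added Python example, not part of the original post: it validates a register against a taxonomy and extracts the material subset. The sample taxonomy and register are constructed, and the low/medium/high scale and the likelihood x impact score are assumptions, since the page only says the threshold is set by your company.

```python
# Constructed sample data; category labels come from the page, everything else is assumed.
TAXONOMY = {  # super-type -> subtypes
    "All risks": ["Financial", "Operational", "Cybersecurity"],
    "Financial": ["Credit", "Market", "Liquidity"],
    "Market": ["Interest rate", "Foreign exchange"],
}
REQUIRED = ("source", "trigger", "likelihood", "impact")  # register fields a-d
SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal scale

def parent_of(taxonomy):
    """Map each subtype to its single super-type (Definitional Clarity)."""
    parents = {}
    for parent, children in taxonomy.items():
        for child in children:
            if child in parents:
                raise ValueError(f"{child!r} sits under {parents[child]!r} and {parent!r}")
            parents[child] = parent
    return parents

def review(register, taxonomy):
    """Return (risk id, finding) pairs for register entries that break the rules."""
    parents = parent_of(taxonomy)
    findings = []
    for rid, risk in register.items():
        if risk.get("type") not in parents:
            findings.append((rid, "type not in taxonomy: update taxonomy or reclassify"))
        elif risk["type"] in taxonomy:  # Comprehensive Coverage: must land in a subtype
            findings.append((rid, "assigned to a super-type, not a leaf"))
        missing = [f for f in REQUIRED if not risk.get(f)]
        if missing:
            findings.append((rid, "missing " + ", ".join(missing)))
    return findings

def material(register, threshold):
    """Ids whose likelihood x impact score meets the company-set threshold."""
    return sorted(rid for rid, r in register.items()
                  if SCALE.get(r.get("likelihood"), 0) * SCALE.get(r.get("impact"), 0) >= threshold)

REGISTER = {  # constructed entries
    "R1": {"type": "Credit", "source": "retail lending", "trigger": "borrower default",
           "likelihood": "medium", "impact": "high"},
    "R2": {"type": "Cybersecurity", "source": "external attacker", "trigger": "phishing",
           "likelihood": "high", "impact": "high"},
    "R3": {"type": "Market", "source": "rates desk", "trigger": "rate shock",
           "likelihood": "low", "impact": "medium"},
    "R4": {"type": "Climate", "source": "flooding", "trigger": "",
           "likelihood": "low", "impact": "low"},
}
```

With these constructed entries, `review(REGISTER, TAXONOMY)` flags R3 and R4, and `material(REGISTER, 6)` returns R1 and R2.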


Building out your company’s risk taxonomy

1. Type of risk: The type of risk, such as strategic, operational, compliance, financial, or reputational risk.

2. Source of risk: The source of the risk, such as internal processes, external events, or human error.

3. Business area: The business area or function where the risk occurs, such as lending, trading, or operations.

4. Product or service: The specific product or service that is associated with the risk, such as a specific loan product or investment portfolio.

5. Geography: The geographical location where the risk occurs, such as a specific country or region.

6. Legal entity: The legal entity or subsidiary that is associated with the risk.

7. Risk owner: The individual or team responsible for identifying and managing the risk.

8. Risk status: The current status of the risk, such as active, mitigated, or closed.

9. Risk likelihood: The likelihood of the risk occurring, such as high, medium, or low.

10. Risk impact: The potential impact of the risk on the organization, such as high, medium, or low.

11. Risk priority: The priority of the risk based on its likelihood and impact, such as high, medium, or low.

12. Risk response: The current response to the risk, such as acceptance, avoidance, mitigation, or transfer.

13. Risk trigger: The event or condition that may trigger the risk.

14. Risk consequence: The potential consequences of the risk occurring.

15. Risk key performance indicator (KPI): The KPI that is used to measure the risk and track its performance.
