Elgin Chetsanga
The role of a risk taxonomy
Creating and implementing a risk taxonomy for your organisation is an important step towards adequately managing all the key risks your organisation faces.
Risk taxonomies attempt to break down the large and complex risk universe into simple categories. These categories then feed into various risk tools and processes. So important are risk taxonomies that they are often used to determine committee structures and even organisational structures.
What is a risk taxonomy?
The origins of risk taxonomies are borrowed from the field of science. In biology, for example, plants and animals are classified into groups, and risk taxonomies apply essentially the same concept to risks.
According to the Association for Financial Professionals, a risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organisation.
By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organisation’s objectives. A risk taxonomy thus provides a common set of risk categories that allow easier aggregation and reporting of risks across your organisation.
Importance of risk taxonomy
A risk taxonomy forms the foundation for key risk management pillars such as risk strategy, risk appetite, risk policies and procedures. When effectively used, the risk taxonomy can support a wide range of risk measurement and management processes, including risk reporting, event management, scenario analysis, risk control self-assessments (RCSAs), and key risk indicators (KRIs).
Risk taxonomies are also important because they provide consistency and clarity by putting in place a shared language and consistent structure for identifying and classifying risks throughout an organisation.
This helps to avoid scenarios in which there is disagreement, especially across departments, on what a specific risk entails.
Additionally, risk taxonomies are important because they provide a comprehensive coverage of all the risks faced by the organisation. This helps reduce blind spots and allows stakeholders to have an enterprise view of risks within the organisation.
Putting in place risk taxonomies also helps in risk prioritisation. Resources are channelled towards the risk categories which display the highest concern. Furthermore, risk taxonomies are critical in supporting regulatory compliance.
Industries such as financial services require players to conduct continuous risk identification, analysis and reporting, and having a taxonomy helps in meeting these requirements. Risk taxonomies are also important in building risk culture and enhancing decision making.
Developing a risk taxonomy
There are many approaches to creating a risk taxonomy, each involving several steps. I will highlight one approach. When putting a taxonomy in place, it is important to start by understanding the business context.
It is vital to understand the business context, objectives, and strategies because this often shows the types of risks that are most relevant to the organisation and its objectives.
Secondly, it is important to identify the actual risks by listing the existing and potential threats that the organisation may face. This stage ought to be as comprehensive as possible to ensure that risk coverage is high.
After the heavy lifting of identifying the risks that the organisation faces, the next task is to sort the identified risks into categories.
An organisation has the choice to either use standard risk categories such as strategic, operational and compliance, or create its own based on its specific risk landscape. In most cases, risk types are standard across industries, and this makes the work of classification much easier.
Depending on the depth and granularity desired, categories can be further broken down into subcategories for more detail. For example, under the category of operational risk, you might have subcategories such as people risk, legal risk, fraud risk, etc.
An important part of developing your taxonomy will also be ensuring that all the risks identified are defined clearly.
Giving a common definition for each risk helps stakeholders to understand the nature and implications of that particular risk. Once the taxonomy is in place, it should be communicated and integrated into the organisation's risk management systems and processes.
Lastly, the taxonomy should be reviewed and updated on a continuous basis, taking into account any changes to the risk universe, changes to business strategies, regulatory changes and other environmental factors.
Common types of risk categories
There are some common risk types which appear in most risk taxonomies. These often include strategic risk, financial risk, compliance risk, reputational risk and environmental risk. We take a closer look at strategic risks, which are risks that affect the company's strategic goals and objectives.
They can include things like competitive pressure, market trends, mergers and acquisitions, etc. The subcategories for this risk often include country risk, business performance risk, capital risk and other strategic type risks.
As a subcategory, country risk is defined as the risk of loss when the company is impacted by changes in the business environment in a country in which it operates, or where its capital in a subsidiary is negatively impacted by changes in the business environment in the country where the subsidiary operates.
Business performance risk is defined as the risk that the firm is exposed to income volatility because of changes in the economic environment or deficient implementation of business decisions. Capital risk is defined as the risk that the firm has an insufficient level or composition of capital to support its normal business activities and to meet its regulatory capital requirements under normal operating environments or stressed conditions.
Other risk categories include financial risk, which covers risks related to the financial aspects of a business, such as liquidity, credit, market and interest rate risks. Compliance/legal risk is another common risk category.
Compliance/legal risks deal with threats related to compliance with laws and regulations. Lastly, there are environmental risks, which are becoming very topical. This category could include risks related to the impact of the company's activities on the environment.
In summary
Developing a risk taxonomy should not be seen as the end goal, but rather as an important means to an end. The goal of any risk management function should be to adequately manage all the key risks your organisation faces, and in today's ever-evolving environment this includes managing emerging risks.
Therefore, your risk taxonomy should not be static and should be regularly reviewed to reflect changing dynamics in the organisation’s internal and external environment whilst not losing sight of the risks of today.
Elgin Chetsanga is a head of risk at a local financial institution. He writes in his personal capacity. Elgin can be reached on [email protected]