Developing an industry op risk taxonomy: phase one

  • 15 July 2019

We've just started the second phase of our work on developing an industry taxonomy. The second stage digs deeper into level 2 risks to develop an enhanced operational risk/non-financial risk (NFR) taxonomy.

Find out more about phase two of our developing an industry operational risk taxonomy project

Moving from ‘passive’ to ‘active’ operational risk management

“The discipline of operational risk management in financial services is at a crossroads. As the leading operational risk association for the sector, our role is to bring people together, identify these changes in ‘mood’, and act as a catalyst for collective change.” 

“At our Heads of Operational Risk Forum in New York, May 2018, it was clear to us that the industry leaders have been acting on one such foundational shift  taxonomies," says Nick Benson, Head of Change at ORX. "They have moved on significantly from just using the Basel event types.

“We surveyed 44 of the world’s largest financial services companies. The resulting report Developments in risk taxonomies details the findings of that research and our resulting new reference taxonomy for classifying risk.

 “While operational risk is already a significant part of the overall risk profile, it’s less clear to us that operational risk frameworks, including taxonomies, have evolved in a way that would enable the industry to adopt a more proactive management of risk.

“We believe that all financial services companies will need to evaluate their own frameworks. Tools and processes that are currently geared towards calculating regulatory capital will need to be fundamentally re-oriented, if they want to proactively manage risk.”

Here are the key conclusions of our member survey and analysis of the results.

Taxonomies are hard to change

Taxonomies support a wide range of risk measurement and management processes, including risk control self-assessments (RCSAs), reporting, event management, scenario analysis, and key risk indicators (KRIs). They are used across many tools and processes, are integrated with committee structures, and sometimes even organisational structures. All of this makes taxonomies difficult and costly to change and implement. The case for change has to be incredibly robust.

A common language is essential

A common, centralised language covering the wide range of operational risks is an essential first step. Without a common language, inconsistent and siloed information proliferates, and makes the job of risk management significantly more difficult. Creating a common language will enable meaningful conversations both within and across industries.

The industry knows it must improve

Existing language has served the operational risk discipline for more than 15 years. But a different type of risk taxonomy is now evident, driven by the need to be clear, current and complete.

  • Clear – the new taxonomy must be fully understood by a broad set of stakeholders.
  • Current – taxonomies must reflect the changing business environment and risk profile. This will prioritise attention on and be responsive to today’s material risks.
  • Complete – we must provide a centralised source of truth so that the operational risk umbrella function can take and enable a holistic view of risks and frameworks.

The new approach is pragmatic

The new approach to developing a risk taxonomy is based on pragmatism more than academic purity. Of the firms we surveyed, 90 per cent are already using more than just the event types defined by Basel.

In the process of analysing over 4,000 lines of data, we identified areas of commonality among those firms that have developed their own taxonomy, with two key themes emerging:

Additional granularity means more than just Basel

The first step for many firms has been to use the Basel event types as a starting point, adding a further level tailored to their specific firm for additional granularity.

Best practice in the industry now appears to comprise companies that have moved on significantly from the Basel event types. Typically, at level one, these taxonomies are twice as large as Basel with current key risks elevated to top-level categories.

Impact or cause?

There is an ongoing debate as to whether certain risk themes should form part of the risk taxonomy or be reflected as impacts or causes. The prevailing, pragmatic approach is epitomised by the fact that some firms use ‘flags’ to identify certain risk themes rather than changing the taxonomy.

Consistency of approach is achievable

Our analysis shows that there is still significant divergence – for example, in the way conduct is treated. We held two roundtable events to discuss some of these areas of difference and to canvas ideas on how to continue evolving the reference taxonomy.

The output of these events and ongoing discussion helped shape the future of risk information sharing, one of the central pillars of our strategy moving forward.

An ORX reference taxonomy is now emerging

Since 2002, ORX has been developing a global community of financial institutions committed to improving the management and measurement of operational risk. We research, improve understanding, and share knowledge to benefit our members and the wider sector.

Organisations can use our results as a means of identifying differences to their own taxonomy. As we consult, debate and learn more, we will continue to build a picture of the ideal risk taxonomy with the objective of helping the global financial services industry align behind a common approach. 

ORX phase one operational and non-financial risk reference taxonomy

Basel event types and the ORX reference taxonomy

Taxonomy phase two

We've just started the second phase of our work on an industry operational risk/non-financial risk (NFR) taxonomy. This stage will dig deeper into level 2 risks.

Find out about phase two of our op risk taxonomy project