This is part 2 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about what makes a strong risk taxonomy and how you can keep your risk classification consistent so you can build an overall risk profile.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. A common issue we find with many clients who have implemented and are running a risk management program / risk management framework, is that they face disconnected, disparate and disaggregated risk processes and related information, which makes it very difficult to bring together to provide an overall risk profile for the board and executive management.
One solution to this problem is to look at two things:
The first step is to create a strong risk taxonomy. That is, a library of risk classifications (risk names) that can be used to aggregate information up to the highest level and help analyse that information.
One of the problems with these risk taxonomies is they can get messy very easily and they can be confusing. Why? The reason is lack of consistency.
The problem is that risk is made up of many parts, five in particular:
We have the root cause of the risk. We have the events of the risk. We have failed critical processes that are caused by the risk and we have the impact of the risk. On top of that, we then have the controls over that risk.
Now, if we define a risk using all of those, it may include things such as reputation risk, which is an impact; a failed payment process, which is a failed critical process; loss of confidential information, which is an event; and failed reconciliation, which is a failed control. All of these are inconsistent with each other and cause confusion.
Therefore, a good taxonomy of risk will be based on one, and only one, of those parts. We suggest the most important one is risk events: that is, having a classification of risk events that goes all the way up to the Board of Directors and cascades down to the coalface.
Screenshot of a Risk Event Central Library from the Protecht.ERM system showing risks grouped under Risk Appetite Categories.
A good example of this would be an event library that might have 10 to 15 level one risks, which disaggregate into 30, 40 or 50 level two risks as granularity increases. Once you have that, you can then do the same with your risk causes, your processes, your impacts and your controls.
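As an added illustration (not Protecht's code, and not part of the original video), the following Python models the two-level event library described above and enforces the consistency rule from the previous paragraphs: entries that are really impacts, processes or controls are rejected from an event-based library, and incident records are rolled up to level one to produce an overall profile. The risk names, the "E01"-style codes and the loss figures are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five parts of a risk named in the video. A library is built on exactly
# one of them; the taxonomy below is keyed on "event".
RISK_PARTS = {"cause", "event", "process", "impact", "control"}


@dataclass(frozen=True)
class Entry:
    code: str                      # hypothetical code scheme, e.g. "E01" / "E01.1"
    name: str
    part: str                      # which of the five parts this name describes
    parent: Optional[str] = None   # level-one code for a level-two entry


class RiskTaxonomy:
    """Two-level library of risk names built on a single part (default: events)."""

    def __init__(self, primary_part: str = "event") -> None:
        if primary_part not in RISK_PARTS:
            raise ValueError(f"unknown risk part: {primary_part}")
        self.primary_part = primary_part
        self.entries: Dict[str, Entry] = {}

    def add(self, entry: Entry) -> None:
        # Consistency rule: an event library must not contain impacts, causes,
        # processes or controls masquerading as risks.
        if entry.part != self.primary_part:
            raise ValueError(
                f"'{entry.name}' is a {entry.part}, not a {self.primary_part}")
        if entry.parent is not None:
            parent = self.entries.get(entry.parent)
            if parent is None:
                raise ValueError(f"unknown parent {entry.parent} for {entry.code}")
            if parent.parent is not None:
                raise ValueError("library is limited to two levels")
        self.entries[entry.code] = entry

    def level_one(self, code: str) -> str:
        """Roll any code up to its level-one code."""
        entry = self.entries[code]
        return entry.code if entry.parent is None else entry.parent

    def profile(self, incidents: List[Tuple[str, float]]) -> Dict[str, float]:
        """Aggregate (event code, loss) records into a level-one risk profile."""
        totals: Dict[str, float] = defaultdict(float)
        for code, loss in incidents:
            totals[self.level_one(code)] += loss
        return dict(totals)


def build_sample_taxonomy() -> RiskTaxonomy:
    # Constructed sample library; names and codes are illustrative only.
    tax = RiskTaxonomy()
    tax.add(Entry("E01", "Information security breach", "event"))
    tax.add(Entry("E01.1", "Loss of confidential information", "event", "E01"))
    tax.add(Entry("E01.2", "Unauthorised system access", "event", "E01"))
    tax.add(Entry("E02", "Transaction processing error", "event"))
    tax.add(Entry("E02.1", "Duplicate or late payment", "event", "E02"))
    return tax


def try_mixed_entries(tax: RiskTaxonomy) -> List[str]:
    """Feed the inconsistent names from the video and report which are rejected."""
    candidates = [
        Entry("X1", "Reputation risk", "impact"),            # an impact
        Entry("X2", "Failed payment process", "process"),    # a failed process
        Entry("X3", "Failed reconciliation", "control"),     # a failed control
        Entry("E03", "Fraud by external party", "event"),    # a genuine event
    ]
    rejected = []
    for entry in candidates:
        try:
            tax.add(entry)
        except ValueError:
            rejected.append(entry.name)
    return rejected


if __name__ == "__main__":
    taxonomy = build_sample_taxonomy()
    print("rejected:", try_mixed_entries(taxonomy))
    # Constructed incident register: (event code, loss amount)
    incidents = [("E01.1", 120.0), ("E01.2", 30.0), ("E02.1", 50.0), ("E02", 5.0)]
    print("level-one profile:", taxonomy.profile(incidents))
```

Because every incident is coded against the same single dimension, rolling up to level one is a plain sum; the same structure can then be repeated for causes, processes, impacts and controls as separate libraries rather than mixing them into one.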
Please check out our other blogs and videos and until next time, take care.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).