This is part 2 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about what makes a strong risk taxonomy and how you can keep your risk classification consistent so you can build an overall risk profile.


Video Transcription

Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. A common issue we find with many clients who have implemented and are running a risk management program / risk management framework is that they face disconnected, disparate and disaggregated risk processes and related information, which makes it very difficult to bring together to provide an overall risk profile for the board and executive management.

One solution to this problem is to look at two things:

  1. Firstly, create the key building blocks of the risk management framework, both in terms of process and information.
  2. Secondly, bring all that information together in an aggregated and connecting way.

Risk Taxonomies

The first step is to create a strong risk taxonomy. That is a library of risk classifications / risk names which can be used to aggregate information up at the highest level and help analyse that information.

One of the problems with these risk taxonomies is they can get messy very easily and they can be confusing. Why? The reason is lack of consistency.

The problem is that risk is made up of many parts, five in particular:

  1. Root Cause
  2. Risk Events
  3. Critical Processes
  4. Risk Impacts
  5. Risk Controls

We have the root cause of the risk. We have the events of the risk. We have failed critical processes that are caused by the risk and we have the impact of the risk. On top of that, we then have the controls over that risk.

Now, if we define a risk using all of those, it may include things such as reputation risk, which is an impact; a failed payment process, which is a failed critical process; loss of confidential information, which is an event; and failed reconciliation, which is a failed control. All of these are inconsistent and cause confusion.

Therefore, a good taxonomy of risk will be based on one, and only one, of those. We suggest the most important one is risk events. That is, having a classification of risk events that go all the way up to the Board of Directors and cascade down to the coalface.

Screenshot of a Risk Event Central Library from the Protecht.ERM system showing risks grouped under Risk Appetite Categories.

A good example of this would be an event library that would maybe have 10 to 15 level one risks, that might disaggregate down into 30, 40, 50 level two risks as granularity increases. Once you've got that, you can then do the same with your risk causes, your processes, your impacts and your controls.

Please check out our other blogs and videos and until next time, take care.
