This is part 2 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about what makes a strong risk taxonomy and how you can keep your risk classification consistent so you can build an overall risk profile.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. A common issue we find with many clients who have implemented and are running a risk management program / risk management framework is that they face disconnected, disparate and disaggregated risk processes and related information, which makes it very difficult to bring everything together to provide an overall risk profile for the board and executive management.
One solution to this problem is to look at two things:
- Firstly, create the key building blocks of the risk management framework, both in terms of process and information.
- Secondly, bring all that information together in an aggregated and connecting way.
The first step is to create a strong risk taxonomy. That is, a library of risk classifications / risk names which can be used to aggregate information up to the highest level and help analyse that information.
One of the problems with these risk taxonomies is that they can get messy very easily and they can be confusing. Why? The reason is a lack of consistency.
The problem is that risk is made up of many parts, five in particular:
- Root Cause
- Risk Events
- Critical Processes
- Risk Impacts
- Risk Controls
We have the root cause of the risk. We have the events of the risk. We have the failed critical processes that are caused by the risk, and we have the impact of the risk. On top of that, we then have the controls over that risk.
Now, if we define a risk using all of those, it may include things such as reputation risk, which is an impact; a failed payment process, which is a failed critical process; loss of confidential information, which is an event; and failed reconciliation, which is a failed control. Mixing these together is inconsistent and causes confusion.
Therefore, a good taxonomy of risk will be based on one, and only one, of those. We suggest the most important one is risk events. That is, having a classification of risk events that goes all the way up to the Board of Directors and cascades down to the coalface.
Screenshot of a Risk Event Central Library from the Protecht.ERM system showing risks grouped under Risk Appetite Categories.
A good example of this would be an event library with perhaps 10 to 15 level one risks, which disaggregate into 30, 40 or 50 level two risks as granularity increases. Once you've got that, you can then do the same with your risk causes, your processes, your impacts and your controls.
Please check out our other blogs and videos and until next time, take care.
Other videos in this series:
- Part 1 - Solving the Problem by Integrating the Building Blocks of Risk Management
- Part 3 - Risk and Control Self Assessment (coming soon)
- Part 4 - Are you intimate with your controls? (coming soon)