
Speaking the same risk language is an essential part of any successful enterprise risk management (ERM) program. Without a proper risk taxonomy, after all, risk management is nothing but anecdotal stories, with no ability to see risk trends or understand risk management priorities.
The taxonomy, indeed, forms the foundation of decision support and risk communication, and is crucial to risk aggregation and analytics. For global companies, however, implementing a standard risk language is a daunting task – partly because vocabulary tends to vary across different business units and geographies.
What is a risk taxonomy? And why is it vital for risk aggregation?
Risk Taxonomy: Definition and Role in ERM
By Brenda Boultwood and Joshua Switzer
A risk taxonomy is a hierarchical classification system for categorizing and defining the risks an organization may encounter. It guides risk identification and is essential to risk aggregation. Leading private and public sector companies employ risk taxonomies, which create a standard vocabulary of risk across an organization.
Once a risk taxonomy is established, risks can be identified consistently across the objects that make up an organization. A careful description of the risk taxonomy in a firm’s risk management policy ensures that risk owners are accountable for actions related to their risks, across all risk management activities. This is key to the ERM development process (see Figure 1).
Figure 1: An Overview of Enterprise Risk Management Processes

Value Proposition of a Well-Defined Taxonomy
A standardized language of risk offers many benefits. It minimizes misunderstandings about the risk issues facing a business, and can be designed to cover a wide range of risks – preventing any from going unrecognized.
When combined with standard rating scales for probability and impact, a shared risk taxonomy will also enable risk aggregation, trend analysis and prioritization. Moreover, it allows granular risks with bespoke names to be mapped to standard risk names at higher levels in the taxonomy, ensuring organizational flexibility and adaptability.
Illustrative Risk
Large financial institutions should develop standard terminology and definitions for at least the first two levels of their risk taxonomy (see Figure 2). The terminology, of course, will differ across organizations, and should be adapted to reflect the vocabulary of your business.
Figure 2: Illustrative “Levels 1 and 2” Risk Taxonomy

As risk management practices mature, additional risk taxonomy levels should be defined to allow an organization to cater to its local needs. For example, “business risk” may be a level 1 risk category, while level 2 could be “budget adequacy and pressures.” Level 3, meanwhile, could cover, for example, the net interest income (NII) margin squeeze in commercial lending.
It's important to note that a level 3 risk may be identified by different names in different geographies. In the U.S., for example, it could be called “Competitive Compression of Trust Fees,” whereas in the UK it could be named “Trust Cost Competition.”
Whatever we call the local level 3 risk, it will map to the same corporate level 2 risk, “budget adequacy and pressures.” This ensures senior management can not only understand the aggregate risk but also drill down to the relevant risk across business and geographic areas.
This specificity is required to ensure your employees understand the language and that your organization consistently applies risk management processes, even when it operates globally. This additional granularity also allows the risk language to be tuned appropriately for each business area and local language.
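As an added illustration (not from the article or its authors), the Python sketch below models the hierarchy described above and the aggregation mentioned earlier: bespoke level 3 names per region map to a standard level 2 risk, which maps to one of the six level 1 categories, and ratings on a standard probability and impact scale are rolled up so the aggregate can be drilled back down to region and business area. The level 2 name and the U.S./UK level 3 names are the article's; the 1-5 scale, the probability-times-impact score and taking the maximum at each parent are assumptions.

```python
from dataclasses import dataclass, field

# The six level 1 categories named in the article.
LEVEL1 = {"operational", "business", "strategic", "reputational", "financial", "ESG"}


@dataclass
class Taxonomy:
    """Hierarchy: level 3 (local name, per region) -> level 2 -> level 1."""
    level2_parent: dict = field(default_factory=dict)  # level 2 name -> level 1 category
    level3_parent: dict = field(default_factory=dict)  # (region, local name) -> level 2

    def add_level2(self, name: str, level1: str) -> None:
        if level1 not in LEVEL1:
            raise ValueError(f"unknown level 1 category: {level1}")
        self.level2_parent[name] = level1

    def add_level3(self, region: str, local_name: str, level2: str) -> None:
        # A bespoke local name enters the taxonomy only if it maps to a standard level 2.
        if level2 not in self.level2_parent:
            raise ValueError(f"level 2 risk not defined: {level2}")
        self.level3_parent[(region, local_name)] = level2


@dataclass
class RiskEntry:
    region: str
    local_name: str
    probability: int  # assumed standard 1-5 rating scale
    impact: int       # assumed standard 1-5 rating scale


def aggregate(tax: Taxonomy, entries: list) -> dict:
    """Roll local risks up the hierarchy. Score = probability x impact (assumed);
    a parent's score is the max of its children so the worst risk is not averaged away.
    Entries with no mapping are reported, not silently dropped."""
    out = {"level2": {}, "level1": {}, "unmapped": []}
    for e in entries:
        if not (1 <= e.probability <= 5 and 1 <= e.impact <= 5):
            raise ValueError(f"rating off the 1-5 scale: {e}")
        score = e.probability * e.impact
        l2 = tax.level3_parent.get((e.region, e.local_name))
        if l2 is None:
            out["unmapped"].append((e.region, e.local_name))
            continue
        for level, key in (("level2", l2), ("level1", tax.level2_parent[l2])):
            node = out[level].setdefault(key, {"score": 0, "count": 0, "drill_down": []})
            node["score"] = max(node["score"], score)
            node["count"] += 1
            node["drill_down"].append((e.region, e.local_name, score))
    return out
```

The "unmapped" list is the check a CRO wants: any local risk name that has not been mapped to a corporate level 2 risk is visible, rather than vanishing from the enterprise aggregate.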
Practical Advice
The ability of risk management processes to reflect the language of each business area, operating in any region, is important to the sustained success of any ERM program.
As CRO, you can be very clear about the corporate- or group-level risk language of your executives. However, to ensure that local risks are collected correctly and that the risk aggregation process yields a true enterprise risk level, you must be cognizant and respectful of the language in business units spread across different geographic regions.
A Level 2 risk, for example, might be named and described in a way that is understood by the local staff in a specific region. When building a taxonomy, the CRO must account for these local language variations.
Parting Thoughts
Our proposed risk taxonomy framework has six “level one” categories: operational, business, strategic, reputational, financial, and environmental, social and governance (ESG). These categories typically offer complete coverage of a firm’s risks.
The risk taxonomy, in short, guarantees all risks are categorized consistently, simplifying the overall ERM process. It is crucial for enhancing communication and ensuring consistent risk identification, as well as for facilitating risk aggregation and prioritizing decision support. That is why it must be established at the most senior level and propagated throughout the firm.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.
Joshua Switzer is a Midshipman at the United States Naval Academy studying Ocean Engineering. His research focuses on risk taxonomy and the risk classification system that will allow the correct identification and assessment of risks when different business units and geographies use different vocabularies.