To better recognize, understand and mitigate all of their risks, effective financial institutions aspire to speak a common language that covers business processes, risk-rating scales and taxonomies for risks and controls. What factors should they consider when creating this language and what specific steps are needed to build an enterprise-wide risk taxonomy?
Friday, July 16, 2021
By Brenda Boultwood
Every firm needs a comprehensive enterprise risk management (ERM) strategy to identify, assess and manage risks consistently across critical business processes, in all business units. But true risk aggregation and integration can only be achieved after the establishment of a hierarchical common language of risk and common risk-rating scales.
Indeed, the creation of a common risk language for the organization is key to the development of an ERM taxonomy. As we'll discuss a bit later in this article, firms that succeed in this development will benefit from simpler, more streamlined discussions of risks that will ultimately yield improvements in risk measurement, risk-event reporting, risk appetite, metrics monitoring and scenario planning.
A common language should include the risk taxonomy, control taxonomy, business processes and risk-rating scales. The first step, as illustrated in Figure 1, is agreeing on the risk categories.
Figure 1: Risk Taxonomy Categories
The risk taxonomy spells out the key terms and definitions a firm uses to describe its risks, and creates the language used for risk identification in key end-to-end business processes. Controls mitigate the impact or probability of a risk, and are linked to each risk to understand residual risk levels. Residual risks reflect levels of inherent risk, minus mitigating controls.
Figure 2 depicts an approach to defining a taxonomy's hierarchical granularity.
Figure 2: A Hierarchical Risk Taxonomy, Levels 1 - 4
The second step in developing an ERM taxonomy is collaboration. Organizational acceptance of a common risk taxonomy can be fostered through a collaborative process in which the risk management organization asks departments for their assistance in naming and defining the ERM taxonomy.
Portions of the risk taxonomy are typically authored by varied business units, which collaborate to bring deep expertise to the terms and definitions. To reflect learnings and changes in business strategy, these groups should be actively engaged in the regular updates to the taxonomy.
For example, human resources (HR) may provide the names and definitions of people risks; the chief information security officer (CISO) may name and define the organization's digital risks; the communications/PR group may assist with names and definitions of reputational risks; and the corporate facilities group may assist in naming and defining physical security risks.
Business Processes and Controls
All business and functional units should use the full ERM risk taxonomy to identify risks in their critical end-to-end business processes. Each department must own the risks in their business processes.
An end-to-end business process is the chain of activities that results in an outcome. Examples could include new vendor onboarding, new customer acquisition, new loan origination and employee benefit payments.
Creating a taxonomy for controls is the third step in ERM taxonomy development, and is critical for calculating residual risks.
Figure 3: Elements of a Control Taxonomy
At the third level, business units would typically name actual controls, with a mapping to a unique level 2 control name. Control attributes - such as manual vs. automated or preventative vs. detective - need to be maintained for the level 3 business controls.
Risk Taxonomy Uses
The risk taxonomy forms the backbone of ERM and allows consistent understandings across the different types of risk measurement. Step 4 in the ERM development process is putting the risk taxonomy to work.
Figure 4: Uses of an ERM Risk Taxonomy
Let's now take a closer look at each of these applications:
Risk appetite is often based on level 1 risk categories. For example, the board may accept medium levels of operational risk when the business is growing fast and new markets are being explored.
Risk control self-assessments (RCSAs) allow the identification of a full spectrum of enterprise risks in an end-to-end business process.
Risk events are captured across the organization and categorized by level 3 or 4 risk types to allow analysis of loss patterns and their root causes.
Reporting, by level, can ensure appropriate granularity for each audience of the risk report. The board and senior management may be interested in the aggregated summary discussions of level 1 risk categories.
Horizon scanning entails monitoring of external risks (such as cyber threats), compliance requirement changes and social media coverage.
Tail event and scenario planning cover the spectrum of enterprise risks, focused on those that are least understood or represent the largest perceived potential failures.
Metrics for bottom-up risk appetite monitoring are based on the ERM taxonomy, and tied to level 1 risk categories used by the board for an expression of risk appetite.
The bottom line is that business discussions of risks will become simpler and more streamlined when based on a common taxonomy.
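As an added illustration (not from the article or the author's own tooling), the following Python sketch models the taxonomy mechanics described above: risk events tagged at level 4 are rolled up to any higher level for reporting, residual risk is derived from an inherent rating minus mapped controls, and the result is checked against a level 1 risk appetite. All category names, control names and ratings are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed four-level risk taxonomy: level 4 risk type -> (level 1, 2, 3, 4).
# These names are illustrative placeholders, not a real institution's taxonomy.
TAXONOMY = {
    "Phishing":        ("Operational", "Technology", "Cyber", "Phishing"),
    "Ransomware":      ("Operational", "Technology", "Cyber", "Ransomware"),
    "Key-person loss": ("Operational", "People", "Talent", "Key-person loss"),
    "Rate shock":      ("Financial", "Market", "Interest rate", "Rate shock"),
}


@dataclass
class Control:
    name: str          # level 3 business control named by the business unit
    level2: str        # the unique level 2 control name it maps to
    automated: bool    # control attribute: manual vs. automated
    preventative: bool # control attribute: preventative vs. detective
    reduction: int     # rating points removed from inherent risk (1-5 scale)


def roll_up_events(events, level):
    """Count risk events by the taxonomy name at the requested level (1-4).

    Events are tagged with a level 4 risk type; an unknown type is rejected
    rather than silently dropped, so reporting totals stay complete.
    """
    counts = defaultdict(int)
    for level4_type in events:
        if level4_type not in TAXONOMY:
            raise KeyError(f"unknown level 4 risk type: {level4_type}")
        counts[TAXONOMY[level4_type][level - 1]] += 1
    return dict(counts)


def residual_risk(inherent, controls):
    """Residual rating = inherent rating minus mitigating controls, floored at 1."""
    return max(1, inherent - sum(c.reduction for c in controls))


def within_appetite(level1, residual, appetite):
    """Compare a level 1 category's residual rating with the board's appetite."""
    return residual <= appetite[level1]
```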
Standard risk and control taxonomies, with associated measurement scales, are at the heart of an effective ERM program. They allow for consistent risk discussions and meaningful risk aggregation.
There is no one-size-fits-all approach to an ERM taxonomy, but adoption can be facilitated through collaboration with business practitioners. A successful taxonomy codifies the risk language most frequently used and understood within an organization.
Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.
She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.
Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.