Risk Taxonomy

From Open Risk Manual


A Risk Taxonomy is the (typically hierarchical) categorization of risk types. A common approach is to adopt a tree structure, whereby risks higher in the hierarchy are decomposed into more specific (granular) manifestations.

Constructing a risk taxonomy follows the practice and science of general taxonomies: classifying things or concepts, including the principles that underlie such classifications. The outcome is a classification scheme, a formal list of concepts (Risk Types), denoted by controlled words (labels), generally arranged in tree form, from abstract to specific. The concepts are related by subtype/supertype relations.

A risk taxonomy is always defined from the viewpoint of a concrete agent (e.g. representing the management of an organization) that aims to manage risks (the effect of uncertainty on the organizational objectives). Other stakeholders of an organization will have related but not necessarily identical classifications of organizational risks (defined in relation to their own objectives). The organizational structure and the objectives of the agent engaging in risk management determine the scope and content of the taxonomy.

While various attributes may characterise a good (useful) risk taxonomy, as outlined below, there is no unique taxonomy for a given domain, as the aspects chosen to classify risks can be drawn from a very large set.


  • The root node of the taxonomy denotes the aggregation of all types of relevant (in-scope) risks to the organization
  • The child nodes (leaves of the tree) are more specific manifestations of Risk Type. Child nodes can be thought of as the range of values of a Categorical Variable
  • There is a flexible number of taxonomy levels, which need not be the same across the taxonomy
  • The arrangement of nodes at any given level is not pre-ordained and can be a tree or a matrix


  • Comprehensive Coverage: At any level of the hierarchy
    • the totality of risk types aggregate to the super-type and
    • any risk within the super-type belongs to one of the subtypes
  • Granularity: The taxonomy has sufficient granularity to distinguish risk types that have their own unique attributes
  • Definitional Clarity: To prevent overlap, at any level of the hierarchy, a risk belongs to one and only one risk type
  • Stability over Time: Risks can be assigned to appropriate risk types in a consistent way over longer time horizons
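As an added illustration (not part of the Open Risk Manual), the following Python sketch checks a constructed risk register against two of the properties listed above: definitional clarity (each event lands on one and only one end-node) and comprehensive coverage (counts roll up consistently from the leaves to the root). The top-level contractual/business split mirrors the Open Risk Taxonomy's distinction; the granular labels, the event ids and their proposed assignments are assumptions made up for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
@dataclass
class RiskType:
    label: str
    children: list = field(default_factory=list)
    def leaf_labels(self):
        """Labels of the end-nodes, the only valid assignment targets."""
        return {self.label} if not self.children else set().union(*(c.leaf_labels() for c in self.children))

# Constructed illustrative taxonomy: the top-level contractual / business split follows
# the Open Risk Taxonomy; the granular labels beneath it are assumptions for this example.
TAXONOMY = RiskType("Risk", [
    RiskType("Contractual Risks", [RiskType("Credit Risk"), RiskType("Market Risk")]),
    RiskType("Business Risks", [RiskType("Business Model Risk"), RiskType("Operational Risk")]),
])

# Constructed risk register: event id -> risk type labels proposed for that event.
REGISTER = {
    "E1": {"Credit Risk"},
    "E2": {"Market Risk"},
    "E3": {"Operational Risk", "Business Model Risk"},  # overlapping assignment
    "E4": set(),                                         # no type proposed at all
    "E5": {"Operational Risk"},
    "E6": {"Reputational Risk"},                         # label not in the taxonomy
}

def validate_register(root, register):
    """Definitional clarity: an event belongs to exactly one leaf; several hits = overlap, none = uncovered."""
    leaves = root.leaf_labels()
    assigned, overlap, uncovered = {}, {}, []
    for event, labels in register.items():
        hits = sorted(labels & leaves)
        if len(hits) == 1:
            assigned[event] = hits[0]
        elif hits:
            overlap[event] = hits
        else:
            uncovered.append(event)  # coverage gap or out-of-taxonomy label
    return {"assigned": assigned, "overlap": overlap, "uncovered": uncovered}

def aggregate(root, assigned):
    """Comprehensive coverage: a node's total is the sum over its children, up to the root."""
    leaf_counts, totals = Counter(assigned.values()), {}
    def roll_up(node):
        totals[node.label] = sum(map(roll_up, node.children)) if node.children else leaf_counts[node.label]
        return totals[node.label]
    roll_up(root)
    return totals
```

Events flagged as overlapping or uncovered are exactly the cases where the taxonomy needs either sharper definitions or an additional (or "other") type at that level.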


A risk taxonomy enters Risk Management activity as a tool to help with a variety of tasks:

Risk Taxonomies in Financial Services

There is no overarching risk taxonomy that applies consistently to the entire financial services industry (let alone to the risk management of non-financial businesses). A high-level segmentation into the following categories has been common practice for several decades[1]:

Regulatory Risk Taxonomies

There are a number of separate taxonomies, implicit or explicit, in the extant regulatory frameworks for financial institutions, policy initiatives etc.:

While not a formal risk taxonomy, the segmentation of the BCBS Regulatory Topic Taxonomy is indicative of the high-level domain knowledge segmentation that governs regulatory approaches.

Industry Risk Taxonomies

Various industries develop their own risk taxonomies, either explicitly as a published taxonomy or implicitly in a schema for the collection and storage of Risk Event data. We include here links to such taxonomies (to the extent that they are publicly available):

Open Risk Taxonomy

The Open Risk Taxonomy[6] is an open source risk classification framework developed by Open Risk. The primary objectives of this taxonomy are:

  • to provide means to organize the material incorporated in the Open Risk Manual
  • to support the development of a comprehensive and consistent set of Open Source Risk Management Software.

The Open Risk Taxonomy aims to be a holistic picture of the risks facing an organization (in particular financial organizations) in support of Holistic risk management. The highest level decomposition (and a distinctive feature of the taxonomy) is the use of contracting as the key differentiator of risk types:

  • Contractual Risks which (typically) allow better defined notions of risk exposure, which in turn renders them more amenable to Risk Quantification
  • Business Risks, which are not explicitly linked to contractual relationships, and thus are generally less tangible / harder to quantify, although decidedly not less real or with lower potential impact

Risk Taxonomy Tree

You can browse the current Open Risk Taxonomy by clicking on the arrows of the taxonomy tree below. Nodes that have further subdivisions are indicated with a blue arrow. End-nodes lead to the corresponding category definition and the list of articles belonging to it.

NB: The structure of the taxonomy (especially the more granular levels) is still under active development!

Issues and Challenges

  • Risk types in practice may exhibit significant overlap, either due to poor definition or due to the fact that a complex Risk Event intrinsically maps to multiple risk types
  • The subjective and ever-changing nature of many financial system risks means that (in contrast with more durable taxonomies of physical phenomena) risk taxonomies need to be constantly revisited to assess whether they continue to be relevant (Emerging Risk)
  • One of the weaknesses of using exclusively regulatory prescriptions as the basis for an internal risk management taxonomy is that the regulatory (external) perspective places less weight on day-to-day operational and Business Model Risk

See Also


  1. Crouhy, Galai, Mark, Risk Management, 2001
  2. BCBS, Principles for the Sound Management of Operational Risk
  3. EBA, Policy Advice on the Basel III Reforms: Operational Risk, EBA-Op-2019-09b, 2 August 2019
  4. EBA, Final Guidelines on ICT Risk Assessment under SREP
  5. TCFD Report, Recommendations of the Task Force on Climate-related Financial Disclosures, 2017
  6. Open Risk Taxonomy White Paper, 2015