Risk Taxonomy

From Open Risk Manual


A Risk Taxonomy is the (typically hierarchical) categorization of risk types. A common approach is to adopt a tree structure, whereby risks higher in the hierarchy are decomposed into more specific (granular) manifestations.

Constructing a risk oriented taxonomy follows the general practice and science of taxonomies (classifying things or concepts, including the principles that underlie such classifications).

Risk Taxonomies in Financial Services

There is no over-arching risk taxonomy that applies consistently to the entire financial services industry, let alone to the risk management of broader business / organizational models.

The risk taxonomy enters in risk management activity as a tool to help primarily with the following two tasks:

  • Establish a degree of completeness in the coverage of risks
  • Identify potential linkages between risks factors

Regulatory Risk Taxonomies

There are a number of separate taxonomies implicit or explicit in the extant regulatory frameworks for financial institutions:

The Open Risk Taxonomy

The Open Risk Taxonomy[3] is an open source risk classification framework developed by Open Risk and used also within the Open Risk Manual. The primary objectives of this taxonomy are:

  • to provide means to organize the material incorporated in the Open Risk Manual
  • to support the development of a comprehensive and consistent set of Open Source Risk Management Software.

The Open Risk Taxonomy is primarily based on the distinction between contractual and business process risks

Taxonomy Tree

You can browser the taxonomy by clicking on the arrows

Issues and Challenges

  • The subjective and ever changing nature of many financial system risks means that (in contrast with more durable taxonomies of physical phenomena), risk taxonomies need to be constantly revisited to assess whether they continue being relevant
  • One of the weaknesses of using exclusively regulatory prescriptions as the basis for an internal risk management taxonomies is that the regulatory (external) perspective places less weight to day-to-day and (until recently) business model sustainability


  1. BCBS, Principles for the Sound Management of Operational Risk
  2. EBA, Final Guidelines on ICT Risk Assessment under SREP
  3. Open Risk Taxonomy White Paper, 2015

Contributors to this article

» Wiki admin