Risk Taxonomy

Definition

A Risk Taxonomy is the (typically hierarchical) categorization of risk types. A common approach is to adopt a tree structure, whereby risks higher in the hierarchy are decomposed into more specific (granular) manifestations.

Constructing a risk taxonomy follows the practice and science of general taxonomies, classifying things or concepts, including the principles that underlie such classifications. The outcome is a classification scheme, a formal list of concepts (Risk Types), denoted by controlled words (labels), generally arranged in tree form, from abstract to specific. The concepts are related by subtype - supertype relations.

A risk taxonomy is defined always from the view point of a concrete agent (e.g representing the management of an organization) that aims to manage risks (the effect of uncertainty on the organizational objectives). Other stakeholders to an organization will have related by not necessarily identical classification of organizational risks (defined in relation to their own objectives). The organizational structure and the objectives of the agent engaging in risk management determine the scope and content of the taxonomy.

While various attributes may characterise a good (useful) risk taxonomy as outlined below, there is no unique taxonomy for a given domain as the aspects chosen to classify risks can be drawn for a very large set.

Structure

The root node of the taxonomy denotes the aggregation of all types of relevant (in-scope) risks to the organization
The child nodes (leaves of the tree) are more specific manifestations of Risk Type. Child nodes can be thought of as the range of values of a Categorical Variable
There is a flexible number of taxonomy levels, which need not be the same across the taxonomy
The arrangement of nodes at any given level is not pre-ordained and can be a tree or a matrix

Requirements

Comprehensive Coverage: At any level of the hierarchy
- the totality of risk types aggregate to the super-type and
- any risk within the super-type belongs to one of the subtypes
Granularity: The taxonomy has sufficient granularity to distinguish risk types that have their own unique attributes
Definitional Clarity: To prevent overlap, at any level of the hierarchy, a risk belongs to one and only one risk type
Stability over Time: Risks can be assigned to appropriate risk types in a consistent way over longer time horizons

Usage

A risk taxonomy enters in Risk Management activity as a tool to help with a variety of tasks:

Establish the degree of completeness in the coverage of risks (informing the organizational Risk Framework)
Help risk managers with Risk Identification by providing an analytic framework
Support lower level implementations such as Internal Controls or Risk Tools used in Quantitative Risk Management
Enable more effective Risk Aggregation
Identify potential linkages between the risks factors behind different risk type categories

Risk Taxonomies in Financial Services

There is no over-arching risk taxonomy that applies consistently to the entire financial services industry (let alone to the risk management of non-financial businesses). A high level segmentation into the following categories has been common practice for several decades^[1]

Credit Risk
Market Risk
Operational Risk
Liquidity Risk
Legal and Regulatory Risk
Human Factor Risk
Supply Chain Risk

Regulatory Risk Taxonomies

There are a number of separate taxonomies implicit or explicit in the extant regulatory frameworks for financial institutions, policy initiatives etc:

The high level segmentation into Credit, Market, Operational and Liquidity Risk mentioned above is also embedded in the Basel Standards
The Basel II Operational Risk Taxonomy^[2]
EBA Taxonomy on Operational Risk^[3]
The IT Risk taxonomy^[4]
The Climate-Related Risk Taxonomy^[5]
The EU Sustainable Finance Taxonomy

While not a formal risk taxonomy, the segmentation of BCBS Regulatory Topic Taxonomy is indicative of the high level domain knowledge segmentation that governs regulatory approaches

Industry Risk Taxonomies

Various industries develop their own risk taxonomies, either explicitly as a published taxonomy or implicit in a schema for collection and storage of Risk Event data. We include here links to such taxonomies (to the extend that they are publicly available):

The VERIS Vocabulary for Event Recording and Incident Sharing

Open Risk Taxonomy

The Open Risk Taxonomy^[6] is an open source risk classification framework developed by Open Risk. The primary objectives of this taxonomy are:

to provide means to organize the material incorporated in the Open Risk Manual
to support the development of a comprehensive and consistent set of Open Source Risk Management Software.

The Open Risk Taxonomy aims to be a holistic picture of risks facing an organization (in particular financial organizations) in support of Holistic risk management. The highest level decomposition (and a distinctive future of the taxonomy) is the use of contracting as key differentiator of risk types

Contractual Risks which (typically) allow better defined notions of risk exposure, which in turn renders them more amenable to Risk Quantification
Business Risks, which are not explicitly linked to contractual relationships, and thus are generally less tangible / harder to quantify, although decidedly not less real or with lower potential impact

Risk Taxonomy Tree

You can browse the current Open Risk Taxonomy by clicking on the arrows of the taxonomy tree below. Nodes that have further subdivisions are indicated with a blue arrow. End-nodes lead to the corresponding category definition and the list of articles belonging to that.

NB: The structure of the taxonomy (especially the more granular levels) is still under active development!

▼ Risk Taxonomy

▼ Business Risk

► Business Model Risk Ontology

► Franchise Risk

► Funding Risk

► Human Resources

► Market Risk

► Operational Risk

► Revenue Risk

▼ Contractual Risks

► Credit Risk

► Human Resources Risk

► Inflation Risk

► Insurance

► Interest Rate Risk

► Market Risk

► Optionality Risk

► Third Party Risk

► Disaster Risk

no subcategories

► Force Majeure Risk

no subcategories

► Occupational Risk Taxonomy

no subcategories

Issues and Challenges

Risk types in practice may exhibit significant overlap either due to poor definition or due to the fact that a complex Risk Event intrinsically maps to multiple risk types
The subjective and ever changing nature of many financial system risks means that (in contrast with more durable taxonomies of physical phenomena), risk taxonomies need to be constantly revisited to assess whether they continue being relevant (Emerging Risk)
One of the weaknesses of using exclusively regulatory prescriptions as the basis for an internal risk management taxonomies is that the regulatory (external) perspective places less weight to day-to-day operational and Business Model Risk

References

↑ Crouhy, Galai, Mark, Risk Management, 2001
↑ BCBS, Principles for the Sound Management of Operational Risk
↑ Policy Advice On the Basel III Reforms: Operational Risk, EBA-Op-2019-09b 2 August 2019
↑ EBA, Final Guidelines on ICT Risk Assessment under SREP
↑ TCFD Report, Recommendations of the Task Force on Climate-related Financial Disclosures, 2017
↑ Open Risk Taxonomy White Paper, 2015

[1] Crouhy, Galai, Mark, Risk Management, 2001

[2] BCBS, Principles for the Sound Management of Operational Risk

[3] Policy Advice On the Basel III Reforms: Operational Risk, EBA-Op-2019-09b 2 August 2019

[4] EBA, Final Guidelines on ICT Risk Assessment under SREP

[5] TCFD Report, Recommendations of the Task Force on Climate-related Financial Disclosures, 2017

[6] Open Risk Taxonomy White Paper, 2015

[1]

[2]

[3]

[4]

[5]

[6]

Risk Taxonomy

Contents

Definition

Structure

Requirements

Usage

Risk Taxonomies in Financial Services

Regulatory Risk Taxonomies

Industry Risk Taxonomies

Open Risk Taxonomy

Risk Taxonomy Tree

Issues and Challenges

See Also

References