The ORX Reference Taxonomy for operational and non-financial riskSeptember 23, 2020
>> Download PDF <<
A strategic priority for ORX and the operational and non-financial risk community
There has been a substantial change in the operational risks faced in financial services over the last 15 years. Risks such as Conduct, Cyber and Third Party have risen in importance and now dominate boardroom agendas. How organisations think about this expanding portfolio of threats and manage them in a consistent way is underpinned by their risk taxonomy.
This changing risk profile, combined with a recent shift of focus away from capital measurement towards risk management, means that many organisations are updating their operational risk taxonomies. In doing so, they are deviating from Basel Event Types and in the absence of a common standard, we have observed significant divergence.
The strategic priority of this ORX initiative, supported by Oliver Wyman, was to create a common point of reference and thereby solid ground for industry discussion about developing operational risk taxonomies. This lays the foundations which allow consistent industry sharing of insights and data over the coming years.
An industry point of reference
The ORX Reference Taxonomy is our first iteration of a full taxonomy that goes deeper into level 2 risks. It is an enhancement of the award-winning level 1 reference taxonomy which was developed in 2018. At this stage it is provided as a guide to the industry, and to encourage a convergence of thinking; it is not intended as a standard and will not be adopted in the ORX global and regional loss data exchange services. It consolidates information from 60 different taxonomies into a single coherent reference.
To best use this work, it is important to understand that:
1. This is a reference
We have published a reference taxonomy which collates many individual operational risk taxonomies in a sensible way. It is intended as a useful resource against which organisations can benchmark and improve practice. It is unlikely to meet every need without some customisation.
2. It can be used in different ways
Given the thematic nature of some risks (such as cyber), it is possible to adapt the ORX Reference Taxonomy to meet your business needs. For example, users could create meaningful groups of level 2 risks which do not appear within the same level 1 in the reference taxonomy, or they could align reference taxonomy level 2 risks to alternative level 1 risks in their own taxonomy.
3. There is a connection to Basel
It is important to note that taxonomies had not moved completely away from Basel Event Types; more accurately, they had evolved and expanded them. We observed common changes, and the reference reflects this:
A change of language
Some risks closely corresponding to Basel Event Types, but with a change of language.
Greater focus on misconduct
Risks which expand the Clients, Products and Business Practices category and provide greater granularity, such as Compliance, Financial Crime and Misconduct.
An elevation of material concerns
Risks that have risen in prominence and are elevated to level 1. This includes Information Security, Cyber, Data, Model and Third Party.
A level 1 reference taxonomy
In 2018, an ORX research study developed an emerging level 1 ORX Reference Taxonomy. 90% of the 2018 study’s 40 participants had adopted an enhanced taxonomy which captures the key risks they see in today’s business environment, and one which is defined in a language familiar to their business leaders.
It was, however, important to note that a significant majority had not moved completely away from Basel Event Types – more accurately they had evolved and expanded them. This held true for participants who self-identified as following a Basel structure, but also true to an extent with those who self-identified as having developed their own taxonomy.
In some cases, we have observed more wholesale changes, particularly with participants who self-identified as having developed their own taxonomy. This allows more freedom in the way they can express their risk profile. It in turn often results in a larger number of level 1 risks (compared to the Basel structure), reflecting the desire to elevate certain risks to higher prominence.
A full reference taxonomy
Building on the significant interest from ORX members, the wider industry and regulators in the 2018 taxonomy work, ORX has been pleased to work with Oliver Wyman using a larger set of taxonomies to:
1. Develop an updated ORX Reference Taxonomy, including level 2 risks
2. Provide guidance to support and explain the taxonomy
This taxonomy can be used as a key reference to benchmark against and to observe industry trends. It is not a standard specifically intended to be adopted wholesale but can assist organisations in developing their taxonomies, provide industry evidence to support change and allow them to accelerate their thinking.
Working with Oliver Wyman, ORX reviewed an expanded data set of 58 ORX member taxonomies (collected from banks and insurers). This was used to validate the 2018 level 1 reference, derive suitable supporting level 2 risks and to develop guidance.
We have then worked with a member advisory group to review, update and finalise the taxonomy.
During this work, several principles have been applied to develop the ORX Reference Taxonomy, namely that it should:
• Be risk event based
• Be designed to include two levels
• Be intuitive and easy to understand
• Cover the scope of – and map back to – Basel Event Types
• Be mutually exclusive and collectively exhaustive (to the extent possible)
Data in the driving seat
The data collected from ORX member taxonomies demonstrates that there are numerous equally valid approaches to risk taxonomy construction. Differences can arise because of an individual organisation’s decisions regarding both the risks to include and where to position them. These decisions are influenced by external factors such as jurisdictional trends and idiosyncratic ones, such as internal organisational structures and the businesses in which an organisation operates. Establishing a taxonomy is not a perfect science and often requires the application of common sense and compromise.
The factors above, as well as the absence of industry-wide taxonomy developments, highlight the need for ORX to enhance the reference taxonomy and develop the level 2 categories. Central to this development has been the use of the collected ORX member taxonomy data in a systematic and transparent way. Initially, data was used to validate and update the level 1 categories identified as part of the 2018 ORX study, then further analysis has been undertaken to assist in the development of the supporting level 2 risks for the enhanced taxonomy.
This analysis to develop level 2 risks involved:
• Identification of the “risk dimensions” used to describe each level 1/level 2 risk; for example, under External Fraud, level 2 risks in participant taxonomies are linked to dimensions including actor, item, product and channel
• The adoption of either the most common approach to level 2 risks or, where significant divergence was observed, using the most consistent approach to determine level 2 risks
• Review and feedback from the member advisory group of the risks where practice diverged the most
Observations from the taxonomy data
The review of participant taxonomies highlighted several themes, with some interesting and notable observations:
Increase in level 1 size and use of risk “themes”
Relative to the Basel Event Types, overall there is an increase in the number of level 1 risks in the taxonomies collected. On average there were of 14 level 1 risks versus the 7 original level 1 Basel Event Types. Another way of capturing increasing prominence in certain risk types is the increased use of risk “themes” as standalone risk categories, for example Conduct and Cyber. The increase of both level 1 risks and in the use of risk themes potentially reflects a more developed and granular approach to defining operational risk. It may also reflect the increased number of risks uniquely recognised under the operational risk umbrella.
Use of different dimensions
For several risks, participants use a combination of different “dimensions” to define their level 2 risks. This was particularly evident for Conduct – where dimensions observed relate to market integrity, products and services, as well as clients and business practices. Different dimensions were also evident for External Fraud (as mentioned in the “Data in the driving seat” section on page 7) and for Internal Fraud (similar to External Fraud). Although the combinations of dimensions used can appear illogical, this pattern may have evolved as taxonomies are developed over time, with categories being added to respond to new threats or risks, or new regulatory areas of focus. Often organisations do not have the luxury of starting their taxonomy again.
Often participating taxonomies included level 2 risks that could be classed as causes and/or control failures. Given the increasing likelihood that organisations are penalised for inadequate control frameworks or control failures, without strictly having had an event occur, this may reflect a pragmatic approach to incorporate incidents that could lead to an impact.
Divergence was evident
In addition to the observations already mentioned, there was divergent practice evident in the participant taxonomies. The widest range of practice was seen within the risks that have risen in prominence – those often described as more “thematic” than pure risks (as per the control failures observation). This included Cyber, Conduct and Third Party.
Analysis highlighted that the 60 participants take different approaches to categorising these risks. Approaches observed included the use of such categories as level 1 risks, using impact and causal taxonomies to support classification, as well as the use of flags to indicate where an event may relate to more than one risk type.
As an example of the variances observed, an event captured as External Fraud may have a cyber-attack at its cause. Depending on an organisation’s approach, this could be classified as Cyber, or as an External Fraud with a Cyber cause, or as an External Fraud tagged with a Cyber flag. A further example is a technology failure event that may impact customers. This could be recorded as Conduct, or as a technology failure with a customer or conduct impact, or as a technology failure tagged with a Conduct flag.
These variances may well have arisen due to a lack of an industry standard covering such risks. Organisations’ taxonomies have grown organically, gaining idiosyncratic features influenced by factors such as the organisation’s approach to risk management, their jurisdiction and regulator.
In the full ORX Reference Taxonomy report available, there is further information outlining the analysis undertaken on the taxonomy data and the observations set out here. Supporting this there are also deep dives looking specifically at industry approaches taken for the categorisation of Cyber, Conduct and Third Party risks and further explanation of the approach and logic applied when developing these areas in the ORX Reference Taxonomy.
Please get in touch with ORX at firstname.lastname@example.org for further information about this full report on the ORX Reference Taxonomy.
Why a reference and what next?
Given the observations and areas of divergence described for certain risks, ORX believe it is extremely helpful to publish this taxonomy as a reference. The aim at this stage is to help develop consistent industry thinking rather than provide a taxonomy intended as a wholesale standard. It is hoped the ORX Reference Taxonomy has captured the wisdom of crowds and distilled many of the successful features of operational risk taxonomies from across the industry.
It will not currently be used for the ORX global loss data exchange services. However, ORX will seek feedback from its membership, the wider industry and regulators, including understanding where it has been adopted and the results of any benchmarking work. We also intend to re-run the initiative in 12 to 18 months’ time. Updating the taxonomy iteratively will allow ORX to collect updated taxonomies and review the effectiveness of the reference, help ensure it remains relevant and inclusive of key industry risks, and monitor potential convergence towards a future industry standard.
ORX Reference Taxonomy in action
ORX will use the reference taxonomy during 2020 in ORX News. This will allow it to be tested in action and support subscribers to the ORX News service in searches and reports. We also aim to use the taxonomy in other information services and products, particularly focusing on how we analyse and report on material risks.
See page 12 for more information about ORX and our services.
Appendix: bow tie methodology
The ORX Reference Taxonomy is based on the “bow tie” method (see Figure 1), which distinguishes between causes, events, impacts and controls. These are defined as follows:
Cause: The risk causes constitute the underlying environment that allows risk events to develop. These causes therefore go beyond the immediate triggers of an event, such as control failure. Multiple causes can be mapped to an event.
Event: The risk event is the central element of the framework, and is a discrete, specific occurrence, one degree removed from the impact on the organisation or its stakeholders.
Impact: The risk event can have direct and/or indirect impact on an organisation and its stakeholders. Multiple impacts can be assigned to a risk event.