One of the great benefits of establishing an Enterprise Risk Management program is the ability to see and consistently manage risk regardless of where it resides within the organization. Consistent risk management depends on many things, but foundationally the organization must agree on certain key terms. These terms must be clearly communicated to management and the board of directors, routinely reinforced in risk discussions, and re-communicated as management turnover occurs.
An organization’s risk taxonomy is the language in which the organization talks about risk. Identifying, measuring, deciding on, treating, and monitoring risk cannot be done consistently without agreement on the definitions of the following terms:
- Risk – How does the organization define risk and does it include both negative events and the cost of opportunities forgone?
- Categories of Risk – What are the risk categories that the organization wants to consider in its discussion of risk and how are they defined? Risk category examples include market, credit, liquidity, operational, compliance, strategic, reputation, etc.
- Internal Control – What is the definition of an internal control, how is it constructed and classified (manual, automated, preventive, detective, etc.)?
- Inherent vs. Residual Risk – Will both of these terms be used, and if so, how are they defined (commonly, inherent risk is the exposure before considering controls and residual risk is the exposure that remains after controls are applied)?
- Loss Event – What constitutes a loss event or near miss and in what categories will losses be captured and catalogued?
- Risk Assessment – What are the acceptable methods for assessing risks (qualitative, quantitative, modeled), and under what circumstances is it acceptable to use each method? Will assessments consider likelihood/probability, frequency, impact, or other variables? Will risks be assessed on a discrete basis, a systemic basis, or both? How must the assessments be documented?
- Risk Appetite and Risk Tolerance – What do risk appetite and risk tolerance mean to the organization, and how should risk decisions be made within the context of that appetite and tolerance?
- Risk Rating Scales – Has the organization chosen a risk rating scale such as high/medium/low, 1-5, and/or monetary scaling? For whatever scale has been selected, what is the definition of high, medium, low, 1-5, etc.? Are these scales aligned to the definition of materiality used in the company’s financial statements? Are the scales consistent with how the company’s regulator evaluates the company?
- Policy, Procedure, Regulation, Obligation, Rule – What do these terms mean to the organization?
While an agreed-upon taxonomy is essential to managing risk consistently, organizations should also consider aligning their taxonomy externally. There are great benefits in aligning an organization’s risk taxonomy with common standards such as ISO 31000 or COSO, with the taxonomy used by its regulatory bodies, and with the taxonomy most often used by its customers and partners. The broader the agreement between an organization and its constituencies about risk, the more efficiently and effectively risk can be managed.
Optimally, terminology should be formalized as part of the organization’s risk management practices, approved by senior management and the board of directors, and communicated to all stakeholders, and the field names and reports in the risk management and governance tools used throughout the organization should be standardized on these terms and definitions.
I would be interested in hearing from others on this subject and whether there are other terms and definitions that should be included in this list of essential risk management taxonomy. In later blog entries I will discuss some of the other factors that contribute to a good risk management program.