Developing a value-chain risk taxonomy
This is our first article in a series on achieving…
- Risk teams are data-rich but intelligence poor.
- Intelligence systematically relies on multiple data sources.
- Simplification does not mean reducing the number of risks or key risk indicators.
- Simplification means aggregation and corroboration to find what matters.
This is our second article in a series on achieving risk intelligence.
Boards and executives increasingly expect risk to deliver insight and foresight.
Why do you need a risk taxonomy?
Beyond intelligence, a risk taxonomy can deliver many practical benefits:
- It streamlines risk information. Companies can go from discussing 1,000 to 100 to 10 risks, meaningfully, without arbitrarily ‘cutting’ items to reach a ‘top 10’ list.
- It shows how an organisation’s operating model and executive face off against its areas of risk (both threats and opportunities).
- It facilitates a top-down delegation of accountability and risk appetite.
- It aids with risk identification by becoming a map of all the major risk areas. (If some areas are sparsely populated, this may be evidence of blind spots.)
- It provides a single-page view for leaders of the entire enterprise risk ecosystem.
However, the taxonomy must align to the organisation’s value chain to enable many of these benefits. Many companies fail to optimise their approach.
Why bottom-up structures and standard categories don’t work
In our experience, organisations typically build their taxonomy from the bottom up. They start with all their known risks and aggregate into a giant parent-child hierarchy. It usually ends up aligning with generic impact categories from the risk matrix.
It does not work. The method fundamentally builds a risk taxonomy from the wrong baseline, and the organisation ends up with a structure that is very unwieldy.
The risk team spend half their time trying to manage complex parent-child relationships, and risk owners are all too often squeezing a square peg into a round hole when it comes to categorising their risks.
Building a taxonomy from the top down totally changes your approach. It means you create a custom, pre-determined structure, which all your data can be aggregated into.
How to map taxonomy to value chain (and values)
So, what exactly do we mean when we talk about mapping a taxonomy to a value chain?
First and foremost, it means creating categories that align to the major commercial areas or stages of the business.
Secondly, the risk taxonomy includes ‘enabling risk categories’. These align to the organisation’s values and ways of doing business.
Both of these types of categories should then naturally connect with the organisation’s authorities and executive accountabilities.
This becomes easier to understand if you look at the taxonomy example provided below.
Taxonomy example 1 – top categories and accountability
We recommend companies aim for ~8–12 top categories.
The below shows just the top categories in a generic mining company’s risk taxonomy.
The first half of the taxonomy (from left to right) contains value-chain categories, which align to the commercial activities and stages of a mining company.
The aim is to try and ensure these categories reflect executive accountabilities as closely as possible – and assign the categories accordingly. (Ask: “who would you expect to set appetite and company-wide standards for this category?”)
The second half contains value-based categories, which are more ‘generic’ (although they still reflect sector or company priorities). Again, these should be sufficiently important to the company that they clearly align to an accountable executive.
Two owners for one category is possible in our methodology. On the other hand, where there seems to be no clear owner – or everyone could be an owner – establish a ‘best fit’ and note this on or near the taxonomy.
Taxonomy example 2 – sub-categories
We recommend companies aim for ~5 sub-categories per top category.
For the most part, sub-categories should be consistent in terms of the level of granularity versus aggregation. Each sub-category should be a ‘bucket’ of risks, with multiple types of underlying events.
If a sub-category only contains one specific type of risk, it may be too granular.
The notable exception is when sub-categories or risks are so significant at a group scale that they need to be explicitly named (such as ‘Tailings management’ in the ‘Technical’ category below).
Again, our generic mining example illustrates sub-categories in practice.
Next steps: risk appetite for leadership
Once the value-chain risk taxonomy is complete, it can be put to work for a variety of uses. Follow our LinkedIn page to read the next post in our Risk Intelligence series.
We will show how companies can bring risk appetite to life with the risk taxonomy, connecting it to both leadership and strategic objectives, and operational practicalities.
At PAGER, we provide Advisory support and an AI Technology platform to help organisations transform their enterprise risk value.
Contact our founder, Anthony Reardon, if you would like to learn more.