Aggregating into a risk taxonomy
Our key topics
- Aggregation is the key to unlocking risk intelligence.
- For aggregation to work, companies need a structure to aggregate into. This is the risk taxonomy.
- Yet, so often, risk taxonomies don't add value. They are constructed from the bottom up and disconnected from the value chain, operating model and executive authorities.
- Our top-down approach flips this on its head and will deliver you an aggregation structure that instantly comes to life.
This is our second article in a series on achieving risk intelligence.
Boards and executives increasingly expect risk to deliver insight and foresight.
Risk teams are often data-rich but lack a clear method to turn this data into intelligence.
In our first blog on achieving risk intelligence, we outlined why risk aggregation is the key to unlocking risk intelligence.
In this blog, we explain how to achieve practical aggregation.
Why do you need a risk taxonomy?
For aggregation to work, companies need a structure to aggregate into. This is the risk taxonomy.
A good risk taxonomy can deliver many practical benefits. Some of the main ones are:
- Unlocking bottom-up aggregation of risk information. From 1,000 to 100 to 10, risks are linked for focus on the right level of risk and the right level of management, without arbitrarily ‘cutting’ items to reach a ‘top 10’ list.
- Communicating top-down delegation of risk appetite. Allowing simple communication of where the board expects tightest control and prioritisation of risk resources, and where they allow greatest flexibility and freedom to innovate, and the spectrum in between.
- Setting clear authorities and accountabilities for risk. Showing how an organisation’s operating model and executive team face off against all the key areas of risk (both threats and opportunities).
- Showing the big picture, before zooming into the detail. It provides a single-page view for leaders of the entire enterprise risk ecosystem. This lets them see what they are not seeing before zooming into areas of focus.
However, the taxonomy must be built well to unlock these (and other) benefits.
Why bottom-up structures and standard categories don’t work
In our experience, organisations commonly build their taxonomy from the bottom up. They start with all their known risks and group them into parent-child hierarchies.
This method fundamentally builds a risk taxonomy from the wrong baseline.
The organisation ends up with generic groups of risks that do not reflect the unique nature of the business. And the risk team spend their time trying to build and maintain complex parent-child relationships that don’t add value.
The end result is a taxonomy that does not enable risk intelligence.
How to map taxonomy to value chain (and values)
To be effective, the risk taxonomy needs to be built top down rather than bottom up.
Put your risk register aside! Instead, establish the major areas of risk taking (both threat and opportunity) aligned to 3 key things on a top-down basis:
- Your value chain. These are the macro steps and groups of activities your business performs to progress from raw inputs to final output (products and/or services).
- Your organisational values. These are the core beliefs and principles that your company cares about in how you generate value.
- The operating model. These are the assigned authorities and accountabilities of your executive team.
When you get this right, it will immediately reflect your business. It will no longer be a generic grouping of risks disconnected from the business.
Only once you have built your taxonomy should you then bring in your risk register.
When you index each risk into the taxonomy categories, you will be amazed at how much it reveals about the blind spots in your risk knowledge.
This becomes easier to understand if you look at the taxonomy example provided below.
Taxonomy example 1 – top categories and accountability
We recommend companies aim for ~8–12 top categories.
The example below shows just the top categories in a generic mining company’s risk taxonomy.
The first half of the taxonomy (from left to right) contains value-chain categories, which align to the commercial activities and stages of a mining company.
The aim is to ensure these categories reflect executive authorities as closely as possible, so that you can assign the categories accordingly. (Ask: “who would you expect to set appetite and company-wide standards for this category?”)
The second half contains organisational-values categories, which are more ‘generic’ (although they still reflect sector or company priorities). Again, these should clearly align to the authorised executive.
Taxonomy example 2 – sub-categories
We recommend companies aim for ~5 (+/-) sub-categories per top category.
For the most part, sub-categories should be consistent in terms of the level of granularity versus aggregation. Each sub-category should be a ‘bucket’ of risks, with multiple types of underlying events.
If a sub-category only contains one specific type of risk, it may be too granular.
The notable exception is when sub-categories or risks are so significant at a group scale that they need to be explicitly named (such as ‘Tailings management’ in the ‘Technical’ category below).
Again, our generic mining example illustrates sub-categories in practice.
Next steps: risk intelligence and appetite
Once the value-chain risk taxonomy is complete, it can be put to work for a variety of uses.
You now have the basis for practical aggregation, which is the precursor to risk intelligence. You also have a simple structure to set and communicate risk appetite that is linked to your knowledge of risk exposure.
Follow our LinkedIn page to read the next post in our risk intelligence series.
Next, we will share a case study of how this approach has been a game-changer for a leading steel manufacturer.
Then we will share how companies can bring risk appetite to life with the risk taxonomy, connecting it to both leadership and strategic objectives, and operational practicalities.
Get in touch
At PAGER, we provide Advisory support and an AI Technology platform to help organisations transform their enterprise risk value.
Get in touch if you would like to learn more.