Building a Risk Taxonomy: Finding What Matters
Steven Minsky | March 8, 2012
A risk taxonomy is the framework for naming and organizing your risk information and for managing the relationships between its elements. Your Enterprise Risk Management (ERM) program, and any ERM software you use, depends on it.
Most organizations have an organizational chart showing how their people are connected. To be effective in risk management, an organization must also have an organizational chart of how its business processes are connected, so that accountability is clear and attention stays on business value.
The first step is to name, categorize and connect your business processes and sub-processes.
WHY: Establishing business process level accountability for risk: The foundation for enterprise risk management is identifying an organization's business processes and recognizing their owners as accountable for risk vulnerabilities, compliance and performance goals.
Because all business activities take place within business processes, all risks and mitigation activities also fall within processes. Defining processes is therefore the first step in leveraging efficiencies and creating transparency for risk management, compliance and business performance improvement.
WHAT: Focusing on business value with Performance Management: A business process is a set of coordinated tasks and activities that lead to accomplishing a specific organizational goal. Business processes include customer facing areas, those providing support functions as an internally shared service, or areas performed by an outsourced partner.
End-to-end processes consist of multiple levels of sub-processes. The level of granularity, meaning the extent to which processes are broken down into smaller processes, evolves over time. You may choose to get granular in areas of greater priority to the company and fill in the others later.
WHERE: Consolidating existing risk assessment templates: Business process names, their structure and their owners are typically already known within an organization and maintained by various functional areas such as finance, internal audit, HR, business continuity, process improvement, quality management, or other departments. There should be only one way to name and organize business processes enterprise-wide, otherwise known as a taxonomy or naming convention. The ERM team is responsible for locating these lists and agreeing on a single naming convention for the enterprise.
- Business Process Owner: the individual(s) responsible for process design and performance. The process owner is accountable for sustaining the gain and for identifying risks and future improvement opportunities in the process.
- Risk Owner: the individual accountable for the validation, assessment and action plan that addresses particular risks within the process.
The process owner is typically also the risk owner. When is this not the case? When the business process is outsourced. Activities can easily be outsourced, but ownership of the risks within those activities can never be outsourced and must remain managed within the organization. The next step in building a risk taxonomy is managing resource allocation: naming and categorizing all the key people, systems, and vendor products and services used by these business processes.
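To make the rules above concrete, here is a small data model for a process-level taxonomy. It is an added example, not code from the article or from any ERM product: it normalizes process names to one enterprise-wide convention so that lists collected from finance, audit and HR cannot register the same process twice under different spellings, keeps the process hierarchy, defaults the risk owner to the process owner, and refuses to let an outsourced process fall back to its vendor as risk owner. The enterprise, the people and the vendor name in `build_sample()` are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import re

# Added example, not from the article. The process names, staff and vendor
# below are constructed; the hierarchy, the two owner roles and the rule that
# risk ownership never leaves the organization come from the text above.


def canonical(name: str) -> str:
    """Single enterprise-wide naming convention: lowercase, alphanumerics,
    single spaces. 'Order to Cash' and 'ORDER-TO-CASH' map to one key."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


@dataclass
class Process:
    name: str
    process_owner: str                 # accountable for design and performance
    outsourced: bool = False           # activity performed by an outside partner
    risk_owner: str | None = None      # named only when it differs from the process owner
    children: list[Process] = field(default_factory=list)


class Taxonomy:
    def __init__(self, internal_staff: set[str]):
        self.internal_staff = internal_staff      # people on the organization's own side
        self.roots: list[Process] = []
        self.index: dict[str, Process] = {}       # canonical name -> process

    def has_process(self, name: str) -> bool:
        return canonical(name) in self.index

    def add(self, proc: Process, parent: str | None = None) -> Process:
        key = canonical(proc.name)
        if key in self.index:
            # Two functional areas submitting the same process under different
            # spellings must be reconciled into one entry, not stored twice.
            raise ValueError(f"duplicate process {proc.name!r} (have {self.index[key].name!r})")
        self.index[key] = proc
        if parent is None:
            self.roots.append(proc)
        else:
            self.index[canonical(parent)].children.append(proc)
        return proc

    def effective_risk_owner(self, proc: Process) -> str | None:
        """The process owner is the risk owner unless one is named explicitly.
        An outsourced process gets no default: the vendor never owns the risk."""
        if proc.risk_owner:
            return proc.risk_owner
        return None if proc.outsourced else proc.process_owner

    def validate(self) -> list[str]:
        """One finding per process whose risk ownership is not held in-house."""
        findings = []
        for proc in self.index.values():
            owner = self.effective_risk_owner(proc)
            if owner is None:
                findings.append(f"{proc.name}: outsourced process has no internal risk owner named")
            elif owner not in self.internal_staff:
                findings.append(f"{proc.name}: risk owner {owner!r} is not internal staff")
        return findings

    def paths(self) -> list[str]:
        """Hierarchical paths, parent before children, for a taxonomy report."""
        out: list[str] = []

        def walk(p: Process, prefix: str) -> None:
            path = f"{prefix}/{p.name}" if prefix else p.name
            out.append(path)
            for child in p.children:
                walk(child, path)

        for root in self.roots:
            walk(root, "")
        return out


def build_sample() -> Taxonomy:
    """Constructed sample enterprise (hypothetical names throughout)."""
    t = Taxonomy(internal_staff={"cfo", "controller", "hr director"})
    t.add(Process("Order to Cash", "controller"))
    t.add(Process("Invoicing", "controller"), parent="Order to Cash")
    t.add(Process("Collections", "controller", risk_owner="cfo"), parent="Order to Cash")
    # Payroll is run by an outside partner: the vendor owns the process, and
    # until an internal risk owner is named, validate() flags it.
    t.add(Process("Payroll", "acme payroll services", outsourced=True))
    return t


if __name__ == "__main__":
    tax = build_sample()
    print("\n".join(tax.paths()))
    print(tax.validate())
```

Run as a script it prints the four process paths and a single finding for Payroll; assigning `risk_owner="hr director"` to that process clears it, while trying to add "ORDER-TO-CASH" a second time raises because the canonical key already exists.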