A risk taxonomy, the brains of an enterprise risk management software platform, creates a common language to make working across operational silos possible. It also creates the basis for a risk management discipline, so rather than reacting to seemingly “one off situations” the entire organization can standardize and prioritize how assessment, mitigation and monitoring are applied in a common comparable way to build risk management competency across the enterprise.
See our other blogs Identify Core Business Processes and Link Resources to Business Processes that explain steps 1 and 2 of building your risk taxonomy.
- Standardize assessment criteria and weightings for your Enterprise Risk Assessment Template – Common standards and assumptions makes information collected across the organization objective, quantifiable and comparable, enabling better analysis, issue resolution and issue escalation when necessary.
- Rationalize and consolidate risk assessments and data fields – Different areas across the organization are collecting the same information for resources, they just don’t know it. For example, Accounts payable, contract management, vendor management, business continuity, and IT all collect overlapping information about your vendors. By understanding what information is being collected by these areas for each resource, you can easily rationalize and consolidate assessments and data fields. You can gather information across silos and identify areas where controls and tests can be consolidated.
- Make resource allocation available in a central place as a library – Using information from one common place makes it possible to dramatically reduce rework, especially collecting and managing information, for both you and the process owners you work with.
- Formalize risk identification of resource dependencies to each other – The library also helps you know who else is connected to the same information. The key is to figure out how all of these resources are related to each other and what combination of these resources are most important to critical areas of your business.
By connecting activities, or controls, to the vendors and other resources that activity relies upon at the business process level, the process owner and the activity owner can now be notified when resources change, both directly and indirectly, related to their areas of concern. This is a major contributor to business performance management and the value add of enterprise risk management.
Typically people in organizations only know one degree of separation in relationships. A risk taxonomy enables you to recognize all the relationships and notify appropriate related parties on changes, both direct and indirectly related to their area, so no one misses the “memo.” Direct relationships are always known, it is the indirect relationships that are more problematic and hard to control.
Look at BP for example, the vendors were not in connection with each other or the processes owners involved. People were missing key pieces of the “memo” reporting that there were issues, so no one could put the puzzle together. In days were outsourcing of vendors and activities is becoming so extensive and complex, how do you maintain the connections between the risks encountered by your vendors and your business risk and control owners throughout the organization?
Why did the CEO of BP get fired? Lack of establishing effective monitoring of risk!
By building a risk taxonomy to define resources and their relationships, along with implementing common standards and assumptions across your organization, everything becomes comparable and objective — everything is on the same scale. You can analyze, report, and make decisions taking into consideration every relationship related to the resource or process across the organization. This is how risk tolerance is aggregated and matched to the organization’s risk appetite!