Risk Categorisation – your FAQs answered
Sword GRC Blog
According to the Institute of Operational Risk (IOR), “A workable risk taxonomy – often referred to as risk categorisation – can be regarded as the foundation upon which an effective operational risk management framework is constructed. Without this common frame of reference for risk information, there will be no clear basis for monitoring, reporting, or meaningful action.”
What are the main types of risk?
In its ‘Operational Risk Categorisation’ white paper, the IOR summarises the key risk types to which organizations are exposed as Credit, Liquidity, Market, Operational, Reputation, and Strategic. Its guidance stresses that these risks exist within a wider organizational context: exposures and events may overlap, and an event in one risk type may, as a knock-on effect, give rise to risk in another.
What are the benefits of categorising risks?
Putting risks into categories demarcates them from other risk types and provides a useful way to determine where the greatest concentration of threats lies. Categorisation makes it possible to identify common risk causes. And, importantly, it helps you develop appropriate risk responses.
The four core benefits are:
Identification – with a ‘menu’ of possible risks, an organization can determine which ones are relevant to its departments or activities, thus preventing potential risks from being overlooked.
Measurement – consistency in terms and descriptions means that operational risks can be compared and data amassed.
Monitoring and reporting – with a common frame of reference, the output of an operational risk management framework can be analysed more effectively: resources can be allocated to the most significant operational risks, risk exposures can be compared across the business, and appropriate targets and thresholds can be set.
Control – different categories of risk may demand very different control responses. With categorisation, customised control strategies can be developed.
Should staff at all levels be comfortable with risk categorisation?
Yes. Personnel organization-wide should be able to understand the risk categorisation descriptions used, and the categorisation must support them in their roles. Initially, consultation on a draft framework is recommended, inviting comments from everyone who will use the categorisation.
How often should a categorisation framework be reviewed?
Periodic review is advised, since business operations and their associated operational risks change over time. New risks may emerge and gaps may become apparent, so to keep the framework valid an annual review is recommended.
Is designing an operational risk categorisation framework complex?
The guidance explains that great care should be taken in framework design, as errors can make the framework difficult to use or inefficient, or cause risks to be overlooked. Since operational risks are a combination of causes, events, and effects, a framework may be based on any one of these three facets, though event-based categorisation is the most common.
Does the IOR have a view on which basis for categorisation is best?
The IOR favours event-based categorisation, recommending that where possible, high-level sub-categorisations for their causes and effects are used to complement event-based categorisation. This enables an organisation to better link causes, events, and effects and to identify and mitigate potentially dangerous patterns.
What other factors should be considered in the framework design stage?
The advice is to ensure that the design of the categorisation is appropriate and proportionate, with granularity limited to level 1, or at most level 2. Terminology should be consistent, and each category of risk should have a clear and unambiguous explanation. The framework should be relevant to all parts of the operation and structured in a way that is consistent with its activities and objectives. An ‘other’ category is best avoided: should a new category of risk emerge, it should be added to the framework explicitly.
How best do I go about implementation?
The white paper is essential reading here: its guidance spans the roles and responsibilities of the framework’s primary users, the key factors that should be considered for successful implementation, and the common challenges that may arise and how to overcome them.
Be sure to download your FREE copy of ‘Operational Risk Categorisation’ Operational Risk Sound Practice Guidance now.