Three steps for creating an enterprise risk taxonomy

Kin Ly
Feb 3, 2021

There are numerous benefits to creating an enterprise risk taxonomy for an organisation, but where would you start in taking on such a complex exercise?


That was exactly the topic of conversation at our recent virtual roundtable on risk taxonomy, where our members openly discussed the various challenges and triumphs they experienced on their way to building an enterprise risk taxonomy.

They all had different reasons for either building or rewriting their taxonomy. Some simply wanted to create a 360-degree view of their organisation’s risk profile, while others were looking for the assurance that their organisation is thinking broadly enough about risk.

All of them, however, were looking to establish a common risk language that would help them to enhance the flow of information around their organisation and improve their overall enterprise risk management processes and procedures.

But while these reasons and benefits may be varied, the members who took part in our discussion were all in agreement as to the best way of establishing a new risk taxonomy, and here are the steps they came up with for making the process as effective and efficient as possible.

1. Mapping the value chain

You should break your organisation down into the different steps that make up your specific value chain in order to highlight areas under which risk categories can be built, with sub-categories sitting under these macro-level categories.

Between eight and twelve level-one categories is ideal, depending on the size and complexity of your organisation, with each of those categories having between three and five sub-categories underneath it.

You should always focus on the causal categories that make up your taxonomy first, as these causal relationships often act as a driver for all the other risks within your organisation.

2. Aligning your categories

Once you have mapped out your value chain and the corresponding risk categories, you need to ensure that the taxonomy is also aligned to your organisation’s values and corporate structure.

Categories such as health and safety, environment and community, and legal and compliance are often particularly reliant on values, and the importance of this step of the process should not be underestimated.

Ensuring that your organisation’s values and corporate structure are firmly embedded into the enterprise risk taxonomy will create a network of ownership and responsibility that ensures that the taxonomy is used for maximum organisational benefit.

3. Piecing the jigsaw together

Once you have confirmed the categories and sub-categories that make up the draft taxonomy, you must analyse them for any gaps or overlaps in the framework.

Any gaps represent an under-representation of risk within the taxonomy, and appetite needs to be increased in that area, while concentrations of risks represent a high level of risk exposure.

This mapping of risks also allows you to get the right level of people within the right area of the organisation.

With this correct level of oversight, you will also get an aggregate understanding of your risk, which will in turn allow you to make well-informed decisions about the prioritisation of company resources.

We will be running more virtual meetings on risk taxonomy, looking at common pressures and roadblocks and how to overcome them, and at how to successfully implement the newly created taxonomy in the organisation. To find out more, contact me at kin.ly@riskleadershipnetwork.com.

Are you an in-house risk manager who could benefit from collaborating with a global network of risk leaders? Talk to us about becoming a member today.
