On 6 June 2024 the European Banking Authority (EBA) launched a consultation on operational risk loss data collection. This includes consulting on a new draft risk event taxonomy. 
Why is it significant
This consultation is the first effort by a globally significant regulator to develop a more contemporary set of operational risk event types since the Basel Event types, which were first written down more than 20 years ago.
Over that period there has been a substantial change in the operational risks that the financial services industry faces. Risks such as conduct, cyber and third party have risen in importance, and now dominate boardroom agendas. How organisations think about this expanding portfolio of threats, and manage them in a consistent way, is underpinned by their risk taxonomy.
Back in 2018, we noticed a growing industry desire to update internal risk taxonomies. This led us to publish the ORX Reference Taxonomy, and our subsequent work on reference standards.
We welcome this move for a refresh by the EBA. However, we firmly believe that in the circumstances where concurrent taxonomies are required, it is extremely important for all industry participants that there is as much consistency as possible.
We believe a push for greater consistency (and narrower divergence) in standards, in practice, and within regulation requirements, is a critical foundation to enable the efficiency and innovation that the industry will need to manage the risks of the future.
What you need to know about their plans
In addition to the event types, the EBA has proposed additional flags or attributes to capture themes that cannot otherwise be easily captured.
Key features of the EBA’s proposed taxonomy include:
- Keeping the existing seven Basel II event types at Level 1
- Introducing 38 new Level 2 event types aligned to the existing Level 1 structure
- More granular Level 2 event types included such as data privacy breach or intentional sanctions violation, reflecting current risk management priorities
- 19 flags or attributes proposed, to be assigned to all applicable events, covering aspects including market risk, environmental, social and governance (ESG) risks, and greenwashing risk
Following the opportunity to speak to the EBA in 2023, we are pleased to see a significant degree of alignment to the ORX Reference Taxonomy, as well as the use of the flag, or attribute, concept.
Focus of the consultation
The consultation will ask firms about the proposed taxonomy, including its granularity and the challenges of identifying events attributable to some of the proposed flags. The EBA has also asked about the feasibility of mapping three years’ loss history to the new taxonomy.
In addition, the consultation will cover:
- A draft Regulatory Technical Standard (RTS) on conditions under which it would be unduly burdensome for a firm with a business indicator (BI) of between EUR 750 million and EUR 1 billion to calculate the annual operational risk loss. Most ORX members are likely to have a BI greater than EUR 1 billion.
- A draft RTS on how to adjust a firm’s operational risk loss data set following the inclusion of losses from merged or acquired entities.
Reponses to the EBA close on 6 September 2024.
Next steps
ORX will shortly be collecting member views on the Consultation Paper and will respond directly to the EBA. As part of the response, we will consider our own experience in developing the ORX Reference Taxonomy
We will also conduct a full mapping exercise to evaluate how the EBA proposed taxonomy could be generated from the ORX Reference Taxonomy for event types. Based on a high level initial evaluation, the great majority of ORX Reference Taxonomy Level 2 event types map to a corresponding EBA taxonomy Level 2 event category, either on a one to one or many to one basis.
trueYou need to be an ORX member to continue reading this blog
Not an ORX member? Talk to us today to discuss how you could join the ORX community.
