In this second blog exploring our journey to develop industry standards for operational and non-financial risk (ONFR), I share six key lessons we learned along the way. We've gained valuable insights which can help you develop or improve your own standards.
Before I begin, this blog is the second in a two-part series. To understand the background to our work on standards, please read the first blog.
Our work on standards, taxonomies and references has been well received but I’d be lying if I said it had been easy! Whether you are progressing with developing your own standards or are looking to enhance what you already have, hopefully the following top tips are helpful.
Six top tips for developing operational and non-financial risk standards
1. Engage your stakeholders, engage them early
We wouldn’t have been able to progress our journey without significant input from our members, whether sharing data, participating in roundtables, or joining our advisory panels to help design the approach to developing the standards and libraries and then providing extensive challenge.
Members have consistently reported that engaging a cross section of stakeholders from both the first and second lines of defence, as well as from areas of risk expertise, helps derive the most robust outputs and ensures stakeholders are bought in to using them. Success is strongly correlated with effective collaboration.
2. Agree pragmatic design principles
Agree a set of pragmatic design principles that guide the development or review of a standard. This can include definitions, how many levels the standards will contain, the scope etc. Such principles help to provide a reference point for design and construction decisions as standards are developed or changed, particularly helping to ensure coherence and to resolve disagreements.
3. Governance
We used our advisory panel to help agree each of the standards, both determining how the standards should be constructed and then extensively reviewing the draft outputs to ensure the standards are robust and usable.
Across the industry, we hear positive stories of standards being subject to review and change control through governance forums to ensure an organisation can control the standards against their own design principles. The idea is to ensure they remain true to these design principles, whilst remaining contemporary and meeting the needs of stakeholders.
4. Bring an external perspective
Key to the development of the ORX reference standards has been the use of member data. This has ensured they reflect industry practice and today’s business and risk environment.
As we constructed and finalised the standards, we used a range of techniques to ensure they are fit for purpose. This included reconciling to other external frameworks, for example COBIT and NIST; working with a partner who can bring wider risk domain and business expertise; and using a representative member advisory panel, bringing real industry expertise together.
The ORX reference standards are absolutely intended to help bring an external perspective to the development of your own standards. Peer organisation interactions, expert support and use of wider frameworks can also bring significant benefit. As I stated earlier, we believe the use of standards and libraries is an incredibly important foundational requirement of a successful ONFR approach; getting them right is key.
5. Leverage technology
When I look back over the last five years, the use of technology has been an increasingly important factor in the development of the ORX work, particularly when faced with large and diverse data sets. For the control library, we used an LLM to help organise member data. This helped create the first versions, bringing together similar themes and aligning controls to risks for review with experts. For the Reference Process and Services Library, we used a proprietary GenAI model to accelerate development, enabling early delivery of the work.
We do hear that members are leveraging technology in a similar way to support their standards work. Examples include (re-)categorising data, mapping data to wider taxonomies (such as ORX or Basel) or even grouping their own granular data to form the basis of new standards or libraries (e.g. control data to form a control library). There is also opportunity to use technology to help review data quality and to drive analytics. The speed of development and easier access means all should embrace and experiment with technology; it can be a huge help and really accelerate progress.
6. Test, guide and use
My final recommendation is to test or pilot a new or changed standard. It really is beneficial to do this using synthetic data or a smaller population of existing data to ensure the standard is fit for purpose. We used ORX News event data to test the ORX Risk Taxonomy, re-categorising and demonstrating the taxonomy worked. Guidance has also been critical to the success of the ORX standards and libraries. It is important to explain how they should be used and to clearly define the categories. This helps drive consistency in understanding and application.
Use of the standards is also critical: apply them across your framework, and use them to drive risk conversations, actions, analysis and insights. We have endeavoured to do this across our services and products, for example in the Top Risk reviews we conduct every six months. We will also implement the taxonomy within the ORX loss data later this year, enabling us to enhance the insights we are able to present to members.
Our plans for 2025
Although we have now completed the development of our current set of standards, taxonomies and libraries, our work doesn't stop here. These are just some of the ways we'll continue to develop and build on them this year.
Integrating the standards
We will link the control and indicator libraries and will explore how we connect the process and services library to risks and controls.
New data and insights
We will incorporate the ORX risk taxonomy into the loss data as part of launching the new data exchange system - Agora. This will allow us to bring data together and provide meaningful risk management insights, an ‘outside in’ view for members.
New services
We will identify opportunities for members and subscribers to share new data and insights, for example sharing and benchmarking control data.
Keeping the standards and libraries up to date
We will develop a method for reviewing and, where appropriate, updating the standards and libraries.
Stay up to date
Follow us on LinkedIn, sign up to our newsletter or keep an eye on our websites for updates about these activities and more. If you have any questions, please do get in touch with us.
How you can access ORX's standards
Our entire series of standards, references and taxonomies is available to all ORX members, while ORX Lite subscribers can access the taxonomies and guidance. Our Banking Operational Risk Reporting Standards and Insurance Operational Risk Standards are both available to download for free.
If your firm isn't a member, then you can also purchase the three reference libraries and two taxonomies either individually or as a package.