Taxonomy - November 2020
Building on the Event Type Taxonomy to cover cause and impact categories
Following the development of the ORX Event Type Taxonomy in 2019, it became clear to us that complementary cause and impact categories would support the understanding and use of the taxonomy. By covering the cause-event-impact ‘Bow Tie’ model, we could provide a more insightful view of how financial organisations can apply the operational risk taxonomy in practice.
So, applying a similar methodology to that used in our previous work, and again supported by Oliver Wyman, we've created the Cause and Impact Operational Risk Reference Taxonomy. This taxonomy consolidates the information collected from 50 financial services firms into a single view of causes and impacts. We've also created guidance to help you use the taxonomy to its fullest advantage.
The Cause and Impact Taxonomy complements the Event Type Taxonomy. Together, these two resources make up the ORX Reference Taxonomy. In line with our mission to improve operational risk management throughout the financial sector, we've made summaries of both taxonomies freely available. You can also purchase guidance to help you use the taxonomy.
"The taxonomy can be used as a key reference to benchmark against and to observe industry trends. We haven’t created the taxonomy as a standard specifically intended to be adopted wholesale. Instead, you can use our taxonomy to help develop your organisational taxonomies and to provide industry evidence to support change. Our hope is that the ORX taxonomy will allow firms to accelerate their thinking."
Mark Cooke, former ORX Chairman and former Group General Manager at HSBC
About the Cause and Impact Taxonomy
Definitions and examples to support understanding of the cause and impact categories
“Our strategic priority was to create a common point of reference for operational risk taxonomies, laying the foundations which allow industry debate and consistent industry sharing of insights and data going forward."
Simon Wills, Executive Director, ORX
Using data from our member firms as the key input, we've developed reference cause and impact categories to level 2. The Cause and Impact Taxonomy provides definitions and examples to support understanding of the cause and impact categories, while the guidance helps you better understand how to use it.
Data remains in the driving seat
In our full report on the Event Type Taxonomy, we discussed that many organisations have divergent taxonomies even though they are often evolved from the Basel Event Types. This is particularly true for the more contemporary risks (such as information security, third party and cyber). Similarly, we saw the same pattern with the cause and impact categories collected in 2020.
The causes are often based on the original Basel definition of operational risk (people, process, systems and external). And, there is a core set of financial impacts observed, which is often aligned to regulatory and accounting standards. However, organisations have also evolved these categories over time, reflecting changes in their risk profile, businesses, and regulatory environment.
Top-level observations from the data
A continued link to Basel
The data shows a clear link with the Basel definition of operational risk (considering people, process, system, and external factors). The majority of the cause categories contain these four categories, with some of the taxonomies that were shared containing an augmented number of level 1 categories.
Impact categories have evolved beyond financial
Whereas there is a relatively clear set of common financial impacts, driven by regulatory and accounting standards, only a small percentage of our member organisations who shared their data exclusively use financial categories. There is a diverse set of non-financial impacts along two leading dimensions
- Impact channel – i.e. how the organisation is impacted (e.g. its reputation is tarnished)
- Stakeholder group – i.e. who is impacted by the operational risk event (e.g. customers of the member)
Guidance, definitions and deep dives
To help you get the most from our updated reference taxonomy, we’ve also created guidance and supporting documentation. The guidance is free for ORX members and available for non-members to purchase alongside the complete ORX Operational Risk Reference Taxonomy.
The guidance includes examples and provides more detail about the taxonomies and how you can use them. It gives you detail on each level 1 risk, explains how to use flags and risk themes to add further context and insights to your data, provides information and definitions for specific cause categories and more.
New guidance added in 2023
In 2022, we ran a survey with our members to see how they're using the taxonomy and identify where we could provide further support to our community. Based on this survey, we've republished the Cause and Impact Taxonomy with additional guidance on:
- Third party failure
Gated content start
Want to access the Cause and Impact Reference Taxonomy?
This resource was produced as part of ORX Membership. If your firm is a member of ORX, log in or register to instantly access this resource for free.
Not a member? You can download a free version of the taxonomy or purchase the full taxonomy and guidance.
Gated content stop
Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2023
Research and Information Director, ORX
Head of Risk Management, ORX