Resource explorer

Explore all ORX’s risk management resources and risk framework materials using this interactive explorer. This tool allows you to easily find ORX resources on risk management cycle stages and the wider risk framework.

The interactive explorer brings together resources from ORX Membership, ORX Cyber, ORX News and ORX Scenarios. You will only be able to access them if your firm subscribes to the relevant service.

Interactive Risk Management Resources Explorer

Stage 1. Risk Identification

Risk functions identify areas that could negatively impact the firm, such as disruption of its day-to-day operations, or that could pose further risks to the organisation. Both internal and external factors are considered to analyse threats and ultimately identify the individual risks facing the firm. Risks are categorised by type and level of granularity within a taxonomy.

Stage 2. Risk Analysis

Following the identification of the risks facing the firm, risk functions analyse and assess each risk using an impact and likelihood scale, also known as a 'Risk Assessment Matrix', which allows risks to be scored, ranked according to their rating or score, and prioritised. Risk assessment allows a firm to better understand its risk profile and the potential impacts a risk could have if it materialised.

Tools and information used for both risk identification and risk assessment include internal and external loss data, risk and control self-assessments (RCSAs), control monitoring, metrics, scenario analysis, and benchmarking or comparative analysis.

Stage 3. Risk Evaluation

Following the assessment of a risk’s potential likelihood and impact, the firm evaluates that assessment against its risk appetite. This may be a firm-wide risk appetite statement (RAS), or a RAS set for this specific risk type. Evaluation against appetite establishes whether the risk is within the firm’s appetite and can be tolerated, or whether it would breach the RAS and therefore action should be taken, either risk treatment or formal risk acceptance.
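The scoring, ranking and appetite evaluation described in Stages 2 and 3, as an added worked example that is not part of the ORX page or its tooling. It assumes a 5x5 matrix with constructed ordinal scales and rating bands, a "/"-separated hierarchical taxonomy path per risk, and risk appetite expressed as the maximum tolerated rating, keyed either firm-wide ("*") or by a taxonomy prefix so that the most specific RAS applies. The risk register and appetite statements are constructed sample data.

```python
from dataclasses import dataclass

# Ordinal scales for a 5x5 risk assessment matrix. Labels and bands are
# constructed for this example; a firm defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Upper bound of each rating band on the 1..25 product (constructed bands).
RATING_BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    taxonomy: str      # hierarchical path, most general level first, "/"-separated
    likelihood: str
    impact: str


def score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood x impact on the ordinal scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score_value: int) -> str:
    """Map a matrix score onto its rating band."""
    for upper, label in RATING_BANDS:
        if score_value <= upper:
            return label
    raise ValueError(f"score {score_value} lies outside the matrix")


def appetite_for(taxonomy: str, appetite: dict[str, str]) -> tuple[str, str]:
    """Return (RAS key, maximum tolerated rating) for a taxonomy path.

    The RAS keyed by the deepest matching taxonomy prefix wins; "*" is the
    firm-wide statement used when no risk-type RAS applies.
    """
    parts = taxonomy.split("/")
    for depth in range(len(parts), 0, -1):
        key = "/".join(parts[:depth])
        if key in appetite:
            return key, appetite[key]
    return "*", appetite["*"]


def evaluate_register(risks, appetite):
    """Score, rate, rank and evaluate each risk against appetite.

    Rows come back highest score first. 'decision' is 'treat' when the rating
    exceeds the applicable RAS, otherwise 'accept' (within appetite).
    """
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        rt = rating(s)
        ras_key, max_rating = appetite_for(r.taxonomy, appetite)
        breach = RATING_ORDER[rt] > RATING_ORDER[max_rating]
        rows.append({
            "risk_id": r.risk_id, "title": r.title, "score": s, "rating": rt,
            "ras": ras_key, "appetite": max_rating,
            "decision": "treat" if breach else "accept",
        })
    rows.sort(key=lambda row: row["score"], reverse=True)
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# Constructed sample register and appetite statements (hypothetical, not ORX data).
SAMPLE_RISKS = [
    Risk("R1", "Credential phishing against staff", "Cyber/External attack/Phishing", "likely", "major"),
    Risk("R2", "Payments batch job failure", "Technology/Processing failure", "possible", "moderate"),
    Risk("R3", "Mis-selling complaint", "Conduct/Product suitability", "unlikely", "moderate"),
    Risk("R4", "Cloud provider regional outage", "Third party/Cloud", "rare", "severe"),
]
SAMPLE_APPETITE = {
    "*": "medium",                # firm-wide RAS
    "Cyber": "low",               # risk-type RAS, tighter than firm-wide
    "Third party/Cloud": "high",  # RAS for one specific sub-type
}

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_RISKS, SAMPLE_APPETITE):
        print(f"{row['rank']}. {row['risk_id']} score={row['score']:2d} {row['rating']:<8} "
              f"RAS[{row['ras']}] <= {row['appetite']:<6} -> {row['decision']}")
```

Two points the matrix alone does not show: ranking by raw score puts a rare-but-severe risk (R4) below a routine processing failure (R2), which is why firms pair the matrix with scenario analysis for tail events; and the appetite lookup resolves per taxonomy prefix, so a risk-type RAS (here "Cyber") overrides the firm-wide statement without having to enumerate every leaf.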

Stage 4. Risk Treatment

Once a risk has been evaluated against risk appetite, the firm determines whether actions are required to reduce the likelihood of the risk occurring. Firms employ various control measures to prevent an operational risk from occurring and to safeguard the organisation, known as preventative controls. If an operational risk event does materialise, firms can employ additional controls to mitigate the risk and minimise the impact of the event on the firm.

Internal controls minimise risks and protect assets, ensure accuracy of records, promote operational efficiency, and encourage adherence to policies and regulations. Internal controls may be preventive or detective, automated or manual, and all of these are impacted by people. Alternatively, the firm may decide to accept a risk and not introduce further controls. 

Stage 5. Risk Reporting 

The risks faced by a firm, as well as changes to said risks and the firm’s risk profile, are reported to senior management and the board to facilitate decision-making processes. Stakeholders across the organisation require timely and accurate reports on the state of the operational risks the firm faces in order to manage those risks. Risk data must also be reported to regulators to meet regulatory requirements.


Risks are monitored via risk indicators through an ongoing risk assessment to determine any changes to a firm’s risk profile over time.

Risk Framework & Governance

Operational risk frameworks vary between financial institutions as there are several areas to consider when firms decide how to treat operational risk. The broad over-arching concepts that govern a firm’s overall approach to operational risk are:

  • Governance
  • Risk appetite
  • Operational resilience
  • Culture

Governance is a key aspect of operational risk management for firms and typically includes oversight from the institution’s Board, as well as from senior leadership.


Risk Appetite

Risk appetite can be considered from different perspectives. On one hand, at the Board level, risk appetite concerns a firm’s willingness to take risks in order to achieve its corporate objectives, whereas at a business unit level, risk appetite is reflected in the reaction of management when excessive risks arise. Determining the operational risk appetite should be a key priority for the firm, as it allows it to subsequently identify the optimal amount of risk to take in pursuit of its objectives.


Internal operational risk culture is taken to mean “the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a firm’s commitment to and style of operational risk management”, according to the Bank for International Settlements. Generally speaking, culture is established through the 'tone at the top' set by the board of directors and senior management, and then fostered throughout the organisation.

Culture can be both a source of strength and a source of weakness when it comes to the management of operational risk. An appropriate risk culture will ensure that staff accept the importance of effective operational risk management and behave in a manner consistent with the organisation’s operational risk policies, procedures, and appetite. Conversely, an inappropriate risk culture can be both a cause of operational risk events and a mechanism for intensifying their impact.

Risk Taxonomy & Reporting Standards

A risk taxonomy is the categorisation of risk types, typically in a hierarchical tree structure, whereby risks nearer the top of the hierarchy are split up into more granular manifestations further down. Firms typically categorise their operational risk events according to an event type taxonomy. In some cases, firms will categorise their operational risk events according to more than one taxonomy – this may be due to regulatory guidance on data reporting requirements or other factors.

To support our community and help the industry respond to the emergence of new risks over the last decade (such as cyber, conduct, and third-party risks), we developed an Operational Risk Reference Taxonomy. This taxonomy provides a wider variety of risk types than Basel II. The ORX Reference Taxonomy is made up of a taxonomy for risk event types, and one for causes and impacts.


All firms will have systems and processes in place for storing information relating to the risk management framework, one key example being the Governance, Risk, and Compliance (GRC) tool. Some firms may have highly integrated and automated systems and tools, while others may use different systems for specific uses. 


Matt Glinister

Head of Risk Management, ORX

Natasha Smith-Craig

Assistant Research Manager, ORX
