What does a Risk Taxonomy tell you about a firm’s culture?
Getting a Risk Taxonomy in place can be a challenge for any firm starting from scratch or developing its existing framework. Firms can agonise over it and the poor soul coordinating can have a hard time capturing all the feedback. Getting it perfect is almost impossible and the trick is to develop it as a firm goes along its risk journey. But there are pros and cons of the different options available to a firm in the way it constructs a taxonomy (categorisation of risks). In trying to ‘get the data right’, we’ve seen many taxonomies during our partnerships with firms whilst implementing GRC systems and developing frameworks – but what can they tell you not only about a firm’s risk culture but also about its overall culture and priorities?
Some firms feel that the taxonomy should be a representative view of the various second line risk and compliance departments responsible for frameworks. For example, Level 1 Principal Risks will sometimes exist for: ‘Regulatory Compliance’; ‘Financial Crime’; ‘Reputational Risk’; ‘Resilience’; ‘Business Continuity Risk’; ‘Conduct Risk’; and ‘People and Culture’. The advantage of this approach is that it appears to present front and centre to the business the areas of concern for the firm to go off and manage, and makes it obvious to the regulator that the firm cares about these themes. The challenge, however, is two-fold:
i. bringing to life for the business the actual risk in their process or service. With this view, what we often see is that a business will select, at the taxonomy level, a word like ‘Conduct’ or ‘Culture’ because they think it’s important, but it may not be a threat to their process at all. Meanwhile, because of the emphasis on areas of low impact for that area of the business, they have overlooked something that actually impacts their service;
ii. difficulty in ensuring a holistic Risk and Control Self-Assessment (RCSA) process – a departmental taxonomy often leads to themed risk assessments that do not capture the required holistic view and prevents the Operational Risk department from performing successful read-across. It can also create duplicative risk assessments where the business is asked, for example, to perform a Financial Crime assessment as well as an RCSA (bear in mind that this same business may also have Internal Audit on their case as well as a second line Assurance team performing independent assessments all at the same time. Talk about a turn-off).
This can therefore project an over-bearing, over-intrusive culture that i. puts people off risk culture and ii. doesn’t encourage a holistic and self-identifying nature of risk management. You could describe the culture in this type of environment as a ‘done-to’, fatigued culture.
Top Risk and Buzzword Views
“Well the regulators are looking for this stuff, it’s a big deal”.
That is a true statement if I ever heard one. However, what does the statement actually mean? It certainly doesn’t mean: name it in the risk hierarchy, ask the business to consider it, rate it and job done. It means that if the risks in the process and service are not identified, managed, assessed, mitigated and reported on effectively using the various toolkits and measures available to us, then the regulator will not be happy. Let’s consider conduct. Does a firm manage conduct well if it asks a business to consider the word conduct in the risk taxonomy during the RCSA and rate it? I’m not even sure how I would word a business-specific risk in the business process for ‘conduct’. Or does it manage and measure conduct well if it uses a range of conduct metrics, manages its employee appraisal process appropriately, rewards good behaviour and punishes bad behaviour, identifies which processes and services could affect the best outcome for employees and customers, and manages them appropriately?
I received a view once that it was a mistake not to have the words ‘Culture’ and ‘Conduct’ in the taxonomy. This kind of approach can quickly lose emphasis on the actual risk and overlook key areas. In an attempt to project the right image externally, we can quickly lose sight of the importance of rewarding good behaviour, meeting our duty of care to employees and facilitating successful and fulfilling careers for employees internally. It’s difficult to draw out, for example, the ‘risk of an unsafe working environment’ in a hierarchy that overlooks Employment Practices and Workplace Safety and stops at ‘People and Culture’ in an attempt to impress the regulator. In short, we can start to foster a culture of overlooking a firm’s greatest resource – its people – by thinking we have done a great job by popping a buzzword into the taxonomy, creating fear and then stopping. This can have a powerful, silent, negative impact, because we stop thinking about positive employee relations, a positive reward culture, clear organisational charts, clear job descriptions and positive governance and frameworks that encourage good behaviour and togetherness, and that in turn foster a positive risk culture where the employee feels part of the risk management solution.
Classic Purist Views
Don’t be afraid of the challenge of implementing a taxonomy that genuinely draws out the risks inherent in most firms in most industries. Remember that the extent to which these are relevant to different industries simply varies the impact and likelihood; it doesn’t change the risks inherent in the firm. ICF Consulting are here to help with the education – your second line will have a huge part to play in helping inform colleagues how this works, which is an ongoing process requiring patience. If a firm regards itself as not being in a mature state with its Risk Culture, it doesn’t mean you carry on as you are. You have to start moving the dial at some point, by levelling the taxonomy in the right way and doing two things: i. preparing Risk Libraries (also Control Libraries, but that’s another topic for another day) that work for the firm, acting as a menu to assist and ease process-level risk identification; ii. if one of those does not fit perfectly, allowing teams and departments to word risks in their own words that mean something to them. This gives a sense of ownership and participation. Then ‘hook’ this into the taxonomy at the lowest level (we like three levels before getting into fourth and fifth ‘library’ levels) to provide all-important standardisation.
As an example, if a team is concerned about ‘People Culture’ it may be because it has a risk that ‘Financial Crime online training is consistently overdue across the team’, based on past experience. Therefore, just be specific and then hook that on to the more meaningful ‘Employee Relations Risk’. KRIs measuring this over the year can then be created along with similar conduct and culture measures, acting as the team’s overall culture measure – which then aggregates up into an overall culture and conduct dashboard. This is a more intelligent and holistic approach and, as referenced above, is more likely to encourage positive behaviour, because it allows the taxonomy to concentrate on actual risks and, in this example, provide focus on its people, than a taxonomy and governance that is mainly focussed on punishing employees for behaviour in order to project a certain image to the outside world and the regulator.