
Industry-led op risk taxonomy launches

Scheme aims to complement Basel classifications, ease peer comparison


A new bank-led system for categorising operational risks, developed by industry consortium ORX, reflects the increased importance being accorded to risks outside traditional market and credit risk parameters since the publication of the Basel Committee on Banking Supervision’s taxonomy.

The new taxonomy is intended to create a common language for financial institutions to share information and a framework for understanding the causes and effects of operational loss events. It will also allow for easier comparison between institutions when benchmarking their findings.

“As operational risk moves more toward non-financial risks, it makes sense to have a fresh look at the taxonomy,” says Jonathan Humphries, executive director for non-financial risks at Aon. “It’s an important starting point for any discussion around measurement as well as interaction with the business.”

Developed by ORX with Oliver Wyman, the project was conducted with input from an advisory group of ORX member institutions, and draws on some 60 taxonomies submitted by member firms. It has been in development for more than a year.

“This is a good example of collaboration across the banking industry to develop a real-world risk taxonomy for non-financial risks,” says Mark Cooke, group head of op risk at HSBC, who also chairs ORX. “For many banks, this will in large part mirror what they already have, yet it allows them to benchmark to common practice and [to] highlight areas they may want to evolve.”

In analysing bank taxonomies, ORX and Oliver Wyman noticed a wide divergence in the way banks were categorising risks such as cyber, conduct and third-party risk. This was due mainly to differences in how firms classify cause and effect. For example, an external fraud that’s perpetrated through a cyber attack could be classified as cyber risk, or as external fraud, with cyber risk as the underlying cause. Similarly, a technology failure that affects customers could be classified as either conduct risk or as a technology failure with a customer or conduct impact.


“Four years ago, there was still a reasonably high correlation with the Basel event categories. Today, there is a greater propensity to extend beyond those categories,” says an operational risk executive at a large UK bank. “We now have [through ORX] the ability to get our categorisations aligned in a way that’s useful.”

The taxonomy includes 16 Level 1 risks and 61 Level 2 risks. Included within the Level 1 risks are six of the original seven Basel categories. The seventh Basel category – losses that occur due to events involving clients, products and business practices – has been expanded into four new Level 1 categories. These are: legal; conduct; financial crime; and regulatory compliance. The remaining six Level 1 categories – third-party, statutory reporting and tax, business continuity, data management, information security, and model risk – represent risks that have risen in prominence.

Operational risk experts argue the ORX taxonomy creates a starting point for discussion and potential convergence around the causes and impacts of specific events. The need for such discussion is evidenced by the fact that companies now define an average of 14 Level 1 risks. Left unchecked, this divergence could lead to further splintering, making interbank comparisons almost impossible.

Mapping to Basel

As the number of Level 1 risk categories increases, so does the possibility of overlap in the way categories are defined. For example, model risk, which is one of the new Level 1 categories in the ORX taxonomy, can result from putting a model into production with inadequate testing, which would stem from a failure of transaction processing and execution – another Level 1 risk.


“Model risk issues fall under the existing Basel category, execution, delivery and process management,” says Ken Abbott, professor at New York University and former chief risk officer for the Americas at Barclays. “At Barclays, model risk was elevated to the top of the house because it is a major regulatory focus, and it can be a source of big problems if not governed correctly. Operational risk is complex, and so many of the risks are derivatives of the seven core event types.”

The new taxonomy is intended to augment the existing Basel taxonomy, which has been in use since 2001, rather than replacing it entirely. Many banks already map their own taxonomies to Basel, and that’s expected to continue.

“It doesn’t necessarily perfectly match anyone’s current taxonomy,” says Luke Carrivick, head of analytics and research at ORX. “There are going to be differences, and people will use it as a reference, providing a way of solving how they go about forming their own taxonomies.”

ORX has kept the Basel Committee apprised of its work, and asserts that Basel is pleased the private sector is taking its own initiative to manage operational risk. The committee has declined to comment.

The consortium will incorporate the taxonomy into its ORX News service, which is free, in order to test its usefulness. It plans to rerun the exercise in 18 months to monitor changes to its member banks’ taxonomies and to look for signs of convergence.

“ORX News is a great test to see how well the taxonomy works in practice,” says Carrivick. “We hope that over time institutions will start to converge to the extent that people can share data.”

Regulators have also begun to focus on the need to distinguish between causes and effects of operational risks, particularly non-financial risks such as cyber risk, as is the case with a new system for recording losses from cyber risks unveiled last week by the US Federal Reserve. The Fed is weighing whether to require banks to report losses from cyber attacks in addition to more traditional forms of risk.

 

Editing by Louise Marshall
