Compliance in risk taxonomy

User 340

Dear RiskBowl,

Thoughts on where Compliance typically sits in the risk taxonomy? We’ve gathered examples of Compliance as a Level 1 risk category, but have you seen examples of when Compliance is at Level 2 under Operational Risk at Level 1?

Thanks

User 340

It’s a tricky question as compliance doesn’t fit too neatly into the typical risk taxonomy, and there are more complex taxonomy structures that can better facilitate compliance as a type of impact from a risk event. This is what we would typically see as best practice.

To answer your question directly, I’ve probably seen compliance as an L2 under an overall ops risk once or twice, but its not what I would suggest as best practice and is something we would recommend avoiding. Peer L1s is much more common

User 340

The ORX global reference taxonomy was developed based on 60+ risk taxonomies used by financial institutions around the globe is probably the best representation of peer practices and has been adopted, with tailoring for the specific organization, by many since the taxonomy was developed ~5 years ago.

Within the ORX global reference taxonomy, regulatory compliance is a separate L2 category within the NFR taxonomy, and is defined as “the failure to comply with any legal or regulatory obligations that are not captured through other Level 1 risks within the NFR taxonomy”, because the risk of non-compliance with specific legal or regulatory obligations is relevant to most Level 1 risks in the NFR taxonomy and therefore we wanted to avoid overlap with these risks