Compliance in risk taxonomy
-
-
It’s a tricky question as compliance doesn’t fit too neatly into the typical risk taxonomy, and there are more complex taxonomy structures that can better facilitate compliance as a type of impact from a risk event. This is what we would typically see as best practice.
To answer your question directly, I’ve probably seen compliance as an L2 under an overall ops risk once or twice, but it’s not what I would suggest as best practice and is something we would recommend avoiding. Peer L1s are much more common.
-
The ORX global reference taxonomy was developed based on 60+ risk taxonomies used by financial institutions around the globe, and is probably the best representation of peer practices. It has been adopted, with tailoring for the specific organization, by many since the taxonomy was developed ~5 years ago.
Within the ORX global reference taxonomy, regulatory compliance is a separate L2 category within the NFR taxonomy, and is defined as “the failure to comply with any legal or regulatory obligations that are not captured through other Level 1 risks within the NFR taxonomy”, because the risk of non-compliance with specific legal or regulatory obligations is relevant to most Level 1 risks in the NFR taxonomy and therefore we wanted to avoid overlap with these risks.