Compliance in risk taxonomy
-
Dear RiskBowl,
Thoughts on where Compliance typically sits in the risk taxonomy? We’ve gathered examples of Compliance as a Level 1 risk category, but have you seen examples of when Compliance is at Level 2 under Operational Risk at Level 1?
Thanks
-
It’s a tricky question as compliance doesn’t fit too neatly into the typical risk taxonomy, and there are more complex taxonomy structures that can better facilitate compliance as a type of impact from a risk event. This is what we would typically see as best practice.
To answer your question directly, I’ve probably seen compliance as an L2 under an overall ops risk once or twice, but it’s not what I would suggest as best practice and is something we would recommend avoiding. Peer L1s are much more common.
-
The ORX global reference taxonomy, which was developed based on 60+ risk taxonomies used by financial institutions around the globe, is probably the best representation of peer practices and has been adopted, with tailoring for the specific organization, by many since the taxonomy was developed ~5 years ago.
Within the ORX global reference taxonomy, regulatory compliance is a separate L2 category within the NFR taxonomy, and is defined as “the failure to comply with any legal or regulatory obligations that are not captured through other Level 1 risks within the NFR taxonomy”, because the risk of non-compliance with specific legal or regulatory obligations is relevant to most Level 1 risks in the NFR taxonomy and therefore we wanted to avoid overlap with these risks.
-
"Compliance risk within the taxonomy is an important but challenging issue. Are you familiar with institutions that maintain two separate taxonomies—one for compliance risk and another for operational risk—and then map them to each other? Or do you adapt the ORX taxonomy by integrating specific, critical compliance risks to improve measurement compared to the original ORX structure? If so, which compliance risk events do you include, and where within the ORX taxonomy do you integrate them?"
-
I’d say best practice is to have a single taxonomy, which covers both Compliance and Operational Risk. They are often separate L1 risks, and the sub-risks within Compliance are often not aligned with the ORX structure, but rather speak to compliance-related risks (such as market conduct, customer / client protection, conduct, privacy, prudential & bank administration).