Industry Initiative of the Year: ORX

ORX’s op risk taxonomy project improves measurement of progress and change

Luke Carrivick: “People are using it to evidence that making the change is a credible thing to do”

When is an operational risk not an operational risk? When, as a growing number of financial institutions were finding, it is not defined in the op risk taxonomy laid down by the Basel Committee on Banking Supervision in 2001. In the 17 years since the organisation began its work, operational risk practice has diverged increasingly from the classification scheme used by regulators to oversee how financial institutions manage op risks and how they track losses.

“Basel event types, originally defined to assist with risk measurement, were not helping risk managers understand, manage or report on the real risks they were facing,” says Simon Wills, executive director of the Operational Riskdata eXchange Association (ORX), an op risk trade body for the financial services sector.

In response, last year, ORX embarked on a project to develop a new taxonomy for operational risk that is aligned more closely with the way firms approach this today. This endeavour saw it win the 2019 OpRisk Industry Initiative of the Year award.

ORX members, which number 98 financial services firms globally, had several issues with the existing taxonomy developed since 2001, says Wills, including its use of language that is “not as useful for today’s business practices as when [it] first launched”.

There is also a need for greater granularity in some areas, such as the category covering clients, products and business practices. Since the taxonomy’s launch in 2001, many new risks have emerged, such as cyber and conduct risk, and these are often managed by different business units in the second line and yet are increasingly being guided by one central op risk ‘umbrella function’ using a common set of definitions. There was not a standard taxonomy that sat well with all specialist functions. 


ORX stepped in, collecting an initial 4,000 lines of op risk descriptions from 44 of the world’s largest financial institutions and applying machine learning to the information to find groups of common descriptions. Those findings were then subject to expert review to ensure the taxonomy was coherent.

The result, to date, is a comprehensive taxonomy comprising 15 categories, which capture current op risk practices.

“What we’re doing is pooling the knowledge of these institutions and boiling it down – it’s the wisdom of crowds,” says Wills.

Live and evolving

For the next phase of the project, ORX has collaborated with consultancy Oliver Wyman, which will help create an enhanced version of the taxonomy, providing more granular risk definitions. Additionally, the work will involve greater analysis into certain risks, providing extra explanation of complex and topical areas, such as cyber and conduct risk.

“It’s meant to be a live and evolving reference,” says Wills, noting that an updated version is to be published by the end of the year.

Simon Wills and Luke Carrivick

“This is the most important structural development in operational risk management for 15 years,” says Mark Cooke, group general manager of HSBC and chairman of ORX.

Taking a data-driven approach avoids introducing human bias into the process, says Luke Carrivick, head of analytics and research at ORX.

“There are numerous, equally valid ways of defining things. This can lead to endless debate within institutions, driven by internal structures,” he says. “By producing a reference that has amalgamated the direction of travel of everyone, that helped solve a lot of those arguments… Our work is reflecting what’s happening in the industry – we didn’t have endless meetings to reach agreement among all the banks involved. It’s charting how people are evolving away from the event types.”

The new reference taxonomy is intended to be comprehensive, easily understood and up to date, says Wills, necessitating a relatively fast process that has erred towards the practical rather than the academic.

“We could have gone into a small room for two years and argued about whether it ‘should’, ‘might’ or ‘may’ be, or we could document what’s going on in the industry, publish it and move forward,” he explains.

“We’re positioning it as a reference taxonomy, rather than a standard,” says Carrivick. Rather than adopt the taxonomy wholesale, it is more likely that its users will “dip into it” to get a sense of how their peers, or the market as a whole, are thinking about a particular branch of op risk, he says.

A reference to work from

How will the taxonomy be used? For some firms, it will be used to overcome opposition to changes to op risk practice, says Wills, while others might use it to benchmark their existing practices.

“People are using it to evidence that making the change is a credible thing to do, because it’s being done in the industry,” he says. “They are also using it to accelerate their thinking – it gives them a reference to work from.”

Meanwhile, the taxonomy will complement rather than replace the Basel approach, says Wills, noting it “maps to the Basel categories… It would be an own goal if it didn’t.”

Carrivick says: “Regulators are broadly in favour of the industry getting together and doing this work… However, the event types will persist, because although they aren’t very well aligned with how people manage risks internally, they do offer a very complete view of events, and they are a good way of cataloguing losses and making sure different institutions are able to benchmark themselves against each other.”

The new taxonomy has “strengthened the quality of meaningful conversations [about op risk] – both within firms and across the whole industry”, concludes Wills. “It provides a common, centralised language that covers the wide range of modern operational risks. Without this, inconsistent and siloed information will continue to proliferate across the industry, and make the job of risk management significantly more difficult.”
