
Once a taxonomy is developed, the organization should communicate it throughout the organization so that it may be used consistently in risk identification and aggregation. Such taxonomies should be considered in the development of an organization-wide risk taxonomy, as they may include categories that have proven to be applicable to the organization. It should be noted that an organization may have an existing risk taxonomy that is used within a particular functional area, such as internal audit or information management.

An organization should aim for a reasonable number of categories, not so many that the ability to aggregate becomes impeded, but not so few that the aggregation becomes meaningless and the discrete nature of the categories becomes eroded. For example, an organization may want to tailor the categories to better reflect its mandate, align with existing structures or classifications, or introduce sub-categories for risks that are particularly relevant to the organization's mandate. Departments and agencies may tailor this list to their needs. The categories should be sufficiently generic that they can be used to aggregate risks from various parts of the organization.

Examples of potential risk categories are found in section 2.

1.1 Developing a Risk Taxonomy

Developing a risk taxonomy requires establishing a set of risk categories. However, using a risk taxonomy can help to strengthen and better integrate an organization's risk management approach, given the benefits outlined above. It should be noted that a risk taxonomy is not a mandatory component of an integrated risk management approach. It outlines an approach to categorizing and aggregating risks that may be tailored to the specific needs of an organization.

This document includes considerations for departments and agencies with respect to developing and using a risk taxonomy.

By providing a stable set of risk categories, it facilitates comparative analysis of an organization's risks over time.
By providing a common set of risk categories, it facilitates the aggregation of risks from across the organization.
By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organization's objectives.

1.0 Introduction

A risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organization.

An approach to articulating key risks
