Guide to Risk Taxonomies
An approach to articulating key risks
Table of Contents
- 1.0 Introduction
- 2.0 Categorizing Risks
- Appendix A: Definitions & Examples
For more information, contact:
For more information, please contact TBS Public Enquiries.
A risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organization.
- By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organization's objectives.
- By providing a common set of risk categories, it facilitates the aggregation of risks from across the organization.
- By providing a stable set of risk categories, it facilitates comparative analysis of an organization's risks over time.
This document includes considerations for departments and agencies with respect to developing and using a risk taxonomy. It outlines an approach to categorizing and aggregating risks that may be tailored to the specific needs of an organization.
It should be noted that a risk taxonomy is not a mandatory component of an integrated risk management approach. However, using a risk taxonomy can help to strengthen and better integrate an organization's risk management approach, given the benefits outlined above.
1.1 Developing a Risk Taxonomy
Developing a risk taxonomy requires establishing a set of risk categories. The categories should be sufficiently generic that they can be used to aggregate risks from various parts of the organization.
Examples of potential risk categories are found in section 2. Departments and agencies may tailor this list to their needs. For example, an organization may want to tailor the categories to better reflect its mandate, align with existing structures or classifications, or introduce sub-categories for risks that are particularly relevant to the organization's mandate. An organization should aim for a reasonable number of categories; not so many that the ability to aggregate becomes impeded, but not so few that the aggregation becomes meaningless and the discrete nature of the categories becomes eroded.
It should be noted that an organization may have an existing risk taxonomy that is used within a particular functional area, such as internal audit or information management. Such taxonomies should be considered in the development of an organization-wide risk taxonomy, as they may include categories that have proven to be applicable to the organization.
Once a taxonomy is developed, the organization should communicate it throughout the organization so that it may be used consistently in risk identification and aggregation. In addition, an organization may wish to integrate the risk taxonomy into its existing integrated risk management guidance and templates.
1.2 Using a Risk Taxonomy
The organization should encourage those involved in risk identification to use the risk taxonomy to categorize identified risks. Using the risk taxonomy in risk identification helps to ensure that all types of risks have been considered. It also facilitates risk aggregation.
Those involved in aggregating risks from across the organization may then group the risks under each category. This information may be organized in a variety of ways. For example, an organization may want to use a table that includes columns titled "risk category", "drivers", "risk event" and "risk impact" (see Appendix A for definitions of these terms).
Organizations may use this information to inform their Corporate Risk Profile or similar tools, in which they may also want to compare changes in the content of the risk categories on a regular basis, quarterly, biannually, or year-over-year as appropriate to their circumstances.
1.3 Links to Other Guides and Tools
General guidance on risk identification may be found in the 2010 Guide to Integrated Risk Management.
Guidance on developing Corporate Risk Profiles may be found in the 2010 Guide to Corporate Risk Profiles.
2.0 Categorizing Risks
This section provides a list of potential risk categories and a brief description of the types of risks, both threats and opportunities, which could fall under each category. As outlined in section 1, it is expected that organizations would selectively use these categories in identifying and aggregating their risks and may adapt the categories to their own needs.
- Business processes
- Threats and opportunities associated with business process design or implementation.
- Capital infrastructure
- Threats and opportunities associated with an organization's capital infrastructure including hard assets (e.g., buildings, vessels, scientific equipment, fleet), but excluding IT.
- Threats and opportunities associated with an organization's approach and culture of communication, consultation, transparency and information-sharing, both within and outside the organization.
- Conflict of interest
- Threats and opportunities associated with perceived or potential conflicts between private and public interests.
- Financial management
- Threats and opportunities associated with the structures and processes of an organization to ensure sound management of financial resources and its compliance with financial management policies and standards.
- Governance and strategic direction
- Threats and opportunities associated with an organization's approach to leadership, decision-making and management capacity.
- Human resources management
- Threats and opportunities associated with staff/management turnover; employment/work culture; recruitment, retention and staffing processes and practices; succession planning and talent management; and employee development, training and capacity building.
- Information management
- Threats and opportunities associated with an organization's capacity and sustainability of information management procedures and practices.
- Information technology
- Threats and opportunities associated with an organization's capacity and sustainability of information technology, both the infrastructure and utilization of technological applications.
- Knowledge management
- Threats and opportunities associated with an organization's collection and management of knowledge, including intellectual property, organizational or operational information and records, and scientific data.
- Threats and opportunities associated with an organization's management of its legislative, advisory and litigation activities, including the development and renewal of, and compliance with, laws, regulations, international treaties / agreements and policies.
- Organizational transformation and change management
- Threats and opportunities associated with significant structural or behavioural change within an organization related to mandate, operating context, leadership and strategic direction.
- Policy development and implementation
- Threats and opportunities associated with an organization's design, implementation and compliance with the government-wide policy suite as well as its own internal policies and procedures.
- Privacy / Information stewardship
- Threats and opportunities associated with an organization's protection of intellectual property and personal information.
- Program design and delivery
- Threats and opportunities associated with an organization's design and delivery of specific programs, which may impact the organization's overall objectives.
- Project management
- Threats and opportunities associated with an organization's process and practice of developing and managing major projects in support of its overall mandate, as well as risks associated with specific projects that may require ongoing management.
- Threats and opportunities associated with the political climate and operating context of an organization.
- Threats and opportunities associated with an organization's reputation and credibility with its partners, stakeholders and the Canadian public.
- Resource management
- Threats and opportunities associated with the availability and level of resources of an organization to deliver on its mandate, as well as the organization's management of these resources.
- Stakeholders and partnerships
- Threats and opportunities associated with an organization's partners and stakeholder demographics, characteristics and activities.
- Values and ethics
- Threats and opportunities associated with an organization's culture and capacity to adhere to the spirit and intent of the Values and Ethics Code for the Public Service.
Appendix A: Definitions & Examples
- Risk is defined as the effect of uncertainty on objectives. It is important to note that risk can be characterized as a negative uncertainty, commonly referred to as a threat, as well as a positive uncertainty, commonly referred to as an opportunity.
- Risk category
- A risk category is a type of risk that is sufficiently generic that it can be used to identify and aggregate risks from various parts of the organization. See section 2 for examples.
- Risk event and risk impact
A risk event is a situation with the potential to affect the achievement of an organization's objectives. A risk event may be positive or negative – in other words, it may be a threat or an opportunity.
A risk impact is the potential effect of a risk event. As with a risk event, a risk impact may be positive or negative.
An example of a negative risk event (or threat): "The organization may not be able to maintain the current number of staff in scientific job categories."
An example of a negative risk impact: "Inability to meet the organization's research targets."
An example of a positive risk event (or opportunity): "The organization may be able to promote its innovative approaches at an upcoming international conference."
An example of a positive risk impact: "Enhanced ability to develop international partnerships."
A driver is an internal or external circumstance that is contributing to (or "driving") a risk. Drivers are often identified through environmental scans.
It is common for organizations to confuse drivers and risks. In particular, organizations sometimes refer to certain external circumstances (e.g., social, economic, etc.) as "external risks", when in fact they are drivers. To distinguish the two concepts, it is helpful for an organization to consider why the external circumstance challenges the organization, or why it presents an opportunity for the organization.
As an example, an organization might determine that the aging Canadian population is a driver that is contributing to an increase in the number of applications and persons eligible for a particular program and therefore contributing to the risk that the organization may not be able to meet the anticipated increase in program delivery demands.
Report a problem or mistake on this page
- Date modified: