The ORX Reference Taxonomy for operational and non-financial risk

SUMMARY REPORT
Executive summary

A strategic priority for ORX and the operational and non-financial risk community

There has been a substantial change in the operational risks faced in financial services over the last 15 years. Risks such as Conduct, Cyber and Third Party have risen in importance and now dominate boardroom agendas [1]. How organisations think about this expanding portfolio of threats and manage them in a consistent way is underpinned by their risk taxonomy.

This changing risk profile, combined with a recent shift of focus away from capital measurement towards risk management, means that many organisations are updating their operational risk taxonomies. In doing so, they are deviating from Basel Event Types [2] and, in the absence of a common standard, we have observed significant divergence.

The strategic priority of this ORX initiative, supported by Oliver Wyman, was to create a common point of reference and thereby solid ground for industry discussion about developing operational risk taxonomies. This lays the foundations which allow consistent industry sharing of insights and data over the coming years.

An industry point of reference

The ORX Reference Taxonomy [3] is our first iteration of a full taxonomy that goes deeper into level 2 risks. It is an enhancement of the award-winning level 1 reference taxonomy which was developed in 2018 [4]. At this stage it is provided as a guide to the industry, and to encourage a convergence of thinking; it is not intended as a standard and will not be adopted in the ORX global and regional loss data exchange services. It consolidates information from 60 different taxonomies into a single coherent reference.

To best use this work, it is important to understand that:

1. This is a reference
We have published a reference taxonomy which collates many individual operational risk taxonomies in a sensible way. It is intended as a useful resource against which organisations can benchmark and improve practice. It is unlikely to meet every need without some customisation.

2. It can be used in different ways
Given the thematic nature of some risks (such as cyber), it is possible to adapt the ORX Reference Taxonomy to meet your business needs. For example, users could create meaningful groups of level 2 risks which do not appear within the same level 1 in the reference taxonomy, or they could align reference taxonomy level 2 risks to alternative level 1 risks in their own taxonomy.

3. There is a connection to Basel
It is important to note that taxonomies had not moved completely away from Basel Event Types; more accurately, they had evolved and expanded them. We observed common changes, and the reference reflects this:

• A change of language: some risks closely corresponding to Basel Event Types, but with a change of language.
• Greater focus on misconduct: risks which expand the Clients, Products and Business Practices category and provide greater granularity, such as Compliance, Financial Crime and Misconduct.
• An elevation of material concerns: risks that have risen in prominence and are elevated to level 1. This includes Information Security, Cyber, Data, Model and Third Party.

ORX contacts:
Dr Luke Carrivick, Head of Research and Information, luke.carrivick@orx.org
Steve Bishop, Head of Insurance and Risk Information, steve.bishop@orx.org

Oliver Wyman contacts:
Evan Sekeris, Partner, evan.sekeris@oliverwyman.com
Thomas Ivell, Partner, thomas.ivell@oliverwyman.com
Valerie Wong, Engagement Manager, valerie.wong@oliverwyman.com

Follow ORX: @ORX_Association
Follow Oliver Wyman: @Oliver Wyman / @OliverWyman
orx.org | oliverwyman.com

[1] https://managingrisktogether.orx.org/research/operational-risk-horizon-2019
[2] https://www.bis.org/bcbs/qisoprisknote.pdf
[3] The public summary of the ORX Reference Taxonomy (copyright ORX 2019) is freely available for all financial organisations to benefit from. The more detailed ORX Reference Taxonomy and guidance is provided free of charge to all ORX members. It is available to other financial organisations – please contact communications@orx.org for further details. Commercial use of both the summary and detailed ORX Reference Taxonomy by consultants or other firms for any financial gain is not permitted without express permission from ORX and will incur a charge.
[4] https://managingrisktogether.orx.org/news-and-blogs/orx-wins-initiative-year-2019-operational-risk-awards

ORX Reference Taxonomy

Below are the level 1 event types in the ORX Reference Taxonomy (2019). For the level 2 event types, see page 10. During 2020, ORX plan to produce a corresponding cause and impact taxonomy, in addition to progressing work on controls, in order to provide an even more comprehensive reference.

This infographic shows the connection of the ORX Reference Taxonomy to the Basel Event Types.

Basel Event Types → ORX Reference Taxonomy Level 1s

Risks that have risen in prominence and are elevated to level 1 (Basel: Operational Risk):
  • Third Party
  • Statutory Reporting and Tax
  • Business Continuity
  • Data Management
  • Information Security (including Cyber)
  • Model

Risks closely corresponding to Basel Event Types, but with a change of language:
  • Employment Practices & Workplace Safety → People
  • Execution, Delivery & Process Management → Transaction Processing & Execution
  • Business Disruption & System Failures → Technology
  • Internal Fraud → Internal Fraud
  • External Fraud → External Fraud
  • Damage to Physical Assets → Physical Security & Safety

Risks which expand the Clients, Products and Business Practices category and provide greater granularity and focus on misconduct:
  • Clients, Products & Business Practices → Conduct / Compliance:
      – Legal
      – Conduct
      – Financial Crime
      – Regulatory Compliance

© ORX 2019
Introduction

This public report provides a summary of the full report available to ORX members. It includes a background to this work, an overview of the method applied to develop the ORX Reference Taxonomy, notable observations from the taxonomy data collected from ORX members and the Level 1 and 2 risk titles.

ORX Reference Taxonomy resources available

ORX can provide a full set of ORX Reference Taxonomy resources, including:

• The full ORX Reference Taxonomy report that includes further analysis and information on the member taxonomy data collected, as well as deep dives on approaches to Cyber, Conduct and Third Party risk
• The Reference Taxonomy level 1 and level 2 risks with comprehensive definitions
• Guidance supporting users to understand the application of the ORX Reference Taxonomy
• A mapping of the taxonomy back to Basel Event types

If you would like further information on these, please contact communications@orx.org

During 2020, in order to provide an even more comprehensive reference, ORX plan to produce a corresponding cause and impact taxonomy, in addition to progressing work on controls.

The ORX Reference Taxonomy will also be incorporated into the ORX News [5] service (see page 13 for more details about ORX News).

A level 1 reference taxonomy

In 2018, an ORX research study [6] developed an emerging level 1 ORX Reference Taxonomy. 90% of the 2018 study’s 40 participants had adopted an enhanced taxonomy which captures the key risks they see in today’s business environment, and one which is defined in a language familiar to their business leaders.

It was, however, important to note that a significant majority had not moved completely away from Basel Event Types – more accurately, they had evolved and expanded them. This held true for participants who self-identified as following a Basel structure, but also true to an extent with those who self-identified as having developed their own taxonomy.

In some cases, we have observed more wholesale changes, particularly with participants who self-identified as having developed their own taxonomy. This allows more freedom in the way they can express their risk profile. It in turn often results in a larger number of level 1 risks (compared to the Basel structure), reflecting the desire to elevate certain risks to higher prominence.

A full reference taxonomy

Building on the significant interest from ORX members, the wider industry and regulators in the 2018 taxonomy work, ORX has been pleased to work with Oliver Wyman using a larger set of taxonomies to:

1. Develop an updated ORX Reference Taxonomy, including level 2 risks
2. Provide guidance to support and explain the taxonomy

This taxonomy can be used as a key reference to benchmark against and to observe industry trends. It is not a standard specifically intended to be adopted wholesale but can assist organisations in developing their taxonomies, provide industry evidence to support change and allow them to accelerate their thinking.

Method

Working with Oliver Wyman, ORX reviewed an expanded data set of 58 ORX member taxonomies (collected from banks and insurers) [7]. This was used to validate the 2018 level 1 reference, derive suitable supporting level 2 risks and to develop guidance.

We have then worked with a member advisory group to review, update and finalise the taxonomy.

During this work, several principles have been applied to develop the ORX Reference Taxonomy, namely that it should:

• Be risk event based [8]
• Be designed to include two levels
• Be intuitive and easy to understand
• Cover the scope of – and map back to – Basel Event Types
• Be mutually exclusive and collectively exhaustive (to the extent possible)

Data in the driving seat

The data collected from ORX member taxonomies demonstrates that there are numerous equally valid approaches to risk taxonomy construction. Differences can arise because of an individual organisation’s decisions regarding both the risks to include and where to position them. These decisions are influenced by external factors such as jurisdictional trends and idiosyncratic ones, such as internal organisational structures and the businesses in which an organisation operates. Establishing a taxonomy is not a perfect science and often requires the application of common sense and compromise.

The factors above, as well as the absence of industry-wide taxonomy developments, highlight the need for ORX to enhance the reference taxonomy and develop the level 2 categories. Central to this development has been the use of the collected ORX member taxonomy data in a systematic and transparent way. Initially, data was used to validate and update the level 1 categories identified as part of the 2018 ORX study, then further analysis has been undertaken to assist in the development of the supporting level 2 risks for the enhanced taxonomy.

This analysis to develop level 2 risks involved:

• Identification of the “risk dimensions” used to describe each level 1/level 2 risk; for example, under External Fraud, level 2 risks in participant taxonomies are linked to dimensions including actor, item, product and channel
• The adoption of either the most common approach to level 2 risks or, where significant divergence was observed, using the most consistent approach to determine level 2 risks
• Review and feedback from the member advisory group of the risks where practice diverged the most

[5] https://managingrisktogether.orx.org/orx-news
[6] https://managingrisktogether.orx.org/operational-risk-taxonomy/orx-reference-taxonomy-2019
[7] Two member taxonomies were added subsequently which were used to validate the proposed ORX Reference Taxonomy, taking the dataset to 60.
[8] As opposed to cause or impact based; see page 14 on the bow tie methodology

Observations from the taxonomy data

The review of participant taxonomies highlighted several themes, with some interesting and notable observations:

• Increase in level 1 size and use of risk “themes”

Relative to the Basel Event Types, overall there is an increase in the number of level 1 risks in the taxonomies collected. On average there were 14 level 1 risks versus the 7 original level 1 Basel Event Types. Another way of capturing increasing prominence in certain risk types is the increased use of risk “themes” as standalone risk categories, for example Conduct and Cyber [9].

The increase of both level 1 risks and in the use of risk themes potentially reflects a more developed and granular approach to defining operational risk. It may also reflect the increased number of risks uniquely recognised under the operational risk umbrella [10].

• Use of different dimensions

For several risks, participants use a combination of different “dimensions” to define their level 2 risks. This was particularly evident for Conduct – where dimensions observed relate to market integrity, products and services, as well as clients and business practices. Different dimensions were also evident for External Fraud (as mentioned in the “Data in the driving seat” section on page 7) and for Internal Fraud (similar to External Fraud). Although the combinations of dimensions used can appear illogical, this pattern may have evolved as taxonomies are developed over time, with categories being added to respond to new threats or risks, or new regulatory areas of focus. Often organisations do not have the luxury of starting their taxonomy again.

• Control failures

Often participating taxonomies included level 2 risks that could be classed as causes and/or control failures. Given the increasing likelihood that organisations are penalised for inadequate control frameworks or control failures, without strictly having had an event occur, this may reflect a pragmatic approach to incorporate incidents that could lead to an impact.

Divergence was evident

In addition to the observations already mentioned, there was divergent practice evident in the participant taxonomies. The widest range of practice was seen within the risks that have risen in prominence – those often described as more “thematic” than pure risks (as per the control failures observation). This included Cyber, Conduct and Third Party.

Analysis highlighted that the 60 participants take different approaches to categorising these risks. Approaches observed included the use of such categories as level 1 risks, using impact and causal taxonomies to support classification, as well as the use of flags to indicate where an event may relate to more than one risk type.

As an example of the variances observed, an event captured as External Fraud may have a cyber-attack at its cause. Depending on an organisation’s approach, this could be classified as Cyber, or as an External Fraud with a Cyber cause, or as an External Fraud tagged with a Cyber flag. A further example is a technology failure event that may impact customers. This could be recorded as Conduct, or as a technology failure with a customer or conduct impact, or as a technology failure tagged with a Conduct flag.

These variances may well have arisen due to a lack of an industry standard covering such risks. Organisations’ taxonomies have grown organically, gaining idiosyncratic features influenced by factors such as the organisation’s approach to risk management, their jurisdiction and regulator.

In the full ORX Reference Taxonomy report available, there is further information outlining the analysis undertaken on the taxonomy data and the observations set out here. Supporting this, there are also deep dives looking specifically at industry approaches taken for the categorisation of Cyber, Conduct and Third Party risks and further explanation of the approach and logic applied when developing these areas in the ORX Reference Taxonomy.

Please get in touch with ORX at communications@orx.org for further information about this full report on the ORX Reference Taxonomy.

Why a reference and what next?

Given the observations and areas of divergence described for certain risks, ORX believe it is extremely helpful to publish this taxonomy as a reference. The aim at this stage is to help develop consistent industry thinking rather than provide a taxonomy intended as a wholesale standard.

It is hoped the ORX Reference Taxonomy has captured the wisdom of crowds and distilled many of the successful features of operational risk taxonomies from across the industry.

It will not currently be used for the ORX global loss data exchange services. However, ORX will seek feedback from its membership, the wider industry and regulators, including understanding where it has been adopted and the results of any benchmarking work. We also intend to re-run the initiative in 12 to 18 months’ time.

Updating the taxonomy iteratively will allow ORX to collect updated taxonomies and review the effectiveness of the reference, help ensure it remains relevant and inclusive of key industry risks, and monitor potential convergence towards a future industry standard.

ORX Reference Taxonomy in action

ORX will use the reference taxonomy during 2020 in ORX News [11]. This will allow it to be tested in action and support subscribers to the ORX News service in searches and reports.

We also aim to use the taxonomy in other information services and products, particularly focusing on how we analyse and report on material risks.

See page 12 for more information about ORX and our services.
[9] ORX has also explored cyber definitions and taxonomies as part of our Cyber & Information Security Risk (CISR) programme: https://managingrisktogether.orx.org/cyber-risk-programme
[10] https://managingrisktogether.orx.org/research/role-and-scope-op-risk
[11] https://managingrisktogether.orx.org/orx-news
The ORX Reference Taxonomy [12]

Level 1 risks and their level 2 risks:

People
  • Breach of employment legislation or regulatory requirements
  • Ineffective employment relations
  • Inadequate workplace safety

External Fraud
  • Third party/vendor fraud
  • Agent/broker/intermediary fraud
  • First party fraud

Internal Fraud
  • Internal fraud committed against the organisation
  • Internal fraud committed against customers/clients, or third/fourth parties

Physical Security & Safety
  • Damage to organisation’s physical asset
  • Injury to employee or affiliates outside the workplace
  • Damage or injury to public asset

Business Continuity
  • Inadequate business continuity planning/event management

Transaction Processing and Execution
  • Processing/execution failure relating to clients and products
  • Processing/execution failure relating to securities and collateral
  • Processing/execution failure relating to third party
  • Processing/execution failure relating to internal operations
  • Change execution failure

Technology
  • Hardware failure
  • Software failure
  • Network failure

Conduct
  • Insider trading
  • Anti-trust/anti-competition
  • Improper market practices
  • Pre-sales service failure
  • Post-sales service failure
  • Client mistreatment/failure to fulfil duties to customers
  • Client account mismanagement
  • Improper distribution/marketing
  • Improper product/service design
  • Whistleblowing
  • Breach of code of conduct and employee misbehaviour

Legal
  • Mishandling of legal processes
  • Contractual rights/obligation failures
  • Non-contractual rights/obligation failures

Financial Crime
  • Money laundering and terrorism financing
  • Sanctions violation
  • Bribery and corruption
  • KYC and transaction monitoring control failure

Regulatory Compliance
  • Ineffective relationship with regulators
  • Inadequate response to regulatory change
  • Improper licensing/certification/registration
  • Breach of cross-border activities/extra-territorial regulations
  • Prudential risk

Third Party
  • Third party management control failure
  • Third party criminality/non-compliance with rules and regulations
  • Inadequate intra-group agreements/SLAs

Information Security (including Cyber)
  • Data theft/malicious manipulation of data
  • Data loss
  • Cyber risk events
  • Data privacy breach/confidentiality mismanagement
  • Improper access to data

Statutory Reporting and Tax
  • External financial and regulatory reporting failure
  • Tax payment/filing failure
  • Trade/transaction reporting failure

Data Management
  • Unavailability of data
  • Poor data quality
  • Inadequate data architecture/IT infrastructure
  • Inadequate data storage/retention and destruction management

Model
  • Model/methodology design error
  • Model implementation error
  • Model application error

[12] The public summary of the ORX Reference Taxonomy (copyright ORX 2019) is freely available for all financial organisations to benefit from. The more detailed ORX Reference Taxonomy and guidance is provided free of charge to all ORX members. It is available to other financial organisations – please contact communications@orx.org for further details. Commercial use of both the summary and detailed ORX Reference Taxonomy by consultants or other firms for any financial gain is not permitted without express permission from ORX and will incur a charge.
Delivering leading-edge support services

ORX have a range of services, projects and events to support the sharing of ideas in the wider measurement and management of operational and non-financial risk.

While membership is our core offering, there are also many other services and resources available for the wider operational risk community to benefit from.

Initially set up to provide a global platform for the secure and anonymised exchange of high-quality loss data, ORX has developed its remit substantially over the years thanks to the collaboration of the community of risk professionals we bring together.

Why not join the community to see how you could benefit?

Premium subscription services

ORX has developed two premium support services that don’t require you to be an ORX member. Both are available to any financial organisation* to benefit from, with a discounted price for members.

ORX Scenarios

This service provides you with an extensive scenario library, scenario practice benchmark studies, and access to a global scenario practitioner network.

In addition, ORX Scenarios provides a scenario development handbook and a risk intelligence pack. Our Scenarios developments are continuing, for example an additional focus on increasing the practical outputs of scenarios.

1050+ scenarios in our library

ORX Scenarios key benefits:

• Access to an industry-leading scenario library, containing over 1,000 quality scenarios from the leading financial services firms globally
• Access to a global scenario practitioner network, including free invitation-only events such as our global Scenario & Analytics Forum and regular working groups
• Scenario practice benchmark studies, providing thought leadership to enhance your internal practices
• A scenario development handbook – a roadmap for creating and quantifying scenarios for specific risks, such as cyber
• Risk intelligence packs – ready-made packs of external information to support scenario development

* ORX Scenarios is subject to requirements and conditions of data collection being met

ORX News

ORX News is an industry-leading provider of publicly reported operational risk loss events from around the world. It is a single source for data and analysis, covering the banking, insurance and asset management sectors.

In addition to reporting risk loss events within a 24-hour period, ORX News produces “deep dives” upon request about key events to gain a risk-focused view of significant losses.

8000+ news stories on our platform

ORX News key benefits:

• Very competitive pricing due to ORX being a not-for-profit organisation
• A fast turnaround – headline published within 24 hours
• No limit on access, with unlimited user licences
• Financial services specific, plus cyber stories from other industries
• High-quality, concise summaries from our team of professional researchers
• Alerts and categories that can be customised to your interests
• Sophisticated reporting functionality – reports can be exported in Excel or PDF
• Global coverage – our researchers speak nine languages collectively
• Free personalised system training for all users in your organisation

NEW: An Application Programming Interface (API) allowing you to automatically pull ORX News data into your own system, for example your GRC platform. Contact support@orx.org for more info.

Appendix: bow tie methodology

The ORX Reference Taxonomy is based on the “bow tie” method (see Figure 1), which distinguishes between causes, events, impacts and controls. These are defined as follows:

• Cause: The risk causes constitute the underlying environment that allows risk events to develop. These causes therefore go beyond the immediate triggers of an event, such as control failure. Multiple causes can be mapped to an event.

• Event: The risk event is the central element of the framework, and is a discrete, specific occurrence, one degree removed from the impact on the organisation or its stakeholders.

• Impact: The risk event can have direct and/or indirect impact on an organisation and its stakeholders. Multiple impacts can be assigned to a risk event.

The “bow tie” method is used to ensure that only such events are captured by the taxonomy which plausibly lead to a direct impact.

Figure 1. Bow Tie Method

Causes → Controls to prevent causes → Risk events → Controls to reduce impact of consequences → Impacts

Causes
• A cause gives rise to an event
• Defined in terms of the underlying causes, i.e. the environment that allows risks to develop
• Multiple causes can be mapped to an event
E.g. IT systems are antiquated, encouraging external fraud

Controls to prevent causes
• Preventative or detective controls may be used to prevent root causes from leading to a risk event
• Cause identification may help define appropriate controls
E.g. Leverage cloud services to improve bandwidth and deter attacks

Risk events
• Discrete, specific occurrence that has an impact on the institution
• Used as unique identifier
• Risk event needs to have immediate impact
E.g. Firm website is taken down by a denial of service attack (DDoS)

Controls to reduce impact of consequences
• Specific controls may be used to mitigate the impact of a realised risk event
E.g. Crisis Management response following event with reputational damage

Impacts
• Specific outcome of the event
• Can be financial, regulatory, legal, or reputational; must be measured in a consistent way to allow comparison
• Multiple impacts can be mapped to a single event
E.g. Firm reputation as being secure is tarnished following the attack

About ORX

ORX is the largest operational risk association in the financial sector and has been a leading support for the industry since 2002.

For nearly two decades, we have been an ever expanding global community, bringing together thousands of operational risk professionals to share knowledge, expertise and experience.

Our services include a range of solutions focused on effective management and measurement of operational and non-financial risk. This includes global loss data exchange, an extensive research programme and a series of events held around the world.

We not only support individual organisations to assess their vulnerability to losses, but we also shape industry-wide development of best practice.

ORX is owned and managed by over 95 financial firms from all over the world. As a not-for-profit organisation, we invest all income back into providing high-quality benefits for operational and non-financial risk professionals. This ultimately helps develop the future direction of the discipline.

About Oliver Wyman

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialised expertise in strategy, operations, risk management, and organisation transformation.

For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at one of the following locations:

AMERICAS 1 212 541 8100
EMEA 44 20 7333 8333
ASIA PACIFIC 65 6510 9700

ORX would like to thank all members who provided their taxonomies, and particularly those who were part of the member advisory group.

Copyright © 2019 Oliver Wyman and ORX

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and ORX. Oliver Wyman and ORX accept no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman and ORX. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman and ORX have made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman and ORX disclaim any responsibility to update the information or conclusions in this report. Oliver Wyman and ORX accept no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. This report may not be sold without the written consent of Oliver Wyman and ORX.

ORX and Oliver Wyman have prepared this report with care and attention. ORX and Oliver Wyman do not accept responsibility for any errors or omissions within this report. ORX and Oliver Wyman do not warrant the accuracy of the advice, statement or recommendations in this report. ORX and Oliver Wyman shall not be liable for any loss, expense, damage or claim arising from this report. The content of this report does not itself constitute a contractual agreement, and ORX and Oliver Wyman accept no obligation associated with this report except as expressly agreed in writing.

The public summary of the ORX Reference Taxonomy (copyright ORX 2019) is freely available for all financial organisations to benefit from. The more detailed ORX Reference Taxonomy and guidance is provided free of charge to all ORX members. It is available to other financial organisations – please contact communications@orx.org for further details. Commercial use of both the summary and detailed ORX Reference Taxonomy by consultants or other firms for any financial gain is not permitted without express permission from ORX and will incur a charge.