Organizations need to build a robust Enterprise Risk Management (ERM) framework, or risk taxonomy, which provides a holistic view of all information and relationships across the organization. A taxonomy structures and preserves the integrity of that information, so that as changes occur in different parts of the organization, managers can still compare risks on an "apples to apples" basis and connect the dots between business areas. It is the critical foundation of your ERM program and of any ERM software you deploy.
As I described in my last blog, the first step in building a risk taxonomy is identifying your organization's core business processes, which creates accountability and keeps the focus on business value.
The next step in building a risk taxonomy is naming and categorizing all the key people, systems, and vendor products and services used by those business processes. This is what enables better resource allocation.
To make effective Enterprise Risk Management simple and practical, you need to take complex material, break it down, and make it accessible to anyone in your organization. To do this, information should be organized by resource rather than by use or by department, and you need to create a holistic profile for each critical resource in your enterprise.
By resources, we mean the people, vendors, physical assets, software applications, services and data repositories used in the organization. Everyone knows something about the relationships and data around these resources, but no one knows everything. The challenge is how to get everyone to contribute their "piece".
A risk taxonomy provides a structure for information and ownership by breaking complex, interconnected information down into resources as basic building blocks. This lets everyone understand and contribute their piece and take ownership of change management for it. These standardized building blocks become a library shared across all business areas, which reduces unnecessary duplication and overlap.
The relationships between the resources and the business processes that use them should be explicit, because those relationships determine business impact. The clearer the understanding of business impact, the more effective the governance activity will be. The connection to a business process also provides a direct link to the subject matter expert who runs the activity that uses the resource and who knows how critical that resource is to the activity.
The result is the identification of critical business processes based on a score that includes these key supply chain and infrastructure dependencies. Control and mitigation activities can then be organized within the business processes in which they operate and connected to the resources they depend upon, completing the circle.
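To make the structure concrete, here is a small model of the taxonomy described above: a shared resource library, business processes with explicit dependencies on those resources, a criticality score per process, and two checks a practitioner would want (dangling references to uncatalogued resources, and resources shared across silos). This is an added illustration and not the post's or any ERM product's code; the resource kinds, the 1-5 and 1-3 scales, the kind weights and the sample data are all assumptions made for the example.

```python
"""Toy risk-taxonomy model: resources as shared building blocks, business
processes that depend on them, and a dependency-weighted criticality score.
Added illustration; scales, weights and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed weighting: resources outside the organization's direct control
# (vendors) and shared infrastructure amplify impact more than in-house people.
KIND_WEIGHT = {"person": 1.0, "application": 1.5, "system": 1.5,
               "data": 1.5, "vendor": 2.0}


@dataclass(frozen=True)
class Resource:
    rid: str      # stable identifier shared by every business area
    kind: str     # one of KIND_WEIGHT's keys
    owner: str    # who is accountable for this resource's profile


@dataclass
class Process:
    name: str
    owner: str                  # subject matter expert for the activity
    business_value: int         # assumed scale: 1 (low) .. 5 (high)
    depends_on: dict = field(default_factory=dict)   # rid -> criticality 1..3


def validate(library, processes):
    """Integrity check: every dependency must point at a catalogued resource."""
    errors = []
    for p in processes:
        for rid in p.depends_on:
            if rid not in library:
                errors.append(f"{p.name}: unknown resource '{rid}'")
    return errors


def process_score(process, library):
    """Business value scaled by the weighted criticality of its dependencies."""
    exposure = sum(crit * KIND_WEIGHT[library[rid].kind]
                   for rid, crit in process.depends_on.items())
    return process.business_value * exposure


def rank_processes(processes, library):
    """Highest-scoring (most critical) processes first."""
    return sorted(processes, key=lambda p: process_score(p, library), reverse=True)


def shared_resources(processes):
    """Resources used by more than one process: the cross-silo dependencies."""
    users = defaultdict(list)
    for p in processes:
        for rid in p.depends_on:
            users[rid].append(p.name)
    return {rid: sorted(names) for rid, names in users.items() if len(names) > 1}


# Constructed sample data for the example, not from the original post.
LIBRARY = {r.rid: r for r in [
    Resource("crm-app", "application", "it-apps"),
    Resource("payroll-saas", "vendor", "hr-ops"),
    Resource("customer-db", "data", "dba-team"),
    Resource("sso-idp", "system", "identity-team"),
    Resource("jane-doe", "person", "hr-ops"),
]}

PROCESSES = [
    Process("order-to-cash", "sales-ops", 5,
            {"crm-app": 3, "customer-db": 3, "sso-idp": 2}),
    Process("hire-to-retire", "hr-ops", 3,
            {"payroll-saas": 3, "sso-idp": 2, "jane-doe": 1}),
    Process("marketing-campaigns", "marketing", 2,
            {"crm-app": 2, "sso-idp": 1}),
]

if __name__ == "__main__":
    for err in validate(LIBRARY, PROCESSES):
        print("taxonomy error:", err)
    for p in rank_processes(PROCESSES, LIBRARY):
        print(f"{p.name:20} owner={p.owner:13} score={process_score(p, LIBRARY):.1f}")
    for rid, names in shared_resources(PROCESSES).items():
        print(f"shared resource {rid}: {', '.join(names)}")
```

Because every process refers to the same resource identifiers, the one entry for `sso-idp` is assessed once and reused by all three processes, and the ranking lets you compare an HR process and a sales process on the same basis instead of each department scoring its own silo.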
A common shared infrastructure, the risk taxonomy, is necessary to support risk management information across an entire enterprise. Through this approach, organizations eliminate redundant work on assessments, controls and testing while reducing risk at the same time.
The next steps in building a risk taxonomy are standardizing the risk assessment template criteria for these resources and processes, consolidating data collection, and understanding cross-silo dependencies.