Guide to Risk Taxonomies

Table of Contents

• 1.0 Introduction
  • 1.1 Developing A Risk Taxonomy
  • 1.2 Using A Risk Taxonomy
  • 1.3 Links To Other Guides and Tools
• 2.0 Categorizing Risks
• Appendix A: Definitions & Examples

1.0 Introduction

A risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organization.

• By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organization's objectives.
• By providing a common set of risk categories, it facilitates the aggregation of risks from across the organization.
• By providing a stable set of risk categories, it facilitates comparative analysis of an organization's risks over time.

This document includes considerations for departments and agencies with respect to developing and using a risk taxonomy. It outlines an approach to categorizing and aggregating risks that may be tailored to the specific needs of an organization.

It should be noted that a risk taxonomy is not a mandatory component of an integrated risk management approach. However, using a risk taxonomy can help to strengthen and better integrate an organization's risk management approach, given the benefits outlined above.

2.0 Categorizing Risks

This section provides a list of potential risk categories and a brief description of the types of risks, both threats and opportunities, which could fall under each category. As outlined in section 1, it is expected that organizations would selectively use these categories in identifying and aggregating their risks and may adapt the categories to their own needs.

Business processes

Threats and opportunities associated with business process design or implementation.

Capital infrastructure

Threats and opportunities associated with an organization's capital infrastructure including hard assets (e.g., buildings, vessels, scientific equipment, fleet), but excluding IT.

Communications

Threats and opportunities associated with an organization's approach and culture of communication, consultation, transparency and information-sharing, both within and outside the organization.

Conflict of interest

Threats and opportunities associated with perceived or potential conflicts between private and public interests.

Financial management

Threats and opportunities associated with the structures and processes of an organization to ensure sound management of financial resources and its compliance with financial management policies and standards.

Governance and strategic direction

Threats and opportunities associated with an organization's approach to leadership, decision-making and management capacity.

Human resources management

Threats and opportunities associated with staff/management turnover; employment/work culture; recruitment, retention and staffing processes and practices; succession planning and talent management; and employee development, training and capacity building.

Information management

Threats and opportunities associated with an organization's capacity and sustainability of information management procedures and practices.

Information technology

Threats and opportunities associated with an organization's capacity and sustainability of information technology, both the infrastructure and utilization of technological applications.

Knowledge management

Threats and opportunities associated with an organization's collection and management of knowledge, including intellectual property, organizational or operational information and records, and scientific data.

Legal

Threats and opportunities associated with an organization's management of its legislative, advisory and litigation activities, including the development and renewal of, and compliance with, laws, regulations, international treaties / agreements and policies.

Organizational transformation and change management

Threats and opportunities associated with significant structural or behavioural change within an organization related to mandate, operating context, leadership and strategic direction.

Policy development and implementation

Threats and opportunities associated with an organization's design, implementation and compliance with the government-wide policy suite as well as its own internal policies and procedures.

Privacy / Information stewardship

Threats and opportunities associated with an organization's protection of intellectual property and personal information.

Program design and delivery

Threats and opportunities associated with an organization's design and delivery of specific programs, which may impact the organization's overall objectives.

Project management

Threats and opportunities associated with an organization's process and practice of developing and managing major projects in support of its overall mandate, as well as risks associated with specific projects that may require ongoing management.

Political

Threats and opportunities associated with the political climate and operating context of an organization.

Reputational

Threats and opportunities associated with an organization's reputation and credibility with its partners, stakeholders and the Canadian public.

Resource management

Threats and opportunities associated with the availability and level of resources of an organization to deliver on its mandate, as well as the organization's management of these resources.

Stakeholders and partnerships

Threats and opportunities associated with an organization's partners and stakeholder demographics, characteristics and activities.

Values and ethics

Threats and opportunities associated with an organization's culture and capacity to adhere to the spirit and intent of the Values and Ethics Code for the Public Service.

Appendix A: Definitions & Examples

Risk

Risk is defined as the effect of uncertainty on objectives. It is important to note that risk can be characterized as a negative uncertainty, commonly referred to as a threat, as well as a positive uncertainty, commonly referred to as an opportunity.

Risk category

A risk category is a type of risk that is sufficiently generic that it can be used to identify and aggregate risks from various parts of the organization. See section 2 for examples.

Risk event and risk impact

A risk event is a situation with the potential to affect the achievement of an organization's objectives. A risk event may be positive or negative – in other words, it may be a threat or an opportunity.

A risk impact is the potential effect of a risk event. As with a risk event, a risk impact may be positive or negative.

An example of a negative risk event (or threat): "The organization may not be able to maintain the current number of staff in scientific job categories."

An example of a negative risk impact: "Inability to meet the organization's research targets."

An example of a positive risk event (or opportunity): "The organization may be able to promote its innovative approaches at an upcoming international conference."

An example of a positive risk impact: "Enhanced ability to develop international partnerships."

Driver

A driver is an internal or external circumstance that is contributing to (or "driving") a risk. Drivers are often identified through environmental scans.

It is common for organizations to confuse drivers and risks. In particular, organizations sometimes refer to certain external circumstances (e.g., social, economic, etc.) as "external risks", when in fact they are drivers. To distinguish the two concepts, it is helpful for an organization to consider why the external circumstance challenges the organization, or why it presents an opportunity for the organization.

As an example, an organization might determine that the aging Canadian population is a driver that is contributing to an increase in the number of applications and persons eligible for a particular program and therefore contributing to the risk that the organization may not be able to meet the anticipated increase in program delivery demands.