What constitutes a good risk taxonomy?
What is a Risk Taxonomy?
There are various formal definitions of risk taxonomies (and we will go over those below), but it might be useful to first look at a very intuitive example of a risk taxonomy: the classification of fire hazards (also known as fire classes).
Everybody knows (or should know!) that the different types of fire (which is the underlying Risk in this context) cannot be treated the same way because they respond in different ways to the substances used to suppress the fire. The fire classes taxonomy captures the essential differences that we need to know for risk management purposes.
First, we see in the left column the broad classification along five categories:
- Combustibles
- Flammable Liquids
- Electrical
- Metals
- Cooking Oil
The categories or classes capture what is deemed the most critical attribute of a fire hazard: what is actually burning.
The second column of the taxonomy further refines the type of fire (e.g. Wood, Cloth or Paper for the Combustibles category). This second level provides more concrete and recognizable context about where we might encounter a given type of fire.
The third column addresses what we would formally call the Risk Mitigation options available in each instance: the means by which one can reduce the impact of the fire instance.
While risk mitigation is a very important topic in its own right (and a motivation for the taxonomy), we will not expand in this direction in this post in order to keep the discussion focused.
The Typical Risk Taxonomy Structure
A risk taxonomy is the (typically hierarchical) categorization of risk types. A common approach to structuring a taxonomy is to adopt a tree structure, whereby risks higher in the hierarchy are resolved into more specific (granular) manifestations further down.
- The root node of the taxonomy denotes the aggregation of all types of relevant (in-scope) risks to the organization. Here it would be the concept of a fire hazard.
- The child nodes (or leaves of the tree) are more specific manifestations of Risk Type. Child nodes can be thought of as the range of values of a Categorical Variable. The variable fire class ranges over five values. Further, the variable fire type for the combustibles fire class ranges over three values.
- There is a flexible number of taxonomy levels (which need not be the same across the taxonomy). In our example we have only two, but three or more levels are also seen in practice. One could conceive further subdivisions e.g. by specifying wood related fires by the predominant type of wood burning. Whether such granularity is required depends on the context and the practical use of the taxonomy.
- The arrangement of nodes at any given taxonomy level is not pre-ordained and can be a tree or a matrix. In our example a tree structure is natural. When the categorical variables driving the classification allow it, a matrix structure might be more appropriate. For example, when we classify butterflies by color and size, each butterfly has an attribute of both color and size.
The structure of risk taxonomies and many examples currently used in the financial sector are documented in detail at the Open Risk Manual entries. The Open Risk Taxonomy for risk models aims to support an open source risk models framework. The proposal builds on and extends commonly used risk taxonomies within financial services firms but introduces significant new subcategories.
Elements of a Good Risk Taxonomy
Using our fire hazard example we can now discuss some key attributes of a good taxonomy:
- Comprehensive Coverage: At any level of the hierarchy the totality of risk types must aggregate to the super-type, and any risk within the super-type belongs to one of the sub-types. So, put simply, any type of fire must be mapped somewhere. In our example we see that this is largely the case, although it is quite possible that chemists or physicists know of exotic types of fire that are not listed (e.g. a thermonuclear reaction) because they are deemed not relevant in the context to which the risk taxonomy is applied.
- Granularity: The taxonomy has sufficient granularity to distinguish risk types that have their own unique attributes. When deciding granularity there are always decisions and trade-offs. For example in the US Classification, Flammable Liquids and Flammable Gases are treated together, whereas in the EU classification they are treated differently.
- Definitional Clarity: To prevent overlap and ambiguity, at any level of the hierarchy, a risk belongs to one and only one risk type. For example, in this taxonomy the overarching attribute that is used to classify the different fire classes is the material that is actually burning. Given that materials are generally distinct, the classes are generally distinct, but on occasion some subtlety might enter (for example, flammable liquids and cooking oils are both liquids).
- Stability over Time: Risks can be assigned to appropriate risk types in a consistent way over longer time horizons. Fortunately fire hazards do not mutate over time, but we note for example that electrical fires are a 20th century (and later) phenomenon and did not exist before!
While various attributes may characterize a good (useful) risk taxonomy as outlined above, there is no unique taxonomy for a given domain, as the aspects chosen to classify risks can be drawn from a very large set. In the fire hazard example the classification dimension is firmly associated with the risk mitigation possibilities (which seems to be a more widely applicable principle). The reason different risks are segmented as they are is the vital importance of applying the correct remedy!
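The coverage and definitional clarity attributes can be checked mechanically once the taxonomy is held as a tree. The following is an added example, not code from the original post: the function names, the sample incident labels and the overlapping variant are constructed for illustration, and only the Combustibles sub-types are filled in because those are the ones the text names.

```python
import copy

# Fire classes from the post; only Combustibles has named sub-types there.
TAXONOMY = {
    "Fire Hazard": {
        "Combustibles": {"Wood": {}, "Cloth": {}, "Paper": {}},
        "Flammable Liquids": {},
        "Electrical": {},
        "Metals": {},
        "Cooking Oil": {},
    }
}

# Constructed incident labels; "Thermonuclear" is the out-of-scope case the post mentions.
OBSERVED = ["Wood", "Paper", "Electrical", "Thermonuclear"]

# Constructed variant: cooking oil also filed under flammable liquids (both are liquids).
OVERLAPPING = copy.deepcopy(TAXONOMY)
OVERLAPPING["Fire Hazard"]["Flammable Liquids"] = {"Cooking Oil": {}}


def leaf_paths(tree, prefix=()):
    """Yield (leaf_name, path_from_root) for every leaf of a nested-dict tree."""
    for name, children in tree.items():
        path = prefix + (name,)
        if children:
            yield from leaf_paths(children, path)
        else:
            yield name, path


def check_taxonomy(tree, observed):
    """Return (ambiguous, unmapped).

    ambiguous: leaf names reachable by more than one path, i.e. a risk that
               belongs to more than one risk type (definitional clarity fails).
    unmapped:  observed labels with no leaf at all (coverage gap).
    """
    index = {}
    for leaf, path in leaf_paths(tree):
        index.setdefault(leaf, []).append(path)
    ambiguous = {leaf: paths for leaf, paths in index.items() if len(paths) > 1}
    unmapped = sorted(set(observed) - set(index))
    return ambiguous, unmapped


if __name__ == "__main__":
    print(check_taxonomy(TAXONOMY, OBSERVED))
    print(check_taxonomy(OVERLAPPING, OBSERVED))
```

An unmapped label is not automatically a defect: as with the thermonuclear case, it may simply be out of scope, but the check forces that decision to be made explicitly.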