By Rupert D.E. Brown, CTO Evidology Systems.
The events of the first two decades of the 21st century have made the world’s businesses and general populations far more risk-aware and risk-averse: in this period we’ve seen natural disasters, multiple pandemics, major terrorist events, a major financial crash and, of course, most recently the blocking of the Suez Canal by a single ship, which halted a significant proportion of global physical trade for almost a week.
And yet the systematic evaluation and mitigation of risk remains a challenge, especially outside of complex financial analysis, where the 2008 crash forced a major rethink and improved financial risk measurement and controls across the globe.
In November 2020 ORX and Oliver Wyman Group published a “Reference Taxonomy for Operational and Non-Financial Risk Causes and Impacts”. This short and nattily-formatted 9-page PDF document is a follow-on to their prior joint publication, “The ORX Event Type Reference Taxonomy”.
Alongside these two free items is usage guidance which is available for a fee for each taxonomy.
Although it would be interesting to know how many companies have paid their fee for the guidance, the real question that needs to be asked is whether the taxonomy is actually useful.
This work by ORX and Oliver Wyman is based on what is known as the “Bow Tie” risk evaluation methodology, widely adopted in the 1990s to identify the factors and chains of events that lead to catastrophic failures, most notably in the aviation and petrochemical industries of that time.
Alongside the “Bow Tie” method interested readers will also find James Reason’s “Swiss Cheese” model, which in turn has evolved into the more formal notion of “lines of defence”, usually summarised as comprising three lines. However, in July 2020 the Institute of Internal Auditors (IIA) recognised that the “Three Lines” model was overly simplistic and had to be augmented with six principles.
When one looks into this world as a neutral outside observer, it is very easy to get lost in a blizzard of rather weak and overloaded terminology – taxonomies, methodologies, frameworks, principles, lines of defence, etc.
Detailed scrutiny of the “Bow Tie” and “Swiss Cheese” models, and of real examples of their usage, shows that they are often introductory PowerPoint illustrations that explain the notions of factors, causes and effects in operational risk through visual analogy. The diagrams themselves lack the formal dimensions, axes and scales that a rigorous measurement technique demands.
The Covid pandemic, and now the seemingly chaotic manufacture and distribution of vaccines, have surfaced one of the largest collections of interconnected operational risks the world has ever faced, and must inevitably result in improving both our skills and our toolsets to properly comprehend and manage them.
If we are going to make this improvement, then we need a combination of both rigorous definition and use of terminology, as well as formal, machine-readable digital standards for risk entities.
Probably the two most important are:
- Glossaries/thesauri – i.e., consistent common lists and alternative definitions for the risk items.
- Taxonomies – how the elements in the glossaries are organised into collections of related terms, typically as hierarchies of broader and narrower concepts.
The good news is that Sir Tim Berners-Lee (inventor of the World Wide Web) and the W3C have already defined digital standards for exactly this as part of the “Semantic Web”: RDF for the underlying data model, and SKOS (Simple Knowledge Organization System) specifically for glossaries, thesauri and taxonomies.
The bad news is that Sir Tim’s standards are not widely used outside of academia and are probably declining somewhat in use from the initial interest in them in the early years of the millennium, if the financial results of start-up companies in the field are anything to go by.
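To make concrete what a machine-readable glossary and taxonomy actually look like, and what “rigorous” buys you, here is an added example (not code from the article, ORX or Oliver Wyman). It holds a tiny cause taxonomy using the SKOS property names prefLabel, altLabel and broader, but in plain JSON-compatible dictionaries rather than RDF so that it needs only the Python standard library. The scheme URI, the concept identifiers and every label are constructed for illustration and are not the published ORX taxonomy. The checks are the ones a reference data standard needs before anyone can build on it: unique identifiers, a preferred label on every concept, no dangling or circular broader links, no label that resolves to two different concepts, and a content hash that changes whenever the published content does.

```python
"""A minimal machine-readable risk taxonomy with integrity checks.

Concepts carry the SKOS property names (prefLabel, altLabel, broader) but are
held in plain JSON-compatible dicts rather than RDF, so only the standard
library is needed. All identifiers and labels are constructed for
illustration; they are not the ORX/Oliver Wyman taxonomy.
"""
import hashlib
import json

SAMPLE_TAXONOMY = {
    "scheme": "urn:example:oprisk-cause-taxonomy",  # hypothetical scheme URI
    "version": "2021-04-01",
    "concepts": [
        {"id": "OR", "prefLabel": "Operational risk cause", "broader": None},
        {"id": "OR.EF", "prefLabel": "External fraud",
         "altLabel": ["Third-party fraud"], "broader": "OR"},
        {"id": "OR.EF.CYB", "prefLabel": "Cyber attack",
         "altLabel": ["Hacking", "Intrusion"], "broader": "OR.EF"},
        {"id": "OR.BD", "prefLabel": "Business disruption",
         "altLabel": ["Outage"], "broader": "OR"},
        {"id": "OR.BD.SUP", "prefLabel": "Supplier failure",
         "altLabel": ["Supply chain disruption"], "broader": "OR.BD"},
    ],
}


def labels_of(concept):
    """All labels of a concept (preferred first), skipping missing ones."""
    return [l for l in [concept.get("prefLabel"), *concept.get("altLabel", [])] if l]


def validate(tax):
    """Return a list of integrity problems; an empty list means the taxonomy is sound."""
    errors = []
    ids = {}
    for c in tax.get("concepts", []):
        cid = c.get("id")
        if not cid:
            errors.append("concept without an id")
            continue
        if cid in ids:
            errors.append(f"duplicate id {cid}")
        ids[cid] = c
        if not c.get("prefLabel"):
            errors.append(f"{cid}: missing prefLabel")

    # Every broader link must point at a concept defined in this scheme.
    for cid, c in ids.items():
        parent = c.get("broader")
        if parent is not None and parent not in ids:
            errors.append(f"{cid}: broader {parent} is not defined")

    # Walk each broader chain; revisiting a node means the hierarchy has a cycle.
    for cid in ids:
        path, cur = [], cid
        while cur is not None and cur in ids:
            if cur in path:
                errors.append("cycle: " + " -> ".join(path + [cur]))
                break
            path.append(cur)
            cur = ids[cur].get("broader")

    # A label that resolves to two different concepts makes the glossary ambiguous.
    owner = {}
    for cid, c in ids.items():
        for label in labels_of(c):
            key = label.casefold()
            if key in owner and owner[key] != cid:
                errors.append(f"label '{label}' used by both {owner[key]} and {cid}")
            owner.setdefault(key, cid)
    return errors


def lookup(tax, term):
    """Glossary lookup: resolve a preferred or alternative label to a concept id."""
    key = term.casefold()
    for c in tax["concepts"]:
        if any(l.casefold() == key for l in labels_of(c)):
            return c["id"]
    return None


def ancestors(tax, cid):
    """Broader concepts from the immediate parent up to the root (assumes validate() passed)."""
    ids = {c["id"]: c for c in tax["concepts"]}
    chain = []
    cur = ids[cid].get("broader")
    while cur is not None:
        chain.append(cur)
        cur = ids[cur].get("broader")
    return chain


def content_hash(tax):
    """SHA-256 of the canonical JSON form: any edit to the content changes the version id."""
    canonical = json.dumps(tax, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    problems = validate(SAMPLE_TAXONOMY)
    print("valid" if not problems else "\n".join(problems))
    print("hacking ->", lookup(SAMPLE_TAXONOMY, "hacking"))
    print("content hash:", content_hash(SAMPLE_TAXONOMY))
```

The point of the hash is the versioning problem discussed later in the piece: a consumer who pins a taxonomy by its content hash can prove which edition their controls were mapped against, which a PDF with a date on the cover cannot offer. Converting the same dictionaries to real SKOS in RDF/Turtle is mechanical once these checks pass; what the checks guard against (ambiguous labels, circular or dangling hierarchies) is exactly what a hand-drawn diagram never detects.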
The question that now needs to be asked is why organisations such as ORX and Oliver Wyman aren’t publishing and maintaining digital risk/control taxonomies, and why regulatory institutions such as the FCA and PRA aren’t publishing glossaries that formally define the entities they govern.
There are probably two main reasons for this.
- Ownership and liability – if something is going to be a formal digital risk reference data standard then it costs money to maintain and raises the question of who is responsible if the content is wrong.
- Versioning and distribution – technical standards have existed for some time now to enable rigorous version control of digital assets such as source code (git) and their global distribution (GitHub etc.). However, consulting firms are often wary of using these tools because they are perceived as commoditising their skills and cannibalising margins (how many consultancies have in-house IT these days?).
So what we have been left with is a balkanised collection of websites and PDF brochureware that abuse the terms “glossary” and “taxonomy” in a modern digital context, with the result that the notion of “Straight Through Compliance” has become something that everyone waxes lyrical about in virtual conference keynotes, but no one is willing to make the first move.
In order to cut this Gordian Knot, someone is going to have to blink and start publishing content that they own – this would seem to point the finger to regulatory bodies and basic glossaries. At the moment, these institutions tend to promote their technical credentials through the use of sandboxes and hackathons rather than having the confidence to trust their own in-house IT capabilities to construct and maintain substantive new content.
In conclusion, we can now return to the initial question posed about the value of the taxonomy that ORX and Oliver Wyman have published. The answer – as we have seen above – is that it could be useful if it were machine-readable, but that it is one of many, all of which are subject to continuous change. Currently no one is brave enough to industrialise the supply chains and processes that truly digital operational risk and control taxonomies enable.
George Bernard Shaw wrote, in Man and Superman, “He who can, does. He who cannot, teaches.” Perhaps it sums up the capabilities of the operational risk and compliance market participants at the moment.