CRIC taxonomy explained

Your path to better risk management

Original content provided by 

A CRIC taxonomy refers to the categorisation of Causes, Risks, Controls and Impacts before deploying your risk management framework. This structured approach helps you to pinpoint your risk assessment and categorise your events properly.  

In this third article of our BDO Risk Blueprint series, you will read more about what CRIC stands for, the different taxonomies and how they can help you build a more risk-resilient business.

The foundation: understanding CRIC taxonomy 

When you examine the risks faced by your organisation, it is crucial to understand that these do not exist in isolation. Every risk has a cause that triggers it, an impact that affects your business, and controls that can help mitigate it. This interconnected view helps you move from simply identifying risks to actively managing them. 

Creating an effective risk taxonomy 

Your risk taxonomy needs to work specifically for you, but what makes it truly effective? 

First, it must be relevant to your organisation's unique risk profile and exposure. Just as every business has its own strengths, each company faces different challenges and risks. Second, your taxonomy should follow the MECE principle – Mutually Exclusive and Collectively Exhaustive. In practice, these two principles create a comprehensive yet clear-cut classification system:  

  • Mutually Exclusive: each element belongs to one category only. You should not have the same label both as a risk and as an impact; make sure there is no overlap across the four categories. 
  • Collectively Exhaustive: all possible causes, risks, controls and impacts find a home in your categories.

A practical tip from industry experience: focus your reporting up to the second level of categorisation. This approach provides enough detail to be actionable without becoming overwhelming. You can then tailor more specific details at the third level for your needs. 
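The two MECE checks above, and the tip about reporting at the second level, can be applied mechanically to a taxonomy once it is written down. The validator below is an added example, not code from the article or from BDO; the category labels, the sample events and the one deliberate overlap ("Service disruption" used as both a risk and an impact) are constructed for illustration, and the four top-level categories are the CRIC ones.

```python
"""Added example: MECE checks over a CRIC taxonomy (constructed data, not BDO's)."""
from collections import defaultdict

# Constructed taxonomy: {CRIC category: {level-1 label: [level-2 labels]}}
TAXONOMY = {
    "Cause": {
        "People": ["Competence", "Resourcing", "Engagement"],
        "Process": ["Procedure gap", "Workflow failure"],
        "System": ["Infrastructure outage", "Capability gap"],
        "External": ["Political", "Economic", "Social",
                     "Technological", "Legal", "Environmental"],
    },
    "Risk": {
        "Third-party risk": ["Vendor failure", "Outsourcing concentration"],
        "Data management": ["Data quality", "Data loss"],
        "Business continuity": ["Site unavailability", "Service disruption"],
    },
    "Control": {
        "Preventive": ["Access approval", "Segregation of duties"],
        "Directive": ["Policy", "Training"],
        "Detective": ["Reconciliation", "Monitoring alert"],
        "Corrective": ["Incident playbook", "Backup restore"],
    },
    "Impact": {
        "Financial": ["Direct loss", "Fine"],
        "Service delivery": ["Service disruption"],  # deliberate overlap with Risk
        "Customer & reputation": ["Customer detriment", "Press coverage"],
        "Regulatory": ["Enforcement action"],
    },
}

# Constructed events already tagged by the business; EVT-003 has no home yet.
EVENTS = [
    {"id": "EVT-001", "category": "Cause", "label": "Competence"},
    {"id": "EVT-002", "category": "Impact", "label": "Fine"},
    {"id": "EVT-003", "category": "Cause", "label": "Cyber attack"},
]


def labels_by_category(taxonomy):
    """Yield (category, label) for every level-1 and level-2 entry."""
    for category, level1 in taxonomy.items():
        for l1, level2 in level1.items():
            yield category, l1
            for l2 in level2:
                yield category, l2


def mutually_exclusive_violations(taxonomy):
    """Mutually Exclusive: a label must not appear in two categories (or twice in one).
    Returns {label: [categories it appears in]} for every offending label."""
    seen = defaultdict(list)
    for category, label in labels_by_category(taxonomy):
        seen[label.casefold()].append(category)
    return {label: cats for label, cats in seen.items() if len(cats) > 1}


def unclassified(events, taxonomy):
    """Collectively Exhaustive: every tagged event must map to an existing entry
    of its category. Returns the events that do not."""
    known = {(cat, label.casefold()) for cat, label in labels_by_category(taxonomy)}
    return [e for e in events
            if (e["category"], e["label"].casefold()) not in known]


def rename_label(taxonomy, category, old, new):
    """Return a copy with one level-2 label renamed, the usual way to remove an overlap."""
    return {
        cat: {l1: [new if cat == category and l2 == old else l2 for l2 in l2s]
              for l1, l2s in level1.items()}
        for cat, level1 in taxonomy.items()
    }


def reporting_view(taxonomy, depth=2):
    """Flatten the taxonomy to the depth used for reporting: depth=1 gives
    (category, level-1) paths, depth=2 adds the level-2 leaf."""
    paths = set()
    for category, level1 in taxonomy.items():
        for l1, level2 in level1.items():
            if depth == 1:
                paths.add((category, l1))
            else:
                paths.update((category, l1, l2) for l2 in level2)
    return sorted(paths)


if __name__ == "__main__":
    print("overlaps:", mutually_exclusive_violations(TAXONOMY))
    print("unclassified:", [e["id"] for e in unclassified(EVENTS, TAXONOMY)])
    fixed = rename_label(TAXONOMY, "Impact", "Service disruption", "Service outage")
    print("overlaps after rename:", mutually_exclusive_violations(fixed))
    print("level-2 reporting lines:", len(reporting_view(fixed)))
```

Run as a script it reports the one overlap, the one event without a home, and the number of level-2 reporting lines; the same functions can be pointed at a real taxonomy loaded from a spreadsheet export, which is where the MECE check usually first fails.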

The taxonomy also highlights the importance of causes and controls: they form the basis for your leading Key Risk Indicators.

CRIC Taxonomy and architecture

The evolution of risk categories

Risk management has evolved significantly over the past years. The seven best-known and most common categories for the financial services industry were defined by the Basel Committee. However, as these were set up more than 25 years ago, ORX (Operational Risk data Exchange) defined a new operational risk taxonomy for the financial services industry in 2019.

This new categorisation better reflects the incidents that occur in the financial industry, as it is based on an analysis of half a million data points from banks and insurance companies. Three distinct pools of risks emerged from their analysis:  

  1. Elevated Risks (shown in yellow in their framework)*:  
    • These were previously second-tier concerns that now demand primary attention. 
    • Examples include third-party risk management, data management, and business continuity. 
    • Their promotion to top-level status reflects our changing business environment. 

  2. Traditional Basel Risks (shown in blue)*:  
    • These maintain a one-to-one correspondence with the original categories. 
    • They remain fundamental to risk management. 

  3. Granularised Client and Business Practices Risks*: 
    • This represents a more detailed breakdown of CBPB (Client, Product, and Business Practices). 
    • Includes separate categories for legal compliance and financial compliance. 

*Visual on slide 6 in the presentation

Impact taxonomy

This taxonomy is categorised based on severity rating and key impact categories. These directly feed into your risk assessment matrix, creating a one-to-one relationship between your impact taxonomy and risk evaluation process. 
The key impact categories are: 

  • Financial impact 
  • Service delivery and continuity 
  • Customer detriment & reputation damage 
  • Regulatory consequences 

Impact Taxonomy: aligned with the heatmap

Cause taxonomy: the PPSE framework

When analysing your risk causes, the PPSE framework provides a comprehensive structure: 

  • People: looking at resource management, competence levels, and engagement 
  • Process: examining operational procedures and workflows 
  • System: evaluating technical infrastructure and capabilities 
  • External events: using PESTLE acronym (Political, Economic, Social, Technological, Legal, and Environmental factors) 

Examples of causes taxonomy: level 1 & 2 - PPSE

Control taxonomy: your risk management toolbox

Controls in your taxonomy should align with the Institute of Internal Auditors' categories. 
These give clear, well-separated segments:

  • Preventive controls: stop issues before they occur 
  • Directive controls: guide proper execution 
  • Detective controls: identify issues when they happen 
  • Corrective controls: address problems after detection 

Control Taxonomy: Concise examples

Interested to further explore your taxonomy?

CRIC taxonomy for a tier 2 retail bank

What is important to keep in mind is: your control taxonomy does not necessarily need 250 entries. 
With sufficiently detailed categorisation, you can cover the same number of monitored controls with fewer entries. 

Your risk taxonomy should evolve with your organisation. Plan to review and update it annually, incorporating: 

  • Findings from your Risk and Control Self-Assessment (RCSA) 
  • Lessons learned from incidents 
  • Changes in your business environment 
  • New challenges and opportunities

Remember, the goal is not just to document risks – it is to create an actionable framework that helps you manage them effectively. By maintaining this dynamic approach, you build a more resilient organisation that is better prepared for future challenges.

Want to take the next step in strengthening your risk management?

Let's explore how we can help you develop a taxonomy that works for your specific needs and goals.