Risk Taxonomy as Governance Infrastructure: Adaptation, Traceability and Industry-led Use Cases for Fintech Innovation
Risk taxonomies in financial services are often presented as stable classification models: a hierarchy of principal risks that supports aggregation, governance oversight, and regulatory reporting. This paper argues that such a view is incomplete. In practice, a risk taxonomy is a governance infrastructure shared across stakeholder communities, including firms, supervisors, regulators, and the risk profession. Its value depends on traceability.
By traceability, we mean the practical ability to track and explain how risk categories, data, judgments, mapping rules, and mitigations are defined, applied, changed, and communicated within and beyond an organisation. Traceability matters because the quality of risk management is rarely observable in real time. Weaknesses may only become visible much later as business performance outcomes, operational incidents, or supervisory concerns, at which point feedback is costly, and remediation may be too late for firms and the wider system.
For CFOs and related decision-makers, the central issue is not whether a taxonomy contains the right high-level categories (which tend to be stable across major firms), but whether the organisation can operate the taxonomy reliably: govern changes, manage mappings and aggregation, and produce assurance-grade evidence that connects categories to decisions and outcomes.
Conceptually, we position risk taxonomy as a boundary object: a shared artefact that different communities can use for their own purposes while recognising it as “the same thing.” A taxonomy must be robust enough to maintain comparability across firms and reporting regimes, yet flexible enough to adapt to local realities: portfolio differences, organisational structure, data maturity, and changes in technology and competition. This predictable tension does not imply failure; it highlights that the taxonomy is doing coordination work across communities. The design challenge is to make this coordination auditable.
Empirically, we review risk management disclosures in the annual reports of three large UK banks over 2022–2024. We code for risk categories, implied hierarchies, grouping logic, and signals of year-on-year change. We observe strong stability at the top level (credit, market, liquidity/capital, operational, conduct, financial crime, model risk and climate-related risk as recurring themes), with change occurring mainly through shifting emphasis, greater granularity, and increased attention to non-financial and resilience-related risks. The implication is that innovation opportunities are less about reinventing categories and more about strengthening the socio-technical system around the taxonomy: data lineage, mapping logic, change control, governance workflows, assurance, and explainability, including for data-sparse or emerging risks where judgement and scenario processes play a larger role.
The paper’s contribution is a proposal for industry-led use cases: a portfolio of well-specified problem statements that large financial services firms can publish to invite targeted innovation from fintechs. Each use case is designed to be procurement-ready and assurance-aware. The portfolio is organised by decision ownership, minimum data inputs, workflow controls (audit trail, segregation of duties, approvals), outputs (MI, reporting support, evidence packs), and success measures (time and cost saved, reduction in reconciliation burden, fewer classification disputes, improved supervisory confidence).
We conclude with implications for the UK supervisor. Rather than advocating new rules, we propose that supervisory engagement can be strengthened by encouraging firms to set expectations for traceability-by-design around taxonomies. By this, we mean controlled change, transparent mapping between internal granularity and external reporting, auditable lineage from source data to risk decisions, and explicit governance of data-sparse risks, including scenarios, assumptions logs, and review cycles. These steps can reduce reporting friction while improving the credibility of risk disclosures and the resilience of firms and the system.