
Governance Frameworks

Navigating the Web of Interconnected Risks

February 25, 2026 · 6 min read

Operational, technology, third-party, and conduct risks no longer move independently. The institutions managing them well are the ones that connect their governance frameworks rather than running them in parallel silos.

Adapted from a piece originally published on LinkedIn. Full editorial version pending review.

Risk taxonomies were designed when each risk type had relatively independent root causes and mitigations. That world is gone. A vendor outage is operational risk, technology risk, and third-party risk simultaneously. A model failure is technology risk, model risk, and potentially conduct risk. The taxonomy is still useful. Treating it as a set of silos is not.

What interconnection actually means

There are two practical implications. First, risk identification needs to ask which other taxonomies are touched by a given risk. Second, mitigation needs to be tested across boundaries: a control that mitigates operational risk can fail in a way that creates conduct risk.

Governance designs that hold up

The institutions doing this well share three patterns. They have a single risk register that supports multiple lenses rather than separate registers per risk type. They have explicit cross-taxonomy escalation paths. And their second line of defence challenges across boundaries, not just within them.

The exam dimension

Examiners are starting to probe these connections. They will ask how a third-party finding flows into operational risk metrics, or how a model risk issue shows up in conduct risk reporting. Institutions that can answer have done the integration work upstream.
