Regdefy

Building a risk culture from day one: why your risk register needs a taxonomy (and how RegDefy helps)

When you’re building a regulated institution, risk management is never an “add-on”. It quickly becomes one of the dominant threads running through strategy, operations, governance, and day-to-day decision making. You’re not just documenting risks for a regulator—you’re shaping how the organisation behaves.

That emphasis becomes even more pronounced for brand new Financial Market Infrastructures (FMIs) operating in environments like the Digital Securities Sandbox. In that context, expectations around controls, oversight, and evidence are high from the start. And on top of the formal requirements sits something both more subtle and more important: embedding a risk culture.

A real risk culture means the organisational “default behaviour” takes risk into account—especially when trade-offs are made. Where do we spend budget? What do we hire for first? What gets deprioritised? In a healthy risk culture, those choices naturally reflect the risks the organisation faces and the impact if they materialise.

The risk register is the heart of the system

At the centre of any risk management system sits the risk register. Done well, it becomes the trunk of the tree that everything else branches from:

  • controls
  • key risk indicators (KRIs)
  • risk appetite statements
  • policies, procedures, and testing
  • reporting and governance packs

If the risk register is unclear or inconsistent, everything built on top of it becomes harder: governance becomes noisy, control mapping becomes messy, and stakeholders stop trusting what they’re looking at.

From working with a couple of FMIs, one theme comes up again and again: the best risk registers aren’t flat lists. They’re structured in a way that makes them understandable to every stakeholder who needs to use them—from the Board, to senior management, to the first line teams actually managing risks, to the second line monitoring them.

Why a flat list breaks down (fast)

A register has to cover a wide range of risk types, often side by side:

  • product risk (e.g., the product fails in-market)
  • operational risk (e.g., critical systems fail)
  • compliance risk (e.g., regulatory obligations aren’t met)
  • governance and conduct risk
  • financial risk

When all of that sits in a single long list, it becomes difficult to:

  • navigate quickly
  • report at the right level for different audiences
  • standardise language
  • assign ownership cleanly
  • roll up assessments into meaningful board-level views

That’s where a risk taxonomy—a tree structure—earns its keep.

The taxonomy approach: one register, multiple “views”

Instead of a flat list, a taxonomy organises risks in a hierarchy. In RegDefy, this can be implemented as a five-level tree:

  • Level 0 (L0): broad risk domains
  • Level 1 (L1): major risk areas (board-friendly)
  • Level 2 (L2): specific management areas (senior management/OpCo-friendly)
  • Level 3 (L3): the risks themselves (where assessment and first-line management happens)
  • Level 4 (L4): optional sub-registers for deep granularity where regulators/CROs need it

The real power of this structure isn’t the hierarchy for its own sake—it’s what it enables: consistent language, clear ownership, and the ability to communicate the same underlying risk information at different levels of detail depending on who’s reading.

Let’s look at each level in turn.


Level 0: anchoring risk in industry-standard concepts

L0 statements are the broad domains of risk every organisation recognises. In practice, they tend to be similar across firms, and act as anchors rather than working tools.

A common set is:

  • Operational
  • Financial
  • Governance
  • Business

Because these are so broad, you don’t “manage” risks at L0. But they help standardise the overall map of risk across the organisation, and ground your framework in language that regulators, auditors, and experienced board members intuitively understand.

Each L0 contains a set of L1s.


Level 1: the board’s map of the risk landscape

Your L1s are where the taxonomy starts to become operationally meaningful.

Best practice sizing: ideally 5 to 15 L1s in total. That range matters: it’s roughly the amount of information a board can usefully hold and discuss without the conversation becoming either too abstract or too detailed.

The purpose of L1s is simple: they’re how you divide up the risk landscape for the Board.

Example:

  • Under Operational (L0), an L1 could be People.

In RegDefy-style implementations, this is also a natural level to attach governance artefacts such as:

  • policies that set expectations across a major area
  • metrics/KRIs to measure risk performance consistently
  • risk appetite (often handed down by the board), expressed both qualitatively and quantitatively

That’s a subtle but important point: setting appetite at the same level you report to the board reduces the “translation layer” risk teams often end up doing manually.

Each L1 contains a set of L2s.


Level 2: where senior management can actually run the business

L2s break L1s down into specific, manageable areas.

Best practice sizing: up to 50 L2s, or roughly 3–4 per L1 (very roughly—organisations differ).

The goal of L2s is to give senior management (and your OpCo) a risk structure that is:

  • granular enough to manage
  • not so granular that it becomes overwhelming

Example:

  • Under People (L1), an L2 could be Resourcing.

At this level it often becomes useful to assign ownership for the whole category—e.g., the HR lead or COO function owner—so accountability is naturally federated rather than centralised in risk.

In RegDefy, that owner can be optionally set at the L2 level, which makes downstream ownership and reporting cleaner.

Each L2 contains a set of L3s.


Level 3: where risks are assessed and actively managed

L3s are the point where you’re no longer categorising risk—you’re describing it.

Best practice sizing: around 100 L3s (again, a guideline, not a rule). A practical reason this works: it’s around the upper bound of what a single senior risk owner (like a CRO) can keep cognitively “in view” without the register turning into noise.

The purpose of L3s is to be where the first line of defence actually manages the risk.

Example:

  • Under Resourcing (L2), an L3 could be Insufficient resources to carry out the mission.

This is typically where you:

  • set the risk owner (if not already set at L2)
  • perform probability and impact assessments
  • apply specific controls (often non-policy controls, i.e., operational controls)
  • link evidence, actions, and monitoring

A particularly practical feature in RegDefy-style setups is being able to map L3 risks to parts of your operating model (a “digital twin” view of the organisation), so you can represent where the risk arises—systems, processes, teams, third parties, and so on. That makes it easier to see concentration risk and control coverage gaps.

It also enables conservative roll-ups: assessments at L3 can be rolled up to higher levels to create a consistent view of severity across the taxonomy—without the board needing to wade through 100 individual risk statements.


Level 4: optional sub-registers for the areas that demand deep granularity

Even with ~100 L3s, there are categories where regulators (and CROs) often need more detail than a single risk statement can provide.

That’s where L4s, or sub-registers, come in.

This commonly arises in areas like:

  • financial crime
  • cyber security
  • system outage / resilience

A classic example: for system outage risk, you may need an individual risk entry per critical system, with controls and testing evidence specified for each.

L4s let you go “endlessly granular” where required, without forcing the entire register to operate at that depth. Typically, L4 ownership sits with the owner of the parent L3, keeping accountability clear and local.
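The five-level tree, the sizing guidelines, federated ownership (an L3 inheriting its L2 owner, an L4 inheriting from its parent L3) and the conservative roll-up of L3 assessments described above can all be shown in one small model. The following is an added example and not RegDefy code: the node names, the 1 to 5 likelihood and impact scale, the synthetic root above L0, and the reading of “conservative roll-up” as “a parent reports the worst score among its children” are assumptions made for illustration.

```python
"""Worked model of a five-level risk taxonomy (L0 domains .. L4 sub-registers).

Constructed example, not RegDefy code. Assumptions: a synthetic root above L0,
a 1..5 likelihood x impact scale at the leaves, and 'conservative roll-up'
meaning a parent reports the worst score among its children.
"""
from dataclasses import dataclass, field
from typing import Optional

# Sizing guidelines from the post, treated as soft checks rather than hard rules.
SIZING_GUIDELINES = {1: (5, 15), 2: (0, 50), 3: (0, 100)}


@dataclass
class RiskNode:
    name: str
    level: int                        # 0..4 as in the post; -1 is the synthetic root
    owner: Optional[str] = None       # optional at L2, set at L3 if not inherited
    likelihood: Optional[int] = None  # assessed only at leaves: 1 (rare) .. 5 (near certain)
    impact: Optional[int] = None      # 1 (minor) .. 5 (severe)
    children: list = field(default_factory=list)
    parent: Optional["RiskNode"] = field(default=None, repr=False)

    def add(self, child: "RiskNode") -> "RiskNode":
        # Levels must nest one step at a time: L0 -> L1 -> L2 -> L3 -> L4.
        assert child.level == self.level + 1, "child must sit exactly one level below parent"
        child.parent = self
        self.children.append(child)
        return child

    def effective_owner(self) -> Optional[str]:
        """Ownership federates downward: a node without an explicit owner
        inherits the nearest owner above it (L3 from L2, L4 from its L3 chain)."""
        node = self
        while node is not None:
            if node.owner:
                return node.owner
            node = node.parent
        return None

    def severity(self) -> Optional[int]:
        """Conservative roll-up: a leaf scores likelihood x impact; a parent
        takes the worst score among its children, so a red L3 stays visible
        at L1 and L0 without the board reading every L3 statement."""
        if self.children:
            scores = [s for s in (c.severity() for c in self.children) if s is not None]
            return max(scores) if scores else None
        if self.likelihood is None or self.impact is None:
            return None  # not yet assessed
        return self.likelihood * self.impact

    def count_at(self, level: int) -> int:
        if self.level == level:
            return 1
        return sum(c.count_at(level) for c in self.children)

    def view(self, depth: int) -> list:
        """One register, multiple views: flatten to a given level with rolled-up
        severity and effective owner (depth=1 for the board, 2 for OpCo, 3 for
        first-line teams, 4 for sub-registers)."""
        if self.level == depth:
            return [(self.name, self.severity(), self.effective_owner())]
        rows = []
        for c in self.children:
            rows.extend(c.view(depth))
        return rows


def check_sizing(root: RiskNode) -> dict:
    """Compare node counts per level against the post's sizing guidelines."""
    report = {}
    for level, (lo, hi) in SIZING_GUIDELINES.items():
        n = root.count_at(level)
        report[level] = "ok" if lo <= n <= hi else f"{n} outside guideline {lo}-{hi}"
    return report


def build_example() -> RiskNode:
    """Constructed register following the post's Operational > People > Resourcing chain."""
    root = RiskNode("Register", level=-1)
    operational = root.add(RiskNode("Operational", 0))
    people = operational.add(RiskNode("People", 1))
    resourcing = people.add(RiskNode("Resourcing", 2, owner="COO"))  # owner set at L2
    resourcing.add(RiskNode("Insufficient resources to carry out the mission", 3,
                            likelihood=3, impact=4))  # no owner: inherits COO
    resourcing.add(RiskNode("Key-person dependency", 3, owner="Head of HR",
                            likelihood=2, impact=3))
    tech = operational.add(RiskNode("Technology", 1))
    outage = tech.add(RiskNode("System outage / resilience", 2, owner="CTO"))
    critical = outage.add(RiskNode("Critical system unavailable", 3))
    # L4 sub-register: one entry per critical system, ownership stays with the L3 chain.
    critical.add(RiskNode("Settlement engine outage", 4, likelihood=2, impact=5))
    critical.add(RiskNode("Reporting pipeline outage", 4, likelihood=3, impact=2))
    return root


if __name__ == "__main__":
    reg = build_example()
    for depth in (1, 2, 3, 4):
        print(f"L{depth} view:", reg.view(depth))
    print("sizing:", check_sizing(reg))  # L1 count of 2 is below the 5-15 guideline
```

Running the block prints the same register at four depths: the board view lists only People and Technology with their rolled-up scores, while the L4 view shows the per-system entries with the CTO as effective owner. The sizing report flags that this toy register has too few L1s, which is the kind of soft check a risk team would want before a board pack goes out.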


Why this structure makes risk culture easier—not harder

A taxonomy-based risk register does something deceptively powerful:

  1. It standardises language
    People stop talking past each other. “Resourcing risk” means the same thing in HR, Ops, Risk, and the board pack.
  2. It federates ownership
    Risk stops being “the risk team’s job”. Ownership is naturally distributed across the organisation, which is a prerequisite for genuine culture.
  3. It supports different audiences with one source of truth
    The board can talk in L1s, senior management can operate at L2, teams can manage at L3, and deep specialists can evidence at L4—without anyone maintaining separate spreadsheets.

That combination—shared language and federated ownership—is what turns “risk management” from a compliance exercise into a living organisational habit.

And this is where tools like RegDefy can quietly make a big difference: by making the taxonomy structure practical to implement, and by letting controls, policies, metrics, appetite, ownership, and roll-ups hang off the right level, you reduce friction. Less time wrestling the register means more time actually managing the risks.

If you’re building a regulated institution (especially a new FMI), investing early in a taxonomy-based risk register isn’t bureaucracy—it’s one of the fastest ways to make risk culture real.