I think Dilip Krishna and Scott Randall may be talking at cross-purposes. I agree with Scott that the STEEP taxonomy is an excellent starting point assuming that the political element is broad enough to encompass regulatory risks such as anti-money laundering violations.

If I understand Dilip’s point, there often is too much internal organizational overlap in efforts to deal with many of the components of any taxonomy defining the sources of risk. One example of this is the tendency to view meeting the Basel II operational risk requirements as a separate effort from more specific demands such as AML compliance. Most of what is needed for effective anti-money laundering efforts or SOX compliance is the assurance of consistent adherence to a well defined process. As such, these are really specific instances within generic operational risk management and control efforts. Building tools to deal with the generic OpRisk challenge that are sufficiently flexible to support SOX, AML and other efforts requiring disciplined execution makes much more sense than building customized tools for each specific requirement.