A risk management policy is an important document that directs your employees on how to manage risk. It is a 'tone-from-the-top' document that plays a foundational role in establishing your risk culture.

When is a Risk Management Policy Needed?

There are several reasons why you would issue a risk management policy for your organization: the risk's significance to the organization, a regulatory requirement, and/or specialized risk management requirements for that risk.


When you developed your risk taxonomy you identified your top-level risk categories, such as strategic, operational, and financial risks. As these are the top risk categories in your organization, I recommend that you create a policy that addresses each of these categories given their importance. If the content and the policy owner overlap, you can choose to combine the policies in an effort to limit the number of policies to be approved.

You may also be required to issue a risk management policy to comply with regulatory requirements, regardless of whether it is one of the top-level risk categories you identified. For example, IT standards that you want to meet may dictate the need for a specific risk management policy. Refer to your local regulatory body for guidance.


Another compelling reason is if you identified a risk category that has specialized risk management requirements in addition to the requirements for the high-level category it sits under. Review your level 2 and level 3 risk categories to identify any that apply.

Risk Management Policy Level of Detail

Risk management policies are ‘tone-from-the-top’ documents that play a foundational role in embedding your risk culture.  Therefore, your risk management policies should be issued from the highest level in the organization, such as your Board of Directors. Accordingly, they should strike the right balance when it comes to level of detail. 

Your policies should be informative enough to allow your employees to carry out the stated directives. For this reason, it is helpful to convey 'principle-based' messages, which summarize the risk management expectations. Within each principle, the supporting details and the roles and responsibilities for carrying out the principle statement should be defined. Provide enough detail to avoid misunderstandings or unclear messaging. But keep in mind, your policy is not intended to explain how your policy principles are to be implemented. Procedures linked to the policy serve that purpose.

What Should a Risk Management Policy Contain?

Your risk management policy is intended to direct the reader on the expectations for managing the applicable risk. Therefore, introductory information that sets up the document before jumping into the core content is always helpful. This could include the policy purpose, regulatory basis, scope, approval, applicability, and key terminology. However, your principle statements represent the main body of the policy.

Core Risk Management Principles

Your principle statements represent the heart of your policy.  At a minimum, your risk management policies should address the following principles for the risk category:


You may also want to include principle-based expectations that reinforce your risk culture. For example, compliance with laws and regulations and/or providing proper training and implementation guidance for managing the risk are highly recommended principle statements to consider.


Policy Ownership

As mentioned earlier, your risk management policy should be approved by the highest level of the organization, e.g., the Board of Directors. Meanwhile, it should be owned by an individual within the company who has the appropriate authority and knowledge to manage the risk. This could be a member of the Executive Committee. This person will ensure that the policy is kept up to date and approved on time, and that procedures and appropriate training are put in place to support its implementation.
