What's wrong with our Risk Management Policies?

"Without clearly defined objectives ... there is arguably no business case to justify resources in support of risk management activities."

It should be no surprise that a clear, well written risk management policy is an essential part of any risk management framework. It establishes the foundation and mandate for implementing risk management within an organization.   Ideally, it should be a succinct document reflecting the context of the organization and written in a style which can be easily understood and applied.

If you cover just 9 simple points you'll end up with a great Risk Management Policy. I guarantee it. Consider this if you will, the dummies guide to risk management policies (or for any management policy for that matter):

1. Policy – what is the course, principle action or commitment adopted by the organization?
2. Philosophy – what are the attitudes and beliefs that will guide decision making and behaviors?
3. Objectives – what are the objectives and rationale of the policy? What does it hope to achieve?
4. Business Planning – how does risk management link to other business processes and corporate objectives?
5. Application – how will it be applied? What framework or approach will the organization adopt? (Eg: ISO31000, COSO, internal corporate standards, etc). To what extent does the policy apply?
6. Performance – how will the organization measure achievement of the objectives outlined in the Policy (Eg: Internal audit, external audit, insurance premiums, etc)
7. Acceptance Criteria – what is the organizations risk attitude or risk tolerance? The policy should offer guidance on what may be regarded as acceptable risk. 
8. Documentation – how and when will the risk management activities and processes be documented?
9. Responsibilities – who is responsible and what are they responsible for? 

This might sound like a lot of information to cover, but I'll go out on a limb and say that all this can be fitted into a one-page document. Remember, we're not writing a 50 page national healthcare policy, nor are we going to commit the sin of confusing policy with procedure - Policies and Procedures are two very different beasts. If you want to put both in one document, that's up to you but I suggest you consider the implications of doing so. If you still want to train-smash them together, I recommend that you at least make it clear to the readers which part of the document is the 'why', and which part is the 'how'.

If you follow my advice however, you'll end up with a one page policy document. Any more than that and you've probably included text which more rightly belongs in procedures, strategies, plans or the like.  Just to prove it can be done, here is an example of a one page risk management policy.

The policy should also provide guidance to other questions that impact on risk management performance. For example, the following items might not be addressed within the policy but it should provide guidance as to how or where these elements are addressed:

• Monitoring and Review - what are the requirements for monitoring and reviewing organizational risk management performance?
• Resources - What level of support and expertise is available to assist those responsible for managing risks?

While all of the above elements are important in their own right, and collectively build interlocking pieces of the policy, it is likely that the most important elements to an organization will be (a) the objectives, (b) responsibilities, and (c) documenting the appetite for risk and approach to risk management within the organization.  A good risk management policy also provides a framework for carrying out more detailed risk management programs at project or divisional level.

Defining organizational objectives is another critical part of the risk management process. In building a high performing organization, it’s essential that members of the organization have some fundamental information. In this context that includes a basic understanding of the organization’s decision making processes, the criteria, and level of risk which is acceptable.

Having clearly defined risk management objectives is also crucial as they provide the raison d’être for the policy and risk management practices within the organization.  Without clearly defined objectives for an organizational initiative, there is arguably no business case to justify resources in support of risk management activities.  Last but not least, the risk management policy needs to be incorporated into the organization’s broader management system and to be signed off by the Board or Chief Executive Officer.

===================

A few people have asked me for copies of the policy in MS Word format so I've posted it in Word format as a download at http://www.juliantalbot.com/Downloads.htm You'll also find a template for a supporting procedure there and an article about procedures here on my blog.