What's wrong with our Risk Management Policies?
"Without clear objectives ... there is no business case to justify resources for risk management."
It should be no surprise that a clear, well-written risk management policy is an essential part of any risk management framework. It establishes the foundation and mandate for implementing risk management within an organization. Ideally, it should be a succinct document reflecting the organization's context and written in a style that can be easily understood and applied.
If you cover nine simple points, you'll end up with an excellent Risk Management Policy. I guarantee it. Consider this the beginner's guide to risk management policies (or for any management policy for that matter):
Policy – what is the course, principle action, or commitment adopted by the organization?
Philosophy – what are the attitudes and beliefs that will guide decision making and behaviors?
Objectives – what are the objectives and rationale of the Policy? What does it hope to achieve?
Business Planning – how does risk management link to other business processes and corporate objectives?
Application – how will it be applied? What framework or approach will the organization adopt? (Eg: ISO31000, COSO, internal corporate standards, etc.). To what extent does the Policy apply?
Performance – how will the organization measure achievement of the Policy's objectives (Eg: Internal audit, external audit, insurance premiums, etc.)
Acceptance Criteria – what is the organization's risk attitude or risk tolerance? The Policy should offer guidance on what constitutes acceptable risk.
Documentation – how and when will the risk management activities and processes be documented?
Responsibilities – who is responsible, and what are they responsible for?
This might sound like much information to cover, but I'll go out on a limb and say that all this can fit into a one-page document. Remember, we're not writing a 50-page national healthcare policy, nor are we going to commit the sin of confusing Policy with procedure - Policies and Procedures are two very different beasts. If you want to put both in one document, that's up to you, but I suggest you consider the implications of doing so. If you still wish to train-smash them together, I recommend that you make it clear to the readers which part of the document is the 'why,' and which part is the 'how.'
If you follow my advice, however, you'll end up with a one-page policy document. Any more than that, and you've probably included text which more rightly belongs in procedures, strategies, plans, or the like. To prove it is possible, here is an example of a one-page risk management policy.
The Policy should also guide other questions that impact risk management performance. For example, the following items might not be in the Policy, but it should show how or where these elements are addressed:
Monitoring and Review - what are the requirements for monitoring and reviewing organizational risk management performance?
Resources - What level of support and expertise is available to assist those responsible for managing risks?
While all of the above elements are important in their own right and collectively build interlocking pieces of the Policy, essential elements to an organization will likely be (a) the objectives, (b) responsibilities, and (c) documenting the appetite for risk and approach to risk management within the organization. A good risk management policy also provides a framework for carrying out more detailed risk management programs at the project or divisional level.
Defining organizational objectives is another critical part of the risk management process. In building a high performing organization, members of the organization must have some fundamental information. That includes an understanding of the organization's decision-making processes, the criteria, and the acceptable level of risk.
Having clearly defined risk management objectives is also crucial as they provide the raison d’être for the organization's policy and risk management practices. Without clearly defined goals for an organizational initiative, there is arguably no business case to justify resources for risk management activities. Finally, the risk management policy needs to be incorporated into the organization's broader management system and to be signed off by the Board or Chief Executive Officer.
A few people have asked for copies of the Policy in MS Word format, so I've posted it on the DOWNLOADS page under Templates. You'll also find an example of a risk management procedure at that page as well as here.