I've seen policy documents that were 50 pages long, which is crazy because nobody reads them. They often end up including procedures, details from other activities, and telephone numbers of people to contact. Who has time to update a policy every time the contact person changes?
Policy documents should be succinct.
"A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol."
My view aligns with this. A policy doesn't include procedures. Procedures are separate documents which are designed to implement or operationalize policy. I've written previously on the contents of a good procedure and posted some downloadable templates.
When you distill it to basics, a policy can be as short as one page. And that a one-page policy is far more likely to be read, comprehended, and applied than a multi-page document. The necessary basics are not that complicated. For example, the following headings can cover the requirements of the Wikipedia definition:
In practice, it might look like the following.
Juliantalbot.com Risk Management Policy
We are committed to a systematic and comprehensive approach to the effective management of potential opportunities and adverse effects by achieving best practice in risk management.
JulianTalbot.com embraces intelligent risk-taking and recognizes that risks can have both positive and negative consequences.
Risk management helps us achieve our objectives, operate effectively and efficiently, protect our people and assets, make informed decisions, and comply with applicable laws and regulations.
Risk Management will be fully integrated with corporate processes at all levels to ensure it is considered in the normal course of business activities.
A formal Risk Management Strategy will be developed each year, which directly and demonstrably supports corporate objectives. It will be implemented with the sustained involvement of all levels of the organization via adequately resourced plans with measurable timelines and objectives. Our systems are aligned with ISO31000:2009 Risk Management Standard and supported by an ongoing program of education and training.
The success of our risk management will be measured by its impact on our corporate objectives, by audits, annual risk management review, the ongoing collection of risk data and the evaluation of risk models.
High, Extreme, and/or Strategic risks are controlled through senior management action with documented treatment strategies assigned. Medium risks are assigned specific management responsibility, while Low risks are managed through routine procedures.
Each stage of the risk management process is appropriately documented, particularly decisions and risk treatments. Individual projects and groups maintain risk registers, while enterprise risks are recorded in the strategic risk database.
Risk management is a core business skill and an integral part of day-to-day activity. As individuals, we all play our part in managing risk, and staff at all levels are responsible for understanding and implementing risk management systems in their workplace.
Managers and leaders at all levels are responsible for applying agreed risk management policy, guidelines, and strategies in their area of responsibility and are expected to ensure risk management is fully integrated with and considered in the normal course of activities at all levels. Visible commitment requires active participation in risk management processes, effective resource allocation, and making ‘risk’ the first agenda item at all meetings.
Divisional Managers are responsible for reporting the progress of risks and treatment plans to the Risk Management Steering Committee every month, reporting strategic or Extreme risks in a timely fashion, driving the implementation of the Risk Management Framework, and ensuring that managers are equipped with the necessary skills, guidance, and tools
The Chief Risk Officer (CRO) is responsible for development, coordination, and promulgation of the Risk Management Framework. This includes developing training programs and implementing management systems that are capable of identifying, monitoring, and reporting documented, new or emerging risks. The CRO is also responsible for the review of the Risk Management process, monitoring and reporting key strategic risks.
The CEO is responsible for managing risk across the organization.
Download The Customizable Risk Management Policy Template In MS Word Format