An organisation’s risk management policy should be a high-level document which outlines the organisation’s approach to risk management and sets the risk management program firmly within the management structures of the organisation. According to section 4.3.2 of ISO 31000:2009, the risk management policy should contain:
• the organisation’s rationale for managing risk;
• links between the organisation’s objectives and policies and the risk management policy;
• accountabilities and responsibilities for managing risk;
• the way in which conflicting interests are dealt with;
• commitment to make the necessary resources available to assist those accountable and responsible for managing risk;
• the way in which risk management performance will be measured and reported; and
• commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances.
In short, the risk management policy provides a guide for managing risk within the organisation and it is closely aligned with the overall management of the organisation.
Key issues that the risk management policy should address include:
• the purpose of the risk management program and its aims—objectives, philosophy, culture and structure of the organisation should be clearly reflected in, and totally supported by, the risk management program
• ensuring the risk management program is embedded within the organisation’s management systems
• the scope and parameters of the risk management program—that is, which risk exposures will be managed within which parts of the organisation
• the organisation’s tolerance or appetite for exposure to risks
• ensuring clearly designated responsibility, accountability and authority for specific areas of the risk management program and the overall risk management program is established from the outset—this includes performance measurements and reporting processes and accountabilities
• resources required to implement and maintain the risk management program—this includes the people, skills, information systems and financial resources required
• clear documentation and communication of the risk management process and overall program (including the risk management policy) to all stakeholders
• regular monitoring and review of the implementation and maintenance of risk management initiatives.
Implementing risk management is a difficult task. For it to succeed, it is critical that a well-drafted policy is produced and that the implementation has the support, commitment and sponsorship of senior management.
When the risk management policy has been crafted, it should be communicated to all stakeholders to ensure they are all working from the same ‘game plan’.
Developing a Risk Management Policy