Enterprise risk management (ERM) policy is the second key lever that boards should consider adopting in their risk management oversight. I covered risk governance in last week’s post and will cover the third lever – assurance – next week.
While risk governance provides the organization for risk management and oversight, the board needs an instrument for communicating its expectations and requirements. Board-approved risk policies represent a critical tool in this regard. As shown in the table, management’s responsibility is to develop and execute risk management policies. The board’s role is to approve the policies and monitor ongoing compliance and exceptions. Common issues related to risk policies include:
- Absence of explicit limits or tolerance levels for key risks.
- Lack of standards across different policies for various risks including enterprise risk, credit risk, market risk and operational risk.
- Insufficient reporting and monitoring of policy exceptions and resolutions.
- Key policy components missing or obscured by detailed procedures.
To establish effective risk policies and address the above issues, the board should communicate its expectations and standards with respect to risk policy structure and content. For example, an ERM policy may include the following components:
- Executive summary: a concise description of the purpose, scope, and objectives for ERM. It may also provide a high-level summary of the key risk limits and risk-tolerance levels.
- Statement of risk philosophy: the overall approach to risk management. It should also include guiding risk principles that articulate the desired risk culture of the organization.
- Governance structure: a summary of board committees and charters, management committees and charters, and roles and responsibilities. The delegation of authority, including risk management and oversight responsibilities for key individuals, should also be documented here.
- Risk-tolerance levels: a statement of risk appetite, including specific limits or tolerance levels for critical risk exposures, and exception management and reporting requirements.
- Risk framework and processes: a summary of the ERM framework, as well as key processes and specific requirements for overall risk management.
- Risk policy standards: itemized standards for all other risk policies, so that the structure and content of risk policies are consistent across the organization.
- Risk categories and definitions: a taxonomy of commonly used risk terms and concepts, providing a common language for risk discussions.
While its role is to approve and monitor risk policies, the board should actively discuss (if not debate) the risk limits or risk-tolerance levels that are appropriate for the organization, including the risk/return trade-offs at various risk appetite levels.
The linkage between risk management and compensation policies should also be a top board issue. As one board member remarked, “People don’t do what you tell them to do; they do what you pay them to do.” As such, the board should ensure that risk management performance is considered in a meaningful way (for example, a 20 percent weighting or more) in executive management performance evaluations and incentives. The criteria may be specific risk management goals or an ERM scorecard that includes various quantitative and qualitative indicators. By incorporating ERM into executive management incentives, the board can have a far-reaching impact not only on management actions, but also on the incentives and actions of all employees.
The next and final post in this series will cover assurance processes. We’ll talk about performance metrics and transparency – a topic that is often talked about but rarely addressed in practice today. For now, please talk with me about this question: With the recent changes in regulatory reporting requirements, do you think there is a greater need for the board to adopt and document risk policy?
*Originally published by The RMA Journal in April 2010. Copyright 2010 by The Risk Management Association (“RMA”). Edited for length and republished here by permission.
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe and Asia/Pacific.