Risk Management Framework – Risk Policy

4 mins read

A policy document identifies roles, responsibilities and occasionally the outline of a process to review, set and evaluate limits. It is the source document that drives the behavior of the other seven components of a risk management framework and is generally approved by the Board of Directors and is implemented by a lower layer responsible for execution.

By definition and nature of our businesses, we put capital at risk every day.

Here capital is different from the conventional regulatory reporting sense. Within the context of risk policy capital means that a transaction we execute may lead to the realization of financial loss. Given the nature of our positions and our business, this loss can only be offset by retained earnings or by the capital entrusted to us by our shareholders.

The primary objective of this risk policy is to ensure that while we go ahead and take reasonable risks that are required to generate reasonable returns, whenever we put capital at risk we do it in an objective, documented and transparent fashion. That these risks are taken within pre-approved limits and when these limits are breached, the exceptions are reported and addressed. The objective of risk policy is not to eliminate capital loss, it is to ensure that such losses are put to good use by allowing us to learn from earlier mistakes and improve the chances of avoiding them in the future.

How a risk policy is put together is a question that leads to enormous contention between advisors, consultants and clients.

As an inanimate object one would think that a risk policy document would not lead to such intense, passionate discussion at the drafting stage. A policy document is just a policy document, where are these extreme reactions coming from?

Apparently there are two schools of thought when it comes to crafting policy. The less is more school of thought believes that a policy document should be philosophical in nature and rather than describing all risks in great detail, it should focus more on how risk would be handled and treated at a (you guessed it) at a policy level. For this school a policy document focuses more on the logistics of approvals, exceptions and mandates rather than actual limits or categorization of risk. The risk identification, limit setting, evaluation and reporting component is left to the supporting process document that accompanies the policy everywhere.

In their defense the less is more school believes that Boards do not have sufficient time to do justice to risk policy. An involved, multi chapter risk policy document would only get a superficial review at the Board level and would most likely get stamped for approval on account of the shortage of time and the competition for attention within the number of items on Board’s agendas’ these days. So it is better to keep the policy short, sweet and relevant and shift the details to the process document that may or may not require direct approval from the Board. As long as the process document is in alignment with the policy, the Board has discharged its primary obligation by reviewing and approving the policy document without creating un-necessary delays in the approval process. There after the Board can be pulled in and involved on an as needed basis on risk issues without spending too much time on the approval of minor or process oriented changed to the policy or process documents.

On the other side is the descriptive and prescriptive school of policy thought. Under this approach the policy document is a far more comprehensive write up that not just includes the types and categories of risks addressed but also suggested and proposed limits. These policies include everything the less and more school suggests and then some.

Both schools have their place in a risk group. Which one is right depends on how involved your Board is in the risk management process, the frequency with which it meets, its composition, its accessibility and the amount of time it can honestly devote to risk items on its agenda. Where a Board’s risk review group includes members whose availability and time is limited, where risk committee meetings are held once every quarter and where even ordinary risk items often get covered over multiple Board meetings, the less is more school is a better bet. Where Board’s are more actively involved and Board members are easily accessible and where risk agenda items are covered in the same meeting, the second school may be more appropriate.

In the end what really matters is that both the process and policy documents support the reality that unfortunately exist regarding demands on Board of Directors time, at least here in this region. In the absence of SOX like regulation in large parts of Middle East and Asia Pacific it means that your policy documents shouldn’t turn the Board of Directors meeting into a recurring bottle neck when it comes to implementing risk policy.

This course is based on the material presented in earlier editions of Pakistan Risk Review, the soon to be releasedUnderstanding Commodity Risk text book and the work done by Alchemy Technologies in the region in the area of financial risk management and Basel II reporting for the banking industry in Pakistan and the Middle East. It presents an extension of well accepted risk models in the financial services space to the risk management needs of the oil, gas and petrochemical industry in the region.