The debate about what should and shouldn’t go into a Risk Policy has been ongoing for the last two decades. There are two primary camps: the less-is-more camp and the laundry-list camp. The less-is-more camp believes that a risk policy document should be brief, to the point and limited to the philosophy of risk at the organization. The laundry-list camp likes to enumerate all possible risks so that the mandate of the risk policy is clearly defined without any disputes.
The sample policy and table of contents submitted below come from the less-is-more camp.
Table of Contents
Risk Policy Introduction
1.1 Risk Organizational Structure
1.2 Scope of policy
1.3 Effective date
1.5 Internal review and limit setting
1.7 Independent review
1.8 Risk Reporting
2. Annexure A – Mandates and Responsibilities
2.1 Board of Directors (BD)
2.2 Board Risk Committee (BRC)
2.3 Head of Risk Management Function
2.4 Risk Management Department
2.4.1 Enterprise Risk Management
2.4.2 Market Risk Group
2.4.3 Credit Risk Group
2.4.4 Front Office
2.4.5 Middle Office
Here is the table of contents for a sample risk policy document using the simple and brief approach.
Risk Policy Introduction
By definition and nature of our business we put capital at risk every day.
Here capital is different from the traditional regulatory reporting sense. Within the context of this risk policy, risk means that a transaction we execute may lead to the realization of financial loss, and capital refers to the amount that we have implicitly or explicitly allocated to support that expected loss or downside. Given the nature of our liability contracts, these losses can only be offset by retained earnings or by the capital entrusted to us by our shareholders.
The primary objective of this risk policy is to ensure that whenever we take reasonable risks that are required to generate reasonable returns, or whenever we put capital at risk, we do it in an objective, documented and transparent fashion; that these risks are taken within pre-approved limits; and that when these limits are breached, the exceptions are reported and addressed at the appropriate level.
The objective of this policy is not to eliminate risk taking behaviour or capital loss; it is to ensure that such losses are communicated at the right forum, in a timely fashion and can be traced back to the original capital allocation decision. A side objective is to put the same losses to good use by allowing us to learn from our past and improve our overall returns for each unit of risk booked by our businesses.
Risk Organizational Structure
The ultimate responsibility for the risk management function and the implementation of this policy rests with the Board of Directors. The Board manages this responsibility through the Board Risk Committee. The Board Risk Committee is updated on a regular basis by the Head of Risk and the Risk Management group on the risk exposures, trends and benchmarks for each risk type covered within the scope of this policy.
In addition to the Board, the Head of Risk and the Risk Management group work with the Management Committee of the Bank on a day-to-day basis to tackle and address issues directly related to the policy, as well as to improve and refine the policy based on experience and market conditions.
Collectively this structure is referred to as the risk management function throughout this document.
Updates, changes and revisions to the policy are suggested by the Risk Management group and approved by the Board Risk Committee.
Detailed responsibilities and mandate for the Board, the Board Risk Committee, the Head of Risk, and the Risk Management group are described in Annexure A of this document.
Scope of policy
This policy document covers the oversight of Board, Senior Management and the Risk Management Group over the following primary risk exposures.
- Credit Risk
- Market Risk
- Interest Rate Mismatch
- Liquidity Risk
- Operational Risk
- Concentration Risk
With the approval of the Board and the Senior Management team, additional risk exposures can be added to this list.
The policy will be adopted after its formal approval by the bank’s Board of Directors.
The primary objectives for the Risk Management Policy include:
- Improving the frequency with which risk is identified, measured, monitored, analyzed and reported to the senior management team and the Board at the bank.
- Breaking down the above analysis to the individual risk level so that trends and benchmarks are identified and exceptions can be easily reported and rectified.
- Defining and documenting risk and capital loss tolerances for each risk type and implementing processes to ensure that these limits are not breached.
- When business and operating conditions do lead to limit breaches, implementing processes to ensure that limit exceptions are tracked, reported and approved at the appropriate authorized level.
- Projecting the amount of capital required based on the approved business and strategic plans and the expected risk exposures so that there are no significant surprises for the senior team or the Board.
This requires that:
- All material risks and related exposures that the bank carries as part of its business activities are identified, measured and reported on a regular basis
- These exposure levels are compared with limits set by the risk management function
- Daily reports and regular meetings within the risk management function ensure that risk levels and risk tolerances are clearly communicated across the organization
The risk identification, measurement, limits management, compliance and reporting process is the primary framework used to implement these objectives.
Internal review and limit setting
The Board and senior management are responsible for understanding the nature and level of risks being taken by the Bank, ensuring that appropriate risk management processes are in place to mitigate the risks, and ensuring that the Bank maintains adequate capital beyond the regulatory minimum to support such risks.
The Board will review and approve the target level and composition of each risk category, reporting metrics, supporting capital, and the process for setting and monitoring such targets on an annual basis. The actual monitoring and review of target levels and utilization trends will occur on a more frequent basis.
The Risk policy should be implemented in a methodical manner and be comprehensively documented within the processes and procedures of the Bank.
In addition to data collection, analysis and reporting, the risk management process requires that the steps involved in each process (collection, analysis, monitoring and reporting) are documented and reviewed to ensure consistency and transparency across each reporting period. It is therefore recommended that:
- Process checklists for creating and presenting the risk reports document are prepared and approved by the appropriate authority at the Bank. The checklists should also document data requirements and risk models used in the document.
- The process document itself should contain sufficient details that analysis, numbers and recommendations can be independently verified during external reviews.
- A risk review is formally presented to the senior management team and the Board of Directors on a quarterly basis in sessions devoted specifically to the risk review agenda.
- The discussion and recommendations from these dedicated sessions are minuted, approved and followed up in subsequent risk committee meetings.
The risk management function should be subject to regular and independent review through an internal or external audit process. At a minimum, the Bank shall conduct periodic independent review of its risk management processes, ensuring:
- The integrity, accuracy, and reasonableness of the processes;
- The appropriateness of the bank’s identification and assessment process based on the nature, scope, scale and complexity of the bank’s activities;
- The timely identification of any previously uncategorized risk;
- The accuracy and completeness of any data inputs into the bank’s risk management process;
- The reasonableness and validity of any assumptions and scenarios used in the risk management process;
- The accuracy, stability and back testing of any pricing, valuation and risk models used within the risk management function.
Depending on the nature and type of exposure and the volatility in the underlying risk factor, risk reports for a given risk category may be generated on a daily, weekly, monthly or quarterly basis. As a standard, a risk report for a risk category must:
- Capture all risks and positions associated with all trades, assets, and origination deals.
- Ensure that corporate and business units use similar measures and methodologies.
- Facilitate the monitoring, understanding and risk decision making process.
- Reports must be archived in electronic form in an indexed central location with access to all authorized users.
- For market risk exposures, reports must include MTMs, VaR, limit utilization, carrying costs, realized and unrealized P&L by product, book, sector and tenor on a daily basis.
- Any daily risk report should be initiated as soon as possible after market close.
- In addition to looking at daily numbers, reports must graph trends, baselines and directions.
By design, the risk policy documents and outlines objectives, structure, roles and responsibilities for the risk management function. Specific implementation details such as processes, calculations, models and report formats are documented separately within the risk framework and process manuals.