Risk Management: Sample Board Risk Policy Document and Risk Policy Table of Content
The debate about what should and shouldn’t go into a Risk Policy has been ongoing for the last two
decades. There are two primary camps: the less is more camp and the laundry list camp. The less is
more camp believes that a risk policy document should be brief, to the point and limited to the
philosophy of risk at the organization. The laundry list camp likes to enumerate all possible risks so that
the mandate of the risk policy is clearly defined without any disputes.
The sample policy and table of contents submitted below come from the less is more camp.
Table of Contents
1.2 Scope of policy
1.3 Effective date
1.4 Objectives
1.6 Documentation
1.7 Independent review
1.8 Risk Reporting
1.9 Implementation
2.4.4 Front Office
2.4.5 Middle Office
Here is the table of contents for a sample risk policy document using the simple and brief approach.
Here capital is used in a sense different from the traditional regulatory reporting one. Within the
context of this risk policy, whenever we use the terms capital and risk, risk means that a transaction
we execute may lead to the realization of financial loss, and capital refers to the amount that we have
implicitly or explicitly allocated to support that expected loss or downside. Given the nature of our
liability contracts, these losses can only be offset by retained earnings or by the capital entrusted to
us by our shareholders.
The primary objective of this risk policy is to ensure that whenever we take the reasonable risks
required to generate reasonable returns, or whenever we put capital at risk, we do so in an
objective, documented and transparent fashion; that these risks are taken within pre-approved
limits; and that when these limits are breached, the exceptions are reported and addressed at the
appropriate level.
The objective of this policy is not to eliminate risk taking behaviour or capital loss; it is to ensure that
such losses are communicated at the right forum, in a timely fashion and can be traced back to the
original capital allocation decision. A side objective is to put the same losses to good use by allowing us
to learn from our past and improve our overall returns for each unit of risk booked by our businesses.
In addition to the Board, the Head of Risk and the Risk Management group work with the Management
Committee of the Bank on a day-to-day basis to address issues directly related to the policy
and to improve and refine the policy based on experience and market conditions.
Collectively this structure is referred to as the risk management function throughout this document.
Updates, changes and revisions to the policy are suggested by the Risk Management group and
approved by the Board Risk Committee.
Detailed responsibilities and mandate for the Board, the Board Risk Committee, the Head of Risk, and
the Risk Management group are described in Annexure A of this document.
Scope of policy
This policy document covers the oversight of the Board, Senior Management and the Risk Management
Group over the following primary risk exposures.
Credit Risk
Market Risk
Interest Rate Mismatch
Liquidity Risk
Operational Risk
Concentration Risk
With the approval of the Board and the Senior Management team, additional risk exposures can be
added to this list.
Effective date
The policy will be adopted after its formal approval by the bank’s Board of Directors.
Objectives
The primary objectives for the Risk Management Policy include:
1. Improving the frequency with which risk is identified, measured, monitored, analyzed and
reported to the senior management team and the Board at the bank.
2. Breaking down the above analysis to the individual risk level so that trends and benchmarks are
identified and exceptions can be easily reported and rectified
3. Defining and documenting risk and capital loss tolerances for each risk type and implementing
processes to ensure that these limits are not breached.
4. When business and operating conditions do lead to limit breaches, implementing processes to
ensure that limit exceptions are tracked, reported and approved at the appropriate authorized
level.
5. Projecting the amount of capital required based on the approved business and strategic plans
and the expected risk exposures so that there are no significant surprises for the senior team or
the Board.
1. All material risks and related exposures that the bank carries as part of its business activities
are identified, measured and reported on a regular basis
2. These exposure levels are compared with limits set by the risk management function
3. Daily reports and regular meetings within the risk management function ensure that risk levels
and risk tolerances are clearly communicated across the organization
The risk identification, measurement, limits management, compliance and reporting process is the
primary framework used to implement these objectives.
The Board will review and approve the target level and composition of each risk category, reporting
metrics, supporting capital, and the process for setting and monitoring such targets on an annual basis.
The actual monitoring and review of target levels and utilization trends will occur on a more frequent
basis.
Documentation
The Risk policy should be implemented in a methodical manner and be comprehensively documented
within the processes and procedures of the Bank.
In addition to data collection, analysis and reporting, the risk management process requires that the
steps involved in each process (collection, analysis, monitoring and reporting) are documented and
reviewed to ensure consistency and transparency across each reporting period. It is therefore
recommended that:
1. Process checklists for creating and presenting the risk reports document are prepared and
approved by the appropriate authority at the Bank. The checklists should also document data
requirements and risk models used in the document.
2. The process document itself should contain sufficient details that analysis, numbers and
recommendations can be independently verified during external reviews.
3. A risk review is formally presented to the senior management team and the Board of Directors
on a quarterly basis in sessions devoted specifically to the risk review agenda.
4. The discussion and recommendations from these dedicated sessions are minuted, approved and
followed up in subsequent risk committee meetings.
Independent review
The risk management function should be subject to regular and independent review through an internal
or external audit process. At a minimum, the Bank shall conduct periodic independent review of its risk
management processes, ensuring:
Risk Reporting
Depending on the nature and type of exposure and the volatility in the underlying risk factor, risk
reports for a given risk category may be generated on a daily, weekly, monthly or quarterly basis. As a
standard, a risk report for a risk category must:
1. Capture all risks and positions associated with all trades, assets, and origination deals.
2. Ensure that corporate and business units use similar measures and methodologies.
3. Facilitate the monitoring, understanding and risk decision making process.
4. Reports must be archived in electronic form in an indexed central location with access to all
authorized users.
5. For market risk exposures, reports must include MTMs, VaR, limit utilization, carrying costs,
realized and unrealized P&L by product, book, sector and tenor on a daily basis.
6. Any daily risk report should be initiated as soon as possible after market close.
7. In addition to looking at daily numbers, reports must graph trends, baselines and directions.
Implementation
By design, the risk policy documents and outlines the objectives, structure, roles and responsibilities
for the risk management function. Specific implementation details such as processes, calculations,
models and report formats are documented separately within the risk framework and process manuals.