Risk Management: Sample Board Risk Policy Document and Risk Policy Table of Content


By Uzma on September 4th, 2010

The debate about what should and shouldn’t go into a Risk Policy has been ongoing for the last two
decades. There are two primary camps: the less is more camp and the laundry list camp. The less is
more camp believes that a risk policy document should be brief, to the point and limited to the
philosophy of risk at the organization. The laundry list camp likes to enumerate all possible risks so that
the mandate of the risk policy is clearly defined without any disputes.

The sample policy and table of contents submitted below come from the less is more camp.

Table of Contents

1 Risk Policy Introduction
1.1 Risk Organizational Structure
1.2 Scope of policy
1.3 Effective date
1.4 Objectives
1.5 Internal review and limit setting
1.6 Documentation
1.7 Independent review
1.8 Risk Reporting
1.9 Implementation

2 Annexure A – Mandates and Responsibilities
2.1 Board of Directors (BD)
2.2 Board Risk Committee (BRC)
2.3 Head of Risk Management Function
2.4 Risk Management Department
2.4.1 Enterprise Risk Management
2.4.2 Market Risk Group
2.4.3 Credit Risk Group
2.4.4 Front Office
2.4.5 Middle Office

Here is the table of contents for a sample risk policy document using the simple and brief approach.

Risk Policy Introduction


By definition and nature of our business we put capital at risk every day.

Here capital is different from the traditional regulatory reporting sense. Within the context of this risk
policy whenever we use capital and risk, we mean that a transaction we execute may lead to the
realization of financial loss (risk) and capital refers to the amount that we have implicitly or explicitly
allocated to support that expected loss or downside. Given the nature of our liability contracts, these
losses can only be offset by retained earnings or by the capital entrusted to us by our shareholders.

The primary objective of this risk policy is to ensure that whenever we go ahead and take reasonable
risks that are required to generate reasonable returns, or whenever we put capital at risk, we do it in
an objective, documented and transparent fashion; that these risks are taken within pre-approved
limits; and that when these limits are breached, the exceptions are reported and addressed at the
appropriate level.

The objective of this policy is not to eliminate risk taking behaviour or capital loss; it is to ensure that
such losses are communicated at the right forum, in a timely fashion and can be traced back to the
original capital allocation decision. A side objective is to put the same losses to good use by allowing us
to learn from our past and improve our overall returns for each unit of risk booked by our businesses.

Risk Organizational Structure


The ultimate responsibility for the risk management function and the implementation of this policy rests
with the Board of Directors. The Board manages this responsibility through the Board Risk Committee.
The Board Risk Committee is updated on a regular basis by the Head of Risk and the Risk Management
group on the risk exposures, trends and benchmarks for each risk type covered within the scope of this
policy.

In addition to the Board, the Head of Risk and the Risk Management group work with the Management
Committee of the Bank on a day-to-day basis to tackle and address issues directly related to the policy,
as well as to improve and refine the policy based on experiences and market conditions.

Collectively this structure is referred to as the risk management function throughout this document.

Updates, changes and revisions to the policy are suggested by the Risk Management group and
approved by the Board Risk Committee.

Detailed responsibilities and mandate for the Board, the Board Risk Committee, the Head of Risk, and
the Risk Management group are described in Annexure A of this document.

Scope of policy
This policy document covers the oversight of Board, Senior Management and the Risk Management
Group over the following primary risk exposures.

• Credit Risk
• Market Risk
• Interest Rate Mismatch
• Liquidity Risk
• Operational Risk
• Concentration Risk

With the approval of the Board and the Senior Management team, additional risk exposures can be
added to this list.

Effective date
The policy will be adopted after its formal approval by the bank’s Board of Directors.

Objectives
The primary objectives for the Risk Management Policy include:

1. Improving the frequency with which risk is identified, measured, monitored, analyzed and
reported to the senior management team and the Board at the bank.
2. Breaking down the above analysis to the individual risk level so that trends and benchmarks are
identified and exceptions can be easily reported and rectified.
3. Defining and documenting risk and capital loss tolerances for each risk type and implementing
processes to ensure that these limits are not breached.
4. When business and operating conditions do lead to limit breaches, implementing processes to
ensure that limit exceptions are tracked, reported and approved at the appropriate authorized
level.
5. Projecting the amount of capital required based on the approved business and strategic plans
and the expected risk exposures so that there are no significant surprises for the senior team or
the Board.

This requires that:

1. All material risks and related exposures that the bank carries as part of its business activities
are identified, measured and reported on a regular basis
2. These exposure levels are compared with limits set by the risk management function
3. Daily reports and regular meetings within the risk management function ensure that risk levels
and risk tolerances are clearly communicated across the organization

The risk identification, measurement, limits management, compliance and reporting process is the
primary framework used to implement these objectives.

Internal review and limit setting


The Board and senior management are responsible for understanding the nature and level of risks being
taken by the Bank, ensuring that appropriate risk management processes are in place to mitigate the
risks, and ensuring that the Bank maintains adequate capital beyond the regulatory minimum to
support such risks.

The Board will review and approve the target level and composition of each risk category, reporting
metrics, supporting capital, and the process for setting and monitoring such targets on an annual basis.
The actual monitoring and review of target levels and utilization trends will occur on a more frequent
basis.

Documentation
The Risk policy should be implemented in a methodical manner and be comprehensively documented
within the processes and procedures of the Bank.

In addition to data collection, analysis and reporting, the risk management process requires that the
steps involved in each process (collection, analysis, monitoring and reporting) are documented and
reviewed to ensure consistency and transparency across each reporting period. It is therefore
recommended that:

1. Process checklists for creating and presenting the risk reports document are prepared and
approved by the appropriate authority at the Bank. The checklists should also document data
requirements and risk models used in the document.
2. The process document itself should contain sufficient details that analysis, numbers and
recommendations can be independently verified during external reviews.
3. A risk review is formally presented to the senior management team and the Board of Directors
on a quarterly basis in sessions devoted specifically to the risk review agenda.
4. The discussion and recommendations from these dedicated sessions are minuted, approved and
followed up in subsequent risk committee meetings.

Independent review
The risk management function should be subject to regular and independent review through an internal
or external audit process. At a minimum, the Bank shall conduct periodic independent review of its risk
management processes, ensuring:

1. The integrity, accuracy, and reasonableness of the processes;
2. The appropriateness of the bank’s identification and assessment process based on the nature,
scope, scale and complexity of the bank’s activities;
3. The timely identification of any previously un-categorized risk;
4. The accuracy and completeness of any data inputs into the bank’s risk management process;
5. The reasonableness and validity of any assumptions and scenarios used in the risk management
process;
6. The accuracy, stability and back testing of any pricing, valuation and risk models used within
the risk management function.

Risk Reporting
Depending on the nature and type of exposure and the volatility in the underlying risk factor, risk
reports for a given risk category may be generated on a daily, weekly, monthly or quarterly basis. As a
standard, a risk report for a risk category must:

1. Capture all risks and positions associated with all trades, assets, and origination deals.
2. Ensure that corporate and business units use similar measures and methodologies.
3. Facilitate the monitoring, understanding and risk decision making process.
4. Reports must be archived in electronic form in an indexed central location with access to all
authorized users.
5. For market risk exposures reports must include MTM’s, VaR, limit utilization, carrying costs,
realized and unrealized P&L by product, book, sector and tenor on a daily basis.
6. Any daily risk report should be initiated as soon as possible after market close.
7. In addition to looking at daily numbers, reports must graph trends, baselines and directions.

Implementation
By design the risk policy documents and outlines objectives, structure, roles and responsibilities for the
risk management function. Specific implementation details such as processes, calculations, models and
report formats are documented separately within the risk framework and process manuals.
