Join me to make the best risk management policy on the planet!
If you dare!
Back in 2016 I created a risk management policy template (two actually, long and short), which since then have been donwloaded more than 1700 times. So, when I suddenly, found myself needing a risk management policy, I took my template and started working. I read it. But it just didn’t feel right. Yes, risk management policy is pure RM1, but I still felt the focus on risk-based decision making wasn’t strong enough.
So… I rewrote the risk management policy trying to make it better. I am still not 100% happy and need your help.
First, here are the ground rules:
- risk management policy is pure RM1, stakeholers need it more than employees
- in the template below I consiously made a choice to kill two bids with one stone, I made the policy longer than normal and I incorporated risk management framework document by making it shorter than normal, so this is now a blend policy + framework in one
- if by now you think risk management policy is not RM1 or that policy and framework must be kept as separate documents, you are too stupid to be in risk management and you probably shouldn’t continue reading this article or commenting, I wouldn’t care about your feedback anyway
If you passed the first test, click on the image or link below and you can read it, leave comments inside the actual document and make changes right in the document:
VIEW AND EDIT: https://drive.google.com/file/d/1xQ17pg6krpbCX3DcHjGCBl_x65jc_6ci/view?usp=sharing
Collaboation will save the world!
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
I think it all depends on the context and organizational methods (eg: existing management systems). Policies and Procedures fit within the overall framework in my view. So for example, you might have a RM framework which then has policies on Risk, Treasury risk, WHS/OSH, Security, etc.
Personally, I prefer a one-page policy document. It means that it’s succinct but one other benefit is that if you need to change something, it’s clear to everyone which part of the management system was changed. (Ie. The Policy or the framework).
At this link you can find an example of a one-page policy document. http://31000risk.blogspot.com/2011/04/writing-risk-management-policy.html
At this link you can find an example of a Framework which incorporates Policy, Procedures, etc as separate items. https://www.srmam.com/download-images?pgid=k09sibed-d0b87423-a212-4354-a12e-ef91f90da91f I tend to see Policies as subordinate to the Framework, Procedures subordinate to Policies, and so forth as per the graphic at that link
For what it’s worth, here is an example of a Procedure that I like: https://www.juliantalbot.com/post/risk-management-procedure
I’ll go through the document and come back with specific comments. Overall it looks great but my main comment would be to separate the Policy from Procedure. Policies are set by the Board or CEO. Procedures change more often and are usually (at least in large organizations) written by junior managers, then signed off by senior managers (senior but subordinate to the CEO) in support of the Policy set by the Board.
The other reason I like to separate them is that a Policy often applies across the total enterprise. Separate divisions within the enterprise may have their own procedure templates and one of the important elements of any management system is that the documents should use the same template, same structure, same look and feel so that we don’t introduce systemic human error if people miss a key section because it isn’t where they expected to find it. It also makes it much harder to apply, train, and audit the framework and procedures, policies, etc if they don’t have the same structure across (so far as possible) all elements of the enterprise. Say for example, I want to do an Enterprise Risk Assessment across a business. The CFO office, the Treasury Management function, Human Resources, and Operations will all have different needs. If they at least all use the same management system structure, then they can all apply one single RM policy albeit with different procedures and different Work Instructions. All of their documents should fit within the Framework and comply with the Policy. But after that they will be different.
In a small business, putting the Policy, Procedure, and Framework together in a single document can make sense. In a big organization, not so much. Different accountabilities and authors for starters will make that problematic.
Alex, I love this effort, very well done indeed. My initial thought was however going into another direction, the best risk policy is having no risk policy at all, if there must be one (for regulatory and governance reasons?) merely a reference to the strategy documents. That way, all aspects of risks are already considered and embedded in the strategy, our ultimate goal to make risk-informed decisions right upfront at the point of decision-making?
In fact, I tried that when rewriting an institution’s fundamental risk policy. It was however too advanced of a concept to get support and approval from the board of directors at the time.
I like your approach