My insurer has asked if we have a risk management policy – where do we start?
Does this sound familiar? Or maybe you have one and it is that time of the year to review it again. Or perhaps the health and economic crisis flowing from COVID-19 has you looking at the risk policy again and wondering if you could have been better prepared?
Whatever the case, it does beg to answer the question of what should go in the risk policy?
The scale, complexity and risk basis of every organisation is different, and so there is no “one size fits all” answer to what to include in a risk policy but there are common elements that apply across most organisations.
Risk Management Policy Content
From our experience, we suggest that you consider including, as appropriate, each of the following sections within a risk policy:
- Purpose and Scope – this is a good place to start from, defining what you aim to achieve (the purpose) and what parts of the organisation it applies to (the scope).
- An introduction that addresses the context and perhaps any definitions that relate to the policy.
- Roles and responsibilities – this might include as relevant the roles and responsibilities of the Board, any Board committee relating to risk, CEO and other management/staff.
- Policy statement – this should include a number of overarching statements relating to your commitment to having a risk framework, addressing risks within the organisation, responsibilities for risk, the aims of your risk management program, and principles that apply.
- External references – for example, you might have a risk management framework or risk management procedure that goes to more detail on how you will identify, analyse, mitigate, communicate and monitor the risks. Your business continuity plan is another document to reference. In some instances, the risk procedure may be part of the risk policy but in other organisations it will be a separate document.
- Risk appetite – if not written in to the policy, then a reference to this elsewhere. This helps to calibrate different categories of risk: e.g. financial, safety, environment, customer satisfaction and public reputation. As part of the risk appetite, you should define the risks that you are able to manage and those you want to avoid.
- External contextual elements as appropriate – where there are external bodies or accreditations relevant to your organisation, they may have particular requirements which demand specific attention within your risk policy, for example:
- NDIS: meeting requirements of the NDIS Practice Standards
- Aged Care: meeting requirements of the Aged Care Quality Standards
- Insurers: will often have specific conditions relating to risk management. E.g. IT practices needed to comply with cyber insurance policy.
- Version number, date, who approved it and when the policy is next due to be reviewed.
A risk policy is one of the central governance documents that your organisation has. It’s important to review and consider it carefully, as well as the other documents that relate to your risk framework. Ultimately, however, the policy needs to live out through your people, and great organisations use the risk policy to set the tone for the risk culture, and define what risks at what level are tolerable and what risks are unacceptable.