“You never said that you wanted me to do that” is an answer that managers often get when they point out a shortfall in performance. And in many cases it is actually true. As a rule, some of us tend to avoid too much writing things down. And that is also true when it comes to risk management
That is where ERM policies come in. The ERM policy is a written agreement between various managers in a company and the board documenting expectations regarding risk management.
But too many people mistake a detailed procedure manual for a policy statement. Often a policy statement can be just a page or two.
For Risk Management there are several places where firms tend to “write it down”:
- ERM Policy – documents that the firm is committed to an enterprise wide risk management system and that there are broad roles for the board and for management. This policy is usually approved by the board. The ERM Policy should be reviewed annually, but may not be changed but every three to five years.
- ERM Framework – this is a working document that lists many of the details of how the company plans to “do” ERM. When an ERM program is new, this document many list many new things that are being done. Once a program is well established, it will need no more or no less documentation than other company activities. RISKVIEWS usually recommends that the ERM Framework would include a short section relating to each of the risk management practices that make up a Risk Management System.
- Risk Appetite & Tolerance Statement – may be separate from the above to highlight its importance and the fact that it is likely to be more variable than the Policy statement, but not as detailed as the Framework.
- Separate Risk Policies for major risk categories – almost all insurers have an investment policy. Most insurers should consider writing policies for insurance risk. Some firms decide to write operational risk policies as well. Very few have strategic risk policies.
- Policies for Hedging, Insurance and/or Reinsurance – the most powerful risk management tools need to have clear uses as well as clear lines of decision-making and authority.
- Charter for Risk Committees – Some firms have three or more risk committees. On is a board committee, one is at the executive level and the third is for more operational level people with some risk management responsibilities. It is common at some firms for board committees to have charters. Less so for committees of company employees. These can be included in the ERM Framework, rather than as separate documents.
- Job Description for the CRO – Without a clear job description many CROs have found that they become the scapegoat for whatever goes wrong, regardless of their actual authority and responsibilities before hand.
With written policies in place, the board can hold management accountable. The CEO can hold the CRO responsible and the CRO is able to expect that may hands around the company are all sharing the risk management responsibilities.
More on ERM Policies on WillisWire.