Risk Management Policies Scope, Content and How Many To Have
Is there a difference between “policy” and “guideline”? Whilst “policy” and “guideline” can be readily defined, context is equally as important. Mr. Ramesh Pillai (Chairman of Board of Governor, Institute of Enterprise Risk Practitioners) cited an example whereby, in the case of guidelines issued by a Regulator, these are often really intended as “policy” statements or documents and should be treated accordingly. Hence, regardless of how many or how frequently such guidelines are issued, or how inconsequential they appear to be, they should be carefully noted because as far as businesses are concerned, Regulators are the ultimate authority and Must Be Obeyed.
One guide to rule them all…
How many policies should firms have, and what should their scope and content be? This was the focus of the Institute’s monthly Tea Talk held on 20th September 2019. Increasingly, a number of practices and policies are being linked to the Malaysian Code of Corporate Governance (MCCG) which Boards are obliged to comply with within a specific timeframe. While the MCCG guidance may look like a hard act to follow, it does state the recommended practices which will help businesses comply with the kind of governance that is expected of them – thereby making the process of compliance and adherence a lot less onerous.
As the Board has onerous tasks, any help should be welcome when it’s a matter of ensuring appropriate and proper governance, oversight and control over a corporation. Setting the firm’s risk appetite, risk management and internal control policies are all the responsibility of the Board. While processes, procedures and frameworks may be developed and implemented by management, the Board has oversight and ultimate responsibility for everything, and is therefore required to set appropriate policies that direct these activities in a manner that benefits all internal and external stakeholders.
It’s an extensive, serious job which requires putting appropriate risk practices, risk controls and internal controls in place – supported by effective 2nd and 3rd line of defence functions to provide the assurances to the Board to support them in the discharge of their fiduciary responsibilities and oversight functions. Although the “Buck stops with the Board,” everyone has responsibility for ensuring that the firm operates in the way it is supposed to; this is the main reason firms should have appropriate written policies and oversight processes, practices and governance in relation to risk, audit, and compliance functions that covers all eventualities and which comply with best practice guidance.
Crystal ball or lifesaver?
Policy is simultaneously a set of “what to do” instructions when issues arise, and a fallback position which allows its users to access the corporate safety net: if you’ve been faithfully following company policy, then you’re protected. The basic premise of policy is to encode an acknowledged way of doing things within an organisation. It is based on processes, procedures and other input that have been found to be workable, and can thus be safely applied to further the interests of the organisation in a structured, acceptable way without infringing laws.
Policies need to be drafted with a forward looking mentality or they may end up being restrictive when it comes to dealing with issues that arise in a dynamic environment. “Design appropriate policies, systems and processes that are relevant to your organisation,” Ramesh advised.
“Policy should be structured in a way that is relevant to each level of management. It needs to be understood organisation-wide, practical and easy to comply with.”
“It is also necessary to ensure that lower-level policies are consistent with or aligned to higher level and supported by appropriate procedures. Policies should be drafted in such a way as to cover all eventualities and provisions should be made to cover potential shortfalls or flaws”, he added. But what happens when policy doesn’t work despite all these provisions? “Urgently discuss the situation with management and consider calling the Board Risk Chairman to canvass his views,” suggested Ramesh.
What Policy looks like
Ramesh remarked that policy papers constitute high level statement of intent and, as such, should be succinct. He added that his rule of thumb was that they should be no more than six pages long, as anything more would probably mean that the Board was being asked to review not just the policy itself but the processes, procedures, frameworks and operations that support it – which would be poor and unnecessary use of the Board’s time. “Besides, if the Board approves a policy paper with all these details, it is in effect approving everything,” he pointed out. “Imagine if, after approval is obtained, a process or procedure needed to be changed to accommodate an event – it would necessitate another Board meeting for this to happen, and that just wouldn’t be practical.”
People need to understand what policy is, he stated, and policies are meant to guide, not shackle. “Policy is really a statement of intent at the highest level,” he stressed. Procedures, processes, frameworks and guidelines support policy because they actually define the control environment, i.e., the limits or boundaries of what should be done, what can be done, and how to do it. The document used to convey all this is the Policy.
“The framework, for instance, is the structure by which the statement of intent – the policy – is executed,” Ramesh said.
“It states, for example, who is going to be responsible for what. The Board approves the policy; management controls how it is done. It’s about improving control and defining accountability, and at the end of the day, it is the firm’s risk management which is improved.”
How many policies should firms have?
The number of policies in a company is dependent on its risk appetite, and there should be sufficient procedures to support that. “Policies can act as a form of protection against lawsuit” suggested Ramesh, adding, “the number of policies will depend on how much protection you want
Another area of contention is, who should abide by policy. Ideally, everyone. Policy should apply to everyone; there cannot be different policies for different categories of people involved with the firm, particularly when it comes to governance – which involves fraud, corruption abuse of authority and company property. Directors, especially, are called to exhibit higher levels of personal and professional integrity as they can be seen as examples and are responsible for setting the “Tone At The Top” which all others are expected to emulate. It would be disastrous for the firm if its directors set the wrong tone through their actions or do not abide by the policies they have approved for everyone else.
All policies should be approved by the Board and implemented immediately. In line with good governance practice policies should be revised regularly, in order to keep them relevant Cull or revise the ones which have outlasted their utility. – this will keep the organisation abreast of developments in the environment in which it needs to operate. It is also an opportunity to inventorise and document the firm’s processes and procedures as well, to identify what needs to be upgraded and even what skills the workforce may require in the future, such as in the field of technology, with the implementation of a company cybersecurity policy.
It’s not the best job, but someone has to do it
Policy is the province of the Board, and while most large, well-regulated companies have the luxury of screening their directors to ensure that the right people are in charge, this is a challenge for smaller firms; their directors may not be up to scratch – and the quality of the policies that they develop may reflect this. How can this be mitigated? Boards should be balanced, and members should be sensible in their approach to formulating policy for the firm. For instance, Board members will be helping themselves a great deal if they declare that all policy papers should be short. All policies must also have risk elements but should not be set in perpetuity; instead, they should be regularly reviewed.
While policy, which is a statement of intent, may be written to apply generally, the framework which accompanies them cannot be generic. Organisations need to understand that all frameworks have to be customised to the needs of the company. When it comes to group policy, views of the subsidiaries must be taken into account before implementation, and it is advisable to “socialise” policies across the group prior to approval, for better acceptance and adoption.
Directors may appear all-knowing and all-powerful, regarded as wealthy and successful. To many, to hold a director’s position is to have “arrived” – but their responsibilities are great, and directors are human, with the same human foibles, habits and prejudices as the man in the street. Ramesh explained that they are liable to be fined heavily and may even be jailed if found to have been derelict in their corporate duties . Bearing all this in mind, it is unlikely, therefore, that directors will be careless when it comes to policy. They just have too much to lose!