
Risk Management Policy

The following sample outlines a set of policies and procedures for a common and systematic
approach for managing risk across a company. This approach increases risk awareness, ensures
the appropriate management of risks, and makes the business unit risk profiles transparent, thus
enabling risks to be compared and aggregated and allowing one to take a portfolio approach to
risk management.
Prepared By: ______________
Approved By: ______________
Revision Date: ______________
Effective Date: ______________
This policy sets out the risk management objectives and requirements for the Company X business units. Management is expected to conduct structured risk management in accordance with this policy.

The policy is applicable to all Company X business units and divisions. It is also applicable at group level and for group staff functions including Financial, Human Resources, Tax and Legal.

To structure and formalize the risk management activities across the business units, Company X has developed a risk management framework. The Company X business units are required to implement and use this common risk management framework.

Company X takes risks inherent to its strategy in order to achieve its corporate and business units' objectives and to deliver superior shareholder returns. Company X is developing and implementing a common and systematic approach for managing risk across the company. This approach increases risk awareness, ensures the appropriate management of risks, and makes the business unit risk profiles transparent, thus enabling risks to be compared and aggregated and allowing one to take a portfolio approach to risk management.

The Company X business units are expected to actively anticipate and manage their risks, taking advantage of opportunities and containing potential hazards in line with their risk tolerance. The external and internal risks facing the Company X business units are changing constantly and the business units are expected to proactively:

- Utilize experience through knowledge sharing;
- Deal with ambiguity, uncertainty and increasing complexity;
- Prioritize, make decisions and implement solutions on a timely basis;
- Recognize and act on opportunities as they occur;
- Ensure results in spite of a changing business unit environment.
- Risk management policy – the present policy document summarizing the objectives and requirements for risk management;
- Risk management process – a common four-step process for identifying, assessing, responding to and monitoring business unit risks;
- Roles and responsibilities – clearly defined responsibilities for managing and reporting on risks within line management and separately for supporting and auditing the risk management
- Risk reporting – common terminology, formats, and frequencies for reporting on key business unit risks;
- Risk measurement – common scales for measuring the likelihood and potential impact of
- Risk categorization – common categories for risks, allowing risk consolidation and identification of key risk areas;
- Assurance structure – an accompanying assurance structure, including a risk compliance auditor, which monitors and assures the application of the risk management framework within the business units;
- Support structure – a dedicated support function (Risk Support Officer) and a set of common user-friendly tools that allow the business units to implement and apply the elements of the risk management framework.
Risk strategy and risk tolerance

Risk is part of doing business and risk management is therefore part of day-to-day business management. Company X aims to formalize risk management to the extent that business units are able to apply best-practice techniques, to share knowledge and experience, and to make the key risks to the shareholders transparent.

Company X aims to be risk aware, but not overly risk averse, and to actively manage business unit risks to protect and grow the business units. To achieve its business unit objectives, Company X recognizes that it will take on certain business unit risks. Company X aims to take risks in an informed and proactive manner, such that the level of risk is consistent with the potential business unit rewards and that Company X understands and is able to manage or absorb the impact of the risk in the event that it materializes. Management will establish such risk responses as are required to achieve the business unit objectives in accordance with the acceptability of the risk. Quantified business unit risk tolerances will be formulated and regularly updated by management at group, divisional and business-unit level. Company X will aim to actively avoid risks that could:

- Negatively affect the safety of our employees or other stakeholders, such as customers;
- Negatively affect our reputation;
- Lead to laws or regulations being breached; or
- Endanger the future existence of the company.
Risk management requirements

In order to formalize risk management across Company X and in order to set a common level of transparency and risk management performance, a number of requirements have been defined for the business units. The Company X group, divisions and business units are obliged to address the following requirements with regard to risk management:

- Develop and review, at least annually, a statement on the risk tolerance of the group/division/business unit;
- Conduct a formalized risk assessment at least annually, this assessment to include the identification, prioritization, measurement and categorization of all key risks that could potentially affect the business unit's objectives;
- Report annually on the key business unit risks as identified in Company X's risk reporting
- Continuously monitor key risks and controls and implement appropriate risk responses where
- Formalize responsibilities for managing risk and for sustaining Company X's risk management framework within the business unit;
- Monitor and review the application of the risk management framework.
Company X has a corporate internal audit function that conducts a systematic program of operational and financial audits across the business units. Through the risk management process, the business units themselves are responsible for assessing their risks, for implementing appropriate controls, for monitoring risks and controls, and for gaining assurance that the risks are being managed as intended. Formalized assurance from a corporate level focuses on auditing how the business units apply the risk management framework. Operational and financial audits will be executed on a regular basis from corporate level. The outcome of the risk assessment process will be used as input for the audit planning by corporate audit.

Risk management roles and responsibilities

Risk management is primarily the responsibility of line management. Specific responsibilities for applying, supporting and auditing the risk management process are detailed in this section.

Business unit management

By definition, risk management is a normal part of day-to-day management practice. The specific responsibilities of business unit management with respect to structured risk management are to:

- Implement the risk management framework within the business unit;
- Develop and review the business unit's risk tolerance;
- Identify and assess the risks faced, and report material risk information annually as part of the budget and ad-hoc in the case of significant new risks arising;
- Manage the material risks within the business unit and ensure the actual risk profile is consistent with the risk tolerance;
- Develop and maintain an appropriate organization to facilitate the application of the risk management framework.

CEO Company X Holding

- Formulate and update Company X's Risk Management Policy;
- Formulate the corporate risk tolerance; review and approve the business unit risk tolerance;
- Determine, communicate and support Company X's risk management approach to the business units;
- Review business unit risk reporting critically and provide feedback to the business units as part of the Three-year Planning process;
- Ensure that the appropriate structure, processes and competences are in place across Company X in order to address the requirements set out in this policy;
- Report to the Supervisory Board and the Audit Committee on material risks.

Company X Holdings Supervisory Board and Audit Committee

- Review and approve the risk management policy insofar as it is consistent with Company X's corporate objectives;
- Review and approve the corporate risk tolerance;
- Be aware of the most significant risks across the business units and of whether management is responding appropriately;
- Review the portfolio of risks and consider it in the light of the corporate risk tolerance;
- Monitor and ensure the appropriate application of the risk management framework within the business units.

Company X Risk Support Officer

The Risk Support Officer is a dedicated part-time function at Company X level which is filled by the Head of Internal Audit. The Risk Support Officer ensures that risk management is conducted
in a structured, systematic and continuous manner across the Company X business units. The Risk Support Officer's specific responsibilities are to:

- Maintain Company X's risk management framework (tools and methodologies);
- Support business units in their use of these tools and methodologies;
- Maintain risk management communication within the Company X organization;
- If requested by a business unit, facilitate a risk assessment as part of the Three-year Plan and as part of support for key decisions;
- Provide an annual risk report for Company X Holding, as well as a consolidated risk report;
- Coordinate and supply training in risk management.

Company X Risk Compliance Auditor

The Risk Compliance Auditor is responsible for reviewing and reporting on how well the business units are addressing the requirements set out in Company X's Risk Management Policy. The Risk Compliance Auditor is generally externally resourced and reports directly to the Audit and Compliance Committee. The Risk Compliance Auditor's specific responsibilities are to:

- Evaluate and report on the compliance of the business units with Company X's Risk Management Policy;
- Evaluate controls in key risk areas on an ad-hoc basis;
- Evaluate compliance with other Company X policies on an ad-hoc basis;
- Review and report on the extent to which management has applied Company X's risk management framework.
Source: www.knowledgeleader.com
