As an inanimate object one would think that a risk policy document would not lead to such intense, passionate discussion at the drafting stage. A policy document is just a policy document, where are these extreme reactions coming from?
Apparently there are two schools of thought when it comes to crafting policy. The less is more school of thought believes that a policy document should be philosophical in nature and rather than describing all risks in great detail, it should focus more on how risk would be handled and treated at a (you guessed it) at a policy level. For this school a policy document focuses more on the logistics of approvals, exceptions and mandates rather than actual limits or categorization of risk. The risk identification, limit setting, evaluation and reporting component is left to the supporting process document that accompanies the policy everywhere.
In their defense the less is more school believes that Boards do not have sufficient time to do justice to risk policy. An involved, multi chapter risk policy document would only get a superficial review at the Board level and would most likely get stamped for approval on account of the shortage of time and the competition for attention within the number of items on Board’s agendas’ these days. So it is better to keep the policy short, sweet and relevant and shift the details to the process document that may or may not require direct approval from the Board. As long as the process document is in alignment with the policy, the Board has discharged its primary obligation by reviewing and approving the policy document without creating un-necessary delays in the approval process. There after the Board can be pulled in and involved on an as needed basis on risk issues without spending too much time on the approval of minor or process oriented changed to the policy or process documents.
On the other side is the descriptive and prescriptive school of policy thought. Under this approach the policy document is a far more comprehensive write up that not just includes the types and categories of risks addressed but also suggested and proposed limits. These policies include everything the less and more school suggests and then some.
Both schools have their place in a risk group. Which one is right depends on how involved your Board is in the risk management process, the frequency with which it meets, its composition, its accessibility and the amount of time it can honestly devote to risk items on its agenda. Where a Board’s risk review group includes members whose availability and time is limited, where risk committee meetings are held once every quarter and where even ordinary risk items often get covered over multiple Board meetings, the less is more school is a better bet. Where Board’s are more actively involved and Board members are easily accessible and where risk agenda items are covered in the same meeting, the second school may be more appropriate.
In the end what really matters is that both the process and policy documents support the reality that unfortunately exist regarding demands on Board of Directors time, at least here in this region. In the absence of SOX like regulation in large parts of Middle East and Asia Pacific it means that your policy documents shouldn’t turn the Board of Directors meeting into a recurring bottleneck when it comes to implementing risk policy.