Clear, concise, consistent, doable – rules for a risk policy

Effective risk policies may be elusive, but they’re a must, say two veterans of the art


No shirt, no shoes, no service. The pithy policy at many a beach bar entrance lays clear ground rules for management, employees and clients alike.

For financial institutions, however, creating and implementing a written risk policy is no day at the beach; it is often a struggle that can leave them vulnerable to serious problems. Some of the more harmful ones are financial loss, reputational damage, regulatory action and strained relationships with clients. Failure to set a clear risk strategy can also blur a firm’s mission.

In finance, it is a necessity that risk management policies be clear, concise, actionable and consistently followed. Although creating and maintaining effective risk policies is an organisational challenge, it is achievable over time with planning, expertise, sustained effort – and support from senior management.

Effective risk policies are not about box-checking or simply meeting compliance requirements; they express the most fundamental criteria for an organisation’s strategy, identity and approach to risk-taking.

In describing such efforts, the words ‘policy’ and ‘procedure’ are often used interchangeably, but they have different roles that are frequently misused or misunderstood.

Broadly speaking, a risk policy is a formal written statement – designated as such – describing actions that are either required or prohibited. Procedures, however, provide employees with instructions on how to perform a function, such as opening an account for a new customer.


While policies typically apply to an entire organisation, procedures often vary by business. A global credit policy might be supported by separate policies and procedures for different divisions, such as wholesale trading, corporate lending, retail or credit cards.

Many organisations have separate policies for significant risks or functions and might have hundreds of policies. In functional terms, these can include new client approvals, vendor selection, permitted investments and safeguarding data privacy – or such risks as model risk, market risk, credit and operational risk.

Large global organisations often maintain multiple policy tiers, where broad statements of global risk appetite are supported by more detailed statements for specific divisions or business units.

Although written policies are essential, they can be a challenge for organisations to create and maintain. Policies frequently lack a clearly stated purpose – because organisations have no consistent or common agreement on what a policy should accomplish. It thus becomes difficult to determine whether a policy is fulfilling its intended purpose. Often – and certainly in smaller firms without a developed operational risk function – no-one owns the process for creating and maintaining policies.

It is a frequent occurrence that organisations will intentionally avoid creating policies on ambiguous or controversial issues – just where they are most needed. Examples include approval of complex or novel transactions, approving questionable customers or expanding the use of existing products for new and riskier applications.

If there is no formal policy, there can be no violation – and no added requirement to determine whether a policy might have been followed. A portfolio manager who invests in private equity transactions, for example, may want to retain broad flexibility to structure deals – and might therefore resist requirements to review investment terms with an oversight group. Yet such flexibility could also exclude an appropriate assessment of reputational risk and other key risks.

Where they do exist, policies frequently have either insufficient or excess detail. Some are overly general or high level and some state the obvious; they often fail to offer guidance on the most essential matters. Others are so specific and expansive in their detail as to make it hard for readers to identify key requirements. Consequently, staff members maintain their usual established practices, regardless of policy requirements.

One frequent complaint from staff members is that policies are overly complicated and difficult to use. A firm’s employees should not need a lawyer to determine what a policy requires. A related outcome is that even the most well-intentioned employees do not know which policies apply to their specific roles. For example, when Credit Suisse’s operational risk head, a former trader, took over his role, he concluded that the bank’s handbook for traders was so long no-one would finish it, so he set it aside and rewrote it.

In larger firms, such as multinational banks, it can also be unclear who has authority to make policy exceptions. Without a clear process to follow, it can be difficult for organisations to quickly make decisions or respond to clients. Again, Credit Suisse provides a recent example of making an exception to perceived policy rules.

Errors of omission

A firm’s senior leadership or its board of directors is rarely involved in the creation of risk policies – a regrettable oversight because such leaders and board members should ultimately define an organisation’s appetite and tolerance for risk.

Policies are often not flexible enough to address extreme and unexpected conditions effectively, such as a global pandemic, severe power outages or insurrection. Consider the recent market disruption relating to GameStop, which exposed the vulnerabilities of organisations to extreme market volatility. The situation highlights the theme that effective policies must be in place before a crisis occurs.


On an important and related theme, some employees are effectively treated as exempt from policy requirements. Usually it is the ‘stars’ of the organisation – those who generate the largest amounts of revenue or have significant client relationships – whose behaviour in contravention of their own firms’ policies is sometimes ignored. Yet an unchecked minor infraction can escalate into serious problems, resulting in regulatory fines, legal settlements and fees. Consider the many familiar situations, such as the inappropriate sale of financial products, efforts to manipulate Libor or taking on clients that expose an organisation to reputational risk.

During his 2015 trial over Libor-rigging, for instance, Tom Hayes spoke of a culture he claimed failed to reprimand revenue-generators for questionable behaviour, admitting he was rarely challenged over his actions.

Moreover, often policies are not revised when there are changes in an organisation’s strategy, significant reporting relationships or product and service offerings. For example, the chief risk officer at Citizens Financial Group expressed this theme in relation to the separation from Royal Bank of Scotland. The point was also discussed recently by the chief risk officer of Nordea Asset Management, when he moved to the fund from a bank.

As a result, employees often come to view policies as irrelevant and ignore them.


It is not a one-time exercise to create effective risk policies. It is an ongoing process. Although there is no easy fix, organisations can make substantial progress over time if they provide the necessary motivation, effort and resources to explore creative and pragmatic solutions.

Among specific steps to consider, a useful start is to establish a team of professionals who can develop and oversee the creation and revision of policies.

Involve the necessary experts, whether internal or external, in both design and content. Ask this team to create a comprehensive inventory of all policies – followed by a thorough review of each – both as standalone documents and as components of existing policies.

Alongside this, create an efficient process for exceptions and describe it clearly in the policy itself. Design policies in a consistent style and format that can be understood by the people using them. Create policies in digital form within a comprehensive library so that they can be organised, accessed, searched and cross-referenced easily.

Examine the effectiveness of policies and revise them as needed. As appropriate, remove policies that are obsolete or no longer needed. Provide anonymous and safe channels for individuals to report observations of non-compliance.

As with all other policies, risk policies must be relevant, usable and applied consistently.

Serving suggestions

Carefully designed risk policies will provide their organisation with tangible benefits that easily justify the expense of creating and maintaining them. Not least, this process will provide an enhanced understanding of which risks organisations should take and which they should avoid, enabling the organisation to deploy its people, capital and intellectual assets in the most productive way. It will reduce the number and size of policies, as some are identified as redundant and others obsolete.

Effective risk policies will also provide a clear process to enable potential risk events to be identified, assessed, reported and managed properly. They will increase clarity around the roles of the various stakeholders – including employees, senior management, third parties and the board of directors. They will also create a clear and efficient process for obtaining exceptions and for escalating them to the appropriate levels.

In turn, this will promote employee satisfaction, helping staff members better understand the scope and demands of their jobs and perform them more effectively.

A central aspect of these benefits is the participation of senior management and the board of directors in formalising the expression of an organisation’s appetite and tolerance for risk. This will send a clear message to its shareholders, equity analysts, journalists, elected officials and regulators about the organisation’s mission and strategy.

Well-designed risk policies enable organisations to use their capital, people and technology to the fullest possible extent.

Much more than a mere exhortation to follow a given set of rules, they are a strategic necessity.

The views expressed here are the authors’ own and do not necessarily reflect the views of any other organisation.

Charles Fishkin is the former director of the Office of Risk Assessment at the US Securities and Exchange Commission. He is an adjunct faculty member in the Master’s Programme in Financial Engineering at Bernard M Baruch College of The City University of New York.

Jay Newberry is an independent risk management consultant. He recently retired from a 30-year career at Citigroup. Among his roles there, he was responsible for development and oversight of global risk management policies and served as managing director and global head of Citi’s operational risk management framework. He has also taught in the Master of Science Programme in Enterprise Risk Management at Columbia University in New York.
