How to write a Risk Management Policy


The financial risk management policy outlines the Company’s risk management process and sets out people’s responsibilities. It is reviewed periodically to ensure the actions remain appropriate and effective. The risk management policy consists of three main elements.


  • Risk Identification. Financial risks are classified as follows:
    • Market risk: involves the risk of changing conditions in the specific marketplace in which a company competes for business (FX risk, commodity risk, interest rate risk).
    • Credit risk: refers to the default probability of a counterparty.
    • Operational risk: refers to the various risks that can arise from a company’s ordinary business activities (Processes, IT Systems, Regulatory, Compliance).
  • Risk Assessment. The goal of Risk Assessment is to document the net effect of all identified risks by assessing:
    • Likelihood of each risk;
    • Impact of each risk;
    • Prioritisation based on scales.
  • Risk Strategy. Risk strategies can be handled in three ways:
    • Avoid the risk: you have identified the risk and you decide to avoid all actions/activity related to it. This strategy is generally applied when the risk is not directly linked to the Company’s core business.
    • Accept the risk: you have identified the risk but take no action, accepting that the risk might happen. This strategy is generally applied to small risks.
    • Mitigate the risk: you have identified the risk and you take many actions in order to mitigate the risk’s impact on returns, implementing hedging strategies (natural hedging or financial instruments) and using new technologies. This strategy is generally applied when the risk is directly linked to the Company’s core business.


  • Board. The Board is responsible for the strategic and operational effectiveness of the organisation and is required to:
    • Identify the key strategic risks
    • Identify the optimal management strategy with the support of the Risk Committee
    • Define the threshold for each risk;
    • Approve the Risk Policy and delegate the oversight activities to the Risk Committee
    • Approve any strategic corrective actions, if necessary.
  • CFO. The CFO is responsible for coordinating the Risk Committee and managing the Risk Team in order to ensure accurate and timely monitoring of all financial risks.
  • Risk Committee. The Risk Committee oversees risk management activities and is required to:
    • Review the processes for identifying, monitoring and managing significant business risks;
    • Update risk management and mitigation strategies on an ordinary basis (half-yearly or annual, depending on the core business) and in special conditions, due to:
      • Exogenous factors: changing market dynamics, competitor context etc.
      • Endogenous factors: changing core business, risk exposure due to M&A transactions etc.
    • Report to the Board on the level of risk exposure and the effectiveness of the risk management Policy.
  • Risk Management Team. The Risk Management Team is responsible for the reporting activities, the controls execution and the implementation and updating of the risk metrics. It also contributes to the Risk Policy update on an ordinary and extraordinary basis.


  • Financial risk management dashboard: the financial risk management dashboard brings together into one report the quantification of the most important risks, with Board-imposed ceilings. The summary is generally submitted to the Board not less frequently than quarterly.
  • Financial risk register: a detailed risk report on each financial risk.
  • Financial statements (e.g. balance sheet, income statement, funds-flow statement): the financial statements are an important tool for monitoring financial risk by computing the key financial ratios, and they allow for timely course correction. These are reviewed not less frequently than semi-annually.

…Article in progress, Finance Never Stop