Risk policy

From CEOpedia | Management online

A risk policy framework is created at a high level of the organisation's structure. It comprises the following three phases[1]:

  1. risk assessment,
  2. risk management,
  3. risk review.

The risk policy deals mainly with communication and consultation. The goal of risk communication is to identify risks, to educate people and to inform them about the scale of risk. Understanding risks and accepting them is the ideal outcome of a proper risk policy, because it builds the public's trust in the organisation[2]. Borghesi A. and Gaudenzi B. advise that the risk policy should[3]:

  • be kept up-to-date,
  • have special documentation,
  • develop a strategy related to the risk,
  • address auditing compliance.

Challenges in creating the risk policy

Many organisations have difficulties when it comes to implementing the risk policy. The reasons might be the following[4]:

  • Risks are interrelated - risks are usually very complex, therefore they require treatment on many levels in parallel,
  • The way of communicating risks - when there has been a proper risk assessment and possible responses have been predicted, there is a chance that risks will be communicated in an effective way; however, sometimes the whole process is prepared in a crisis, which may cause communication to fail,
  • Failure in risk assessment - this also might be impacted by preparation in a crisis, for example when new regulations are made rapidly and the problem was not assessed deeply upfront,
  • Subjective perspective of risk - some risks might be subjectively overestimated or underestimated compared with the opinion of experts; the reasons for this can be culture or past events which impacted the public,
  • Communicating and responding to the public - often there is an expectation to reduce risk to zero, which sometimes might not be possible, therefore it may become cost-ineffective,
  • Separating risk assessment from risk management - risk assessment and risk management are two separate exercises; however, they are often institutionally joined, which may lead to a lack of objectivity in final decisions.

Risk policy document

The risk policy document may consist of the following chapters[5]:

  • Introduction,
  • Statement of risk policy,
  • Risk evaluation,
  • Benefits from risk evaluation,
  • Comparing risks and benefits,
  • Developments in practice.

Policy impact on risks

Looking from another perspective, namely how governance policy may impact risks, there are two main types[6]:

  1. Prospective policy risks - overall uncertainty which negatively affects the planning of a project,
  2. Retroactive policy risks - changes in policy or regulation which affect financial stability and require additional investments.

Author: Patrycja Mikołajczyk


  1. OECD (2010), p.19
  2. OECD (2010), p.19
  3. Borghesi A., Gaudenzi B. (2013)
  4. OECD (2010), p.19-21
  5. Heriot Watt University (2015)
  6. Micale V., Frisari G., Hervé-Mignucci M., Mazza F. (2013)