Risk Management Policy

A few days ago, I visited one of my close friends at her offices. My friend owns a small food processing business with an investment in machinery of about US Dollars 100,000, and she employs about 30 people. The technical team and the support team comprise 25 and 5 personnel, respectively. The rules of our country require such a company to prepare annual accounts and have them audited every year. It must also file annual returns with the Registrar of Companies and the respective Revenue Authority.

As I was going in, two men were coming out of the office through the main gate. To my surprise, I found my friend looking very exhausted. Of course, I could not connect her exhaustion with the people I had met at the gate, so I asked how her day had been, and she replied that it had been very long and demanding. I inquired further as to what had made the day so long and demanding. She responded by asking whether I had seen the two men leaving. I said yes. She then said that they were the source of her long and demanding day. Before I could ask a follow-up question, she told me that the company's auditors had questioned why it was missing an essential ingredient for its prosperity. The missing ingredient was the Risk Management Policy.

"The auditors gave me a deadline to have a draft policy in place. The bad side of it is that they did not even provide a clue of what it is or how I should prepare it. I find it an enormous burden considering the deadline and the tight production and marketing schedules I have at the moment." I asked her if that was all that had made her so tired. She said yes, "because I have no idea what a risk management policy looks like. I'm not even aware of what it is and what the main components of the policy are."

"To make matters worse, they gave me a deadline which I'm sure I can meet. And you know the auditors, my friend: when they say it, they mean it." Then I told her to take a glass of water and relax. I gave her the entire picture of what a risk management policy is all about and its importance for the company's prosperity.

For the benefit of the rest of my friends, I'm presenting here what I shared with her. Please read the presentation carefully and customize it to fit your business environment.

What is Risk Management Policy?

What is risk?

Risk refers to the possibility of undesirable events (or situations) occurring that might prevent or impair the attainment of company objectives. The impact can be a threat to the delivery of the goals or a missed opportunity. These threats can stem from various sources, including financial uncertainty, legal liabilities, accidents, natural disasters, and many more.

What is risk management?

Risk management is the process of identifying, assessing, managing and controlling potential events, situations or threats to organizational performance. Adopting a risk management framework that embeds best practices into the corporate risk culture is therefore essential.

What is a risk management policy?

A risk management policy is the set of formally documented instructions, approved by internal governing bodies, that define in sufficient operational detail an organization's perception of and attitude towards the range of risks it faces and its desire to manage them. The policy thus enables the organization to identify its risks, prioritize them in terms of magnitude and immediacy, and design measures to avoid or minimize them.

Contents of the Risk Management Policy

Regardless of the type of company and its activities, the following 12 main items are essential in a risk management policy. Each company will therefore have to customize some areas according to its own activities. Using a fictitious XYZ company as an illustration, below is the skeleton of a risk management policy, with an example of how each item can be covered.

The main items are: purpose, scope, risk governance, risk management processes, integration with other systems and processes, risk categories, risk register, risk reporting, risk management performance, risk appetite, review and approval, and reference documents. Each is described below.

1. Purpose

Here, you need to outline the purpose of the risk management policy. In many cases the purpose reads like the following example.

Example: The purpose of the risk management policy of XYZ company is to guide the management of risk in order to support corporate objectives, protect staff and business assets, and ensure financial sustainability.

2. Scope

Here you need to specify whom this policy applies to.

Example: This policy applies to all XYZ Company activities. It forms part of the XYZ Company governance framework and applies to all employees, contractors, casual laborers, and other stakeholders.

3. Risk Governance

Provide an overview of the risk governance structure of the organization. Indicate who is involved in risk management and what their responsibilities are.

Example:

Board/Steering Committee: Approves the policy and provides oversight and review of risk management.
Internal Audit and Risk Committee: Responsible for overseeing the regular review of risk management activities.
Chief Executive Officer: Drives the culture of risk management and signs off on the annual risk validation.
Risk Manager: Undertakes continuous improvement of the risk management policy, strategy and supporting framework.
All Other Managers: Ensure that staff in their business units comply with the risk management policy and foster a culture where risks can be identified and escalated.
Staff, Contractors and Stakeholders: Comply with risk management policies and procedures.

4. Risk Management Processes

Here, you list the steps involved in the risk management process. For practical guidance on the process, refer to the risk management procedure.

Example: According to the risk management procedures of XYZ company, when undertaking a risk management process the company follows these steps: establish the context, identify the risk, analyze the risk, evaluate the risk, treat the risk, and monitor and review the risk.

5. Integration with Other Systems and Processes

Management of risk is part and parcel of the company's processes. Here you should describe how the risk management process and approaches are integrated and embedded into the company's other processes and systems.

Example: This risk management policy is cognizant of, and integrated with, XYZ company's business planning systems, performance management systems, audit and assurance rules and procedures, business continuity management strategies, and project management.

6. Risk Categories

Risks fall into various categories depending on the activities you carry out. You therefore need to specify the risk categories that will be included in your risk register and risk reporting.

Example: The risk categories for XYZ company, which, like my friend's company, is in the food processing industry, are strategic, financial, environmental, safety, people, and reputation.

7. Risk Register

Specify the purpose of the risk register and include details on the types of risks to be recorded in it.

Example: XYZ company will maintain two risk registers: the strategic risk register and the operational risk register. Each risk register will record, among other things, the risk categories, who reviews the register, and how often it is reviewed. The criteria for adding or removing a risk category will also be described in the risk register.

8. Risk Reporting

In this area, you outline the risk reporting requirements that create awareness of key risks, improve accountability for the management of risk, and ensure the timely completion of risk treatment plans. You also provide details on who prepares the reports, who reviews them, and how often they are reviewed.

Example: The Chief Risk Officer of XYZ company will prepare both the strategic risk register and the operational risk register. The Audit Committee will review the strategic risk register every quarter, while the Operational Committee will review the operational risk register every quarter.

9. Risk Management Performance

The policy should state that the organization will measure the performance of its risk management activities, and outline how it will assess how effectively risk management supports corporate objectives.

Example: XYZ company will measure risk management performance using the number of internal audits completed per annum, the number of internal audit findings accepted by management, the timeliness of remediating internal audit findings, and the reduction in the number of extreme risks in the risk register.

10. Risk Appetite

ISO 31000 defines risk appetite as "the amount and type of risk that an organization is prepared to pursue, retain or take." Through the risk management policy, you therefore need to make a risk appetite statement that articulates the amount and type of risk the organization is prepared to pursue, retain, and take.

11. Review and Approval

At this point, the risk management policy should state who will review it and how often, taking into account the progress made in improving the risk management practices implemented across the organization.

12. Reference and Related Documents

Here, you list all the reference documents, forms and other related documents.

In addition to the above main items, the risk management policy should indicate the approving authority and the date of approval.