How to Develop Effective Risk Documentation

Good written risk documentation is both an art and a science. In a perfect world, the writer and subject matter expert (SME) come together as one. Unfortunately, we do not live in a perfect world, and this blend is difficult to find.

Today, too many risk documents are flawed. In some cases, they are too light on content or poorly written by the SME; in others, they are too aspirational.

John Thackeray

To achieve clarity, the risk documentation should be written from an independent viewpoint by someone who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, and should be able to guide the organization toward ownership of the final document in collaboration with the SME.

When executed properly, a risk document will be an objective piece of writing, speaking the language of the organization while also being understood by the outside world. An organization can establish a positive attitude and commitment toward risk, and build its risk culture, with the help of effective risk documentation.

But how, exactly, can this be achieved?  

Documenting Risk: A Three-Step Approach

The board has overall responsibility for ensuring that a firm’s risks are managed. They delegate the operation of the risk management framework to the management team.

One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. Therefore, the board needs to be reassured that risk documentation is being properly used in pursuit of the company’s objectives.

Here are three steps your organization can take to ensure the efficacy of risk documentation:

1. Prioritize risk awareness and the development of a firmwide risk culture.

Clear risk roles and responsibilities that reinforce ownership and accountability must be established. Documentation underpins standard practices and policies, so a commitment to roles and responsibilities speaks to the adequacy of a firm’s internal control environment.

Aligned with cultural goals, most companies have a risk charter that is bound to the board and senior management. This charter dictates governance structure, which helps direct the performance of corporate objectives in a controlled fashion.

Part of a firm’s cultural attitude toward risk can be evidenced in its “review and challenge” process. Asking the right questions and verifying the correct answers demonstrate an organization’s comfort level with its governance and documentation processes. There must be a structure in place that allows employees to challenge these processes, when necessary. 

2. Choose and deploy the right metrics.

Metrics gauge the operational efficiency of documentation, and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation.

Regular reviews of these metrics – which include return on equity, risk-adjusted capital return and return on investment – will indicate whether the documentation is fit for purpose.

3. Continuously assess and review policies and procedures.

Reviews should consist of assessments of representative samples. They must include testing and validation by all engaged stakeholders.

Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents” and/or exceptions. These exceptions and escalations should be actively tracked to gain an understanding of the validity of the documents. An assessment and review framework that enforces this is a sign that risk mitigation is part of the organization’s DNA.

Parting Thoughts

These three steps toward effective risk documentation are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization.

Risk documentation is where the written word captures the spoken word, aligning intentions with actions. Firms that take the necessary steps to implement it will improve their enterprise risk management.

John Thackeray is a risk and compliance practitioner and writer. His firm, RiskInk, helps businesses control their risks by writing policies and procedures to mitigate them. As a former senior risk executive at Citigroup, Deutsche Bank AG and Société Générale, he has had firsthand engagement with U.S. and European regulators.