A recent WSJ headline referenced one major bank's problems as regulators challenge its risk management practices. This made me think of comments I usually make during our firm's Fundamentals of Performance Measurement course, when I touch on risk management: having a risk policy can be risky!
This comment is based on a consulting assignment we had several years ago, that involved a plan sponsor's challenge of one of its managers risk management policies. They felt that the manager had failed to live up to their documented control procedures, and we were asked to conduct an analysis to discover what we could regarding this matter.
Of course, a policy has to be sound and as complete as possible. The point here is that having one on paper but not in reality can be hugely problematic. Not having one is also a problem, as more and more clients expect to see some risk management in place. I recall a NYC asset manager client who contacted me one day about establishing one: their largest client had asked what their policy was, and the reality was that they didn't do any risk measurement or management.
Policies, procedures, and controls cannot reside only on paper; they must be exercised and validated occasionally, to ensure they are performing as expected, and from time to time enhanced, too.