Risk policy is the documentation of an organisation's risk tolerance, risk appetite and risk budget.
It includes predetermined actions the organisation will take, or have in reserve, to deal with the range of future situations that might arise.
Risk policy should cover commercial as well as treasury approaches to exposure management.
The policy should make explicit that a risk management system has been designed to provide reasonable assurance of achieving business objectives.
It should assign accountability for managing risks and reporting results on effectiveness of the system to executive management.