Risk management policy is, in the conventional governance model, reviewed annually. The review is usually presented to the board risk committee, approved with modest amendments, and filed. The cycle repeats. The institution maintains a current policy library on paper.
In substance, the question worth asking is when the institution’s risk policies last received a deep refresh — a review that began from the question of whether the policy still reflects the institution’s actual risk profile, rather than from the question of whether the existing structure needed minor adjustment. For many institutions in the GCC, the answer is somewhere before the pandemic. That is a problem of substance, not of procedure, and it is one that supervisors are increasingly examining in thematic reviews.
The risk vectors that institutions face in 2026 are not the risk vectors that the policies of 2019 were designed to govern. Each would warrant a substantive policy review individually. The accumulation of them all over a multi-year period is the structural argument for a deep refresh rather than another incremental cycle.
Cyber threats have evolved from a category requiring specialist attention to a primary enterprise risk. Climate and ESG considerations have moved from a marketing dimension to a substantive credit risk factor. Operational resilience has been formalised as a regulatory expectation across multiple jurisdictions. The behaviour of corporate and retail deposits in stress has been reshaped by digital channels.
What a deep refresh actually examines
A policy refresh that is more than a date update tends to examine four areas in depth, each of which often surfaces gaps that the annual review cycle does not.
The first is the risk taxonomy itself. The categories under which the institution organises its risk thinking — credit, market, liquidity, operational, strategic, reputational, compliance — were settled in most institutions a decade or more ago. The taxonomy has been extended at the edges as new categories emerged. Cyber risk is now in most taxonomies. Climate risk is in some. Third-party risk is in many. What is often missing is a coherent reassessment of whether the existing taxonomy still maps to the institution’s actual risk profile, or whether categories have accumulated through accretion rather than design.
The substantive test for the taxonomy is whether each category has clear ownership, clear measurement, clear appetite, and clear reporting. A category that has no measurement or no appetite is a category that exists in name only. The refresh exercise often finds that the institution has more categories than functional governance, and that consolidation or reorganisation would produce a more usable framework than continuing to extend the existing one.
The second is the linkage between risk policy and risk appetite. Most institutions have both documents. The linkage between them is often weaker in practice than the documents suggest. The risk policy might specify concentration limits for the corporate book that the risk appetite then does not enforce as a binding constraint. The risk appetite might specify a tolerance for operational losses that the operational risk policy then does not translate into specific control standards. The refresh exercise examines whether the appetite is operationally translated into the policy, and whether the policy operationally enforces what the appetite expresses.
The third is the integration of new risk vectors into the substantive policy framework, rather than as standalone documents. Cyber risk policy is most useful when it is integrated into the operational risk framework, not held separately. Climate risk policy is most useful when it is integrated into credit risk underwriting and into the macroeconomic overlay framework for IFRS 9, not held as a separate document for ESG reporting purposes. Operational resilience is most useful when it is embedded in the operational risk framework with specific impact tolerances for critical business services, not as a separate compliance workstream. The refresh examines whether integration has occurred or whether new risk vectors sit as parallel documents to a largely unchanged original framework.
The fourth is the governance structure that runs the policy framework. Risk committees that were appropriate for a 2019 risk profile may not be appropriate for a 2026 risk profile. The substantive question is whether the institution’s risk committees have the composition, the cadence, and the information flow that the current risk landscape requires. The refresh exercise sometimes surfaces that the committee structure itself needs adjustment — additional sub-committees, modified terms of reference, or reallocation of responsibilities between committees.
Where the largest gaps usually sit
Across the policy refresh engagements we have conducted over the past two years for institutions in the GCC, the largest gaps have tended to cluster in three areas.
Cyber risk policy is the area where the gap between documented framework and operational reality has most consistently surprised institutions during refresh exercises. The cyber policy document often exists. Its substantive integration with the broader operational risk framework is often weak. The cyber risk appetite is often expressed in qualitative terms that do not translate into specific control standards. The reporting from cyber risk to the board is often technically dense in a way that obscures rather than illuminates the residual risk position.
Concentration risk in the credit policy is the second area where refresh exercises commonly surface material findings. The concentration limits set in the policy were typically calibrated against an earlier portfolio composition. The actual portfolio has evolved. The single-name limits, sector limits, and geographic limits may no longer represent the institution’s intended risk-taking. A refresh that recalibrates these limits against the current portfolio and the current strategic plan tends to be the part of the exercise that produces the most immediately actionable findings.
Operational resilience as a substantive discipline rather than as a labelled section in the operational risk policy is the third area. The Basel and FSB direction on operational resilience requires institutions to identify critical business services, set impact tolerances for them, map the resources required to deliver them, and test the institution’s ability to remain within the impact tolerances during severe but plausible disruption scenarios. Many institutions have begun this work. Few have completed it in the depth the supervisory expectation now requires.
ESG and climate — moving from category to integration
The most significant single shift in the risk landscape since pre-pandemic policy frameworks were written has been the integration of climate and ESG considerations into substantive risk management. The shift has occurred at different paces across institutions and across jurisdictions, but the supervisory direction of travel is now consistent enough that policy refresh exercises need to engage with it directly.
For GCC institutions specifically, the relevant integration is in three areas. Credit underwriting needs to incorporate climate-related transition risk for obligors in carbon-exposed sectors, with the integration being substantive rather than ceremonial — actual underwriting standards modified to address transition risk, not a disclosure paragraph added to existing policy. IFRS 9 forward-looking scenarios need to incorporate climate paths consistent with NGFS scenario libraries or comparable frameworks, with the linkage between climate scenarios and ECL outputs traceable. Stress testing scenario libraries need to include climate stress scenarios, both physical and transition, with the institution’s resilience to such scenarios documented and reported.
This integration is rarely a quick exercise. It is also, increasingly, a supervisory expectation that the institution has begun the work in a structured way rather than addressing climate considerations purely through ESG reporting.
The discipline of policy currency
Beyond the deep refresh itself, the discipline that distinguishes institutions whose policies stay current from those whose policies drift is the explicit governance over when a refresh becomes necessary. The annual review cycle is necessary but not sufficient. The supplementary discipline is to specify, within each policy, what conditions would trigger a deeper refresh — material change in business strategy, material change in regulatory expectation, material change in the institution’s risk profile, or material findings from supervisory review or audit.
Institutions that have this trigger framework tend to identify the need for deep refresh earlier than institutions whose only review mechanism is the annual cycle. The trigger framework also makes the deep refresh, when it occurs, a planned exercise rather than a reactive one — which materially affects the quality of the work and the substantive engagement of the relevant committees.
A closing observation
The institutions that have done refresh work well have tended to allocate clear sponsorship to the exercise at executive committee level, set timelines that allow substantive engagement rather than procedural completion, and treat the refresh as an opportunity to align the policy framework with the institution’s actual strategic direction rather than as a compliance deliverable. The policy that emerges from that kind of refresh tends to govern the institution’s risk-taking effectively for several years. The policy that emerges from a procedural refresh tends to need another refresh before its formal cycle is complete.