Integrating policy risk into enterprise risk management
Our ERM team wants to incorporate policy-related risks into our enterprise risk register. What types of policy risks should be tracked, and how do you quantify them?
1 Answer
Policy-related risks to consider:

1) Regulatory non-compliance risk from outdated policies
2) Operational risk from unclear or conflicting policies
3) Reputational risk from policy gaps becoming public
4) Legal/litigation risk from policy violations
5) Strategic risk from policies not aligned with business direction

For quantification, we use a combination of likelihood (based on review currency, incident history) and impact (regulatory fines, operational disruption costs). Consider tracking "policy health scores" based on review status, exception volumes, and training completion rates.