I think we have a policy for that ... somewhere

Part of risk management is making sure that the risk management framework (a hierarchy of policies, standards, guidelines and procedures) remains accessible to every person in the organisation through: language (use simple words); presentation (make it easy to find important bits); location (policy is of no use if you don’t know where to find it); relevancy (policy on proper usage of the stapler is generally not required). In most organisations each business division, or even team, will eventually desire their own policies.