Early in my career I sat in on a credit review that fell apart over a question that should have taken ten seconds to answer: who was actually allowed to approve this loan? Nobody in the room could point to the document that said so. The risk appetite lived in a board deck from eighteen months earlier. The cutoff scores lived in an analyst’s spreadsheet. The exposure limits were folklore — a number people repeated without knowing where it came from. Every person in that room was competent and well-intentioned. The framework was simply invisible, and an invisible framework is, for practical purposes, no framework at all.

That experience taught me something I’ve seen confirmed at every lender since: a credit risk framework is not bureaucracy, and it is not a compliance tax. It is the machinery that lets a lending business make thousands of consistent, defensible decisions a day — and prove, after the fact, that each one was within appetite, properly authorised, and inside the limits. Get it right and you can scale, satisfy a regulator, and sleep at night. Get it wrong and you are one bad vintage or one examination away from a very uncomfortable quarter.

This piece is the long version: what the framework actually is, the five documents it comes down to, what belongs in each, the failure modes I see most often, a maturity model so you can locate yourself honestly, and a 90-day plan to build the whole thing from scratch.

What the absence of a framework actually costs

Before the five documents, it’s worth being concrete about what you’re buying, because “good governance” is too abstract to motivate anyone. A missing or incoherent framework costs you in four specific ways, and all four are expensive.

The first is regulatory exposure. When an examiner asks to see how you decide, approve, and monitor credit, “it’s in various decks and people’s heads” is not an answer — it’s a finding. The second is loss leakage: without clear limits and authorities, exceptions accumulate quietly, concentrations build up unseen, and you discover the bet you made only when it goes wrong. The third is speed and scale: paradoxically, the absence of clear rules slows you down, because every non-standard decision becomes a debate. The fourth is key-person risk — when the framework lives in one experienced person’s head, you are one resignation away from losing your institutional memory.

A credit framework is the difference between a book you can defend and a book you’re hoping holds.

The shape of a framework: five documents, one hierarchy

The framework is not a single binder. It is five documents arranged in a deliberate hierarchy, each with a different job and a different altitude. The logic runs constitutional → procedural → operational, capped by guardrails and held together by a binding layer. Get the hierarchy right and everything else becomes easier; get it wrong and the documents drift apart no matter how well-written each one is.

Figure 1 — The five documents and how they relate.

Here is the whole suite at a glance — what each document governs, who owns it, and how often it should be revisited. Notice that the altitude and the review cadence go together: the higher and more stable the document, the less often it changes.

| Document | What it governs | Owner / approver | Review cadence |
|---|---|---|---|
| Credit Policy | Risk appetite, eligibility, concentration & pricing ceilings | Board / Credit Committee | Annually, or on material change |
| Credit Management Manual | Underwriting detail, scorecards, triggers, programs | Chief Credit Officer | Semi-annually |
| Delegation of Authority | Who can approve what, exceptions, escalation | Credit Committee | Annually |
| Portfolio Limits Framework | Concentration limits and test-and-learn caps | Credit Committee / ALCO | Quarterly |
| Governance Framework | Hierarchy, change control, consistency | Credit Committee | On any change |

Document 1 — The Credit Policy (your constitution)

The Credit Policy is the top-level, Board-approved document, and like a constitution it should be short, principle-based, and stable. It sets your risk appetite and loss tolerance, defines who you will and won’t lend to, establishes the concentration ceilings that shape the portfolio, and sets the outer bounds of pricing. It also states the principles for provisioning. Everything below it must sit inside it — no manual, no program, no exception may permit something the Policy forbids.

The single most common mistake is writing the Policy like a textbook or an operating manual. If you find yourself amending it every month, operational detail has leaked in from the layer below. The Policy should change rarely; the manual should carry anything that moves with markets or products. A good test: could this document survive a year untouched while the business keeps shipping? If not, it’s carrying detail that belongs elsewhere.

| In the Credit Policy | In the Manual instead |
|---|---|
| Risk appetite & loss tolerance | Specific cutoff scores |
| Eligible & ineligible segments | Verification procedures |
| Concentration ceilings (top level) | Operating sub-limits |
| Pricing ceilings (caps) | Day-to-day pricing grids |
| ECL & provisioning principles | ECL calculation steps |

Document 2 — The Credit Management Manual (your operating manual)

If the Policy is the what, the Manual is the how. It contains the underwriting criteria, the scorecard usage rules, verification and affordability standards, the monitoring triggers, and — crucially — the register of every live lending program. This is the document your credit operations team actually works from day to day, and it is allowed to change as products and markets move.

The risk here is drift. Because the Manual moves faster than the Policy, it can quietly start permitting things the Policy never intended — a looser cutoff here, an undocumented exception there. When the two disagree, you have a governance gap, and it is exactly the kind of gap an examiner or an independent review will find before you do. The programs register is your best defence: a single living list of what’s live, under what terms, and within which limits.

Document 3 — The Delegation of Authority (who can approve what)

The Delegation of Authority answers the question that broke that early-career credit review: who is allowed to make this decision? It is the matrix of approval authorities by role and exposure, the rules for exceptions, and the escalation route when a decision exceeds someone’s limit. Done well, it means every credit decision traces to a person who was authorised to make it.

The mistake I see most is granting authority by seniority and then never watching how it’s used. Authority without monitoring is how losses hide: a single approver running a high exception rate or a deteriorating book can do real damage before anyone notices. Tie the matrix to monitoring — exception volumes and breach rates by approver — and the delegation becomes a control, not just a convenience.

Decision / exposure

Underwriter

Credit Manager

Head of Credit

Credit Committee

Within policy, up to $5k

Approve

$5k – $50k

Recommend

Approve

$50k – $250k

Recommend

Approve

Above $250k or policy exception

Recommend

Approve

Illustrative delegation matrix — thresholds are examples, not a recommendation.

Document 4 — The Portfolio Limits Framework (your guardrails)

Limits are what stop any single bet from sinking the book. The Portfolio Limits Framework caps exposure across the dimensions that matter — by segment, product, and channel — and, for digital lenders especially, caps the combined exposure of test-and-learn programs while they’re still unproven. The point is structural: no matter how attractive a niche looks, you decide in advance how much of the book it can become.

The mistake is limits that are asserted rather than derived. A ceiling that isn’t tied back to capital, loss tolerance, or a target return is just a number, and a number you can’t defend won’t survive a challenge in committee — let alone with a regulator. Every limit should have a one-line derivation behind it.

| Limit type | Caps what | Derived from |
|---|---|---|
| Portfolio concentration | Total book by segment / product | Capital & loss tolerance |
| Single-program | One program’s exposure | Risk appetite / test budget |
| Channel | Exposure by acquisition channel | Channel loss experience |
| Test-and-learn | Unproven programs combined | Maximum tolerable test loss |

Document 5 — The Governance & Approval Framework (the keystone)

The fifth document is the one most teams skip, and its absence is why the other four drift apart. The Governance & Approval Framework binds the suite: it states the hierarchy (which document outranks which), defines how changes cascade and get reconciled, sets the cadence of consistency checks, and records what changed, when, and who approved it. It is the connective tissue that keeps four good documents from quietly contradicting each other on the loan cap, the trigger list, or the approval levels.

| Mechanism | What it does |
|---|---|
| Document hierarchy | States which document outranks which |
| Envelope attestation | Every approval confirms it stays within the Credit Policy |
| Cascade-and-reconcile | Changes flow down and are reconciled on a set clock |
| Quarterly consistency check | Catches cross-document contradictions |
| Change log & versioning | Tracks what changed, when, why, and who approved |

How they fit together

Put the five in order and the logic is clean: the Credit Policy is constitutional, the Delegation of Authority routes decisions, the Manual executes them, the Limits cap the whole thing, and the Governance Framework holds it together and manages change. When the suite works, every credit decision can answer three questions instantly — is it within appetite, who was allowed to approve it, and does it stay inside our limits? If a decision can’t answer all three, you’ve found a gap.

The failure modes I see most

Almost every broken framework fails in one of a handful of recognisable ways. Here they are, with the symptom that gives each away and the fix.

| Failure mode | Symptom | Fix |
|---|---|---|
| Policy too detailed | Edited every month | Move operational detail to the Manual |
| Manual drifts from Policy | Contradictions appear | Quarterly consistency check |
| Delegation by seniority only | Losses hide with one approver | Monitor exception & breach rates |
| No governance layer | Documents conflict | Add the keystone + change control |
| Asserted limits | Can’t defend them in committee | Derive from capital & loss tolerance |

Where are you? A maturity model

Before you build, locate yourself honestly. Most lenders are somewhere between Level 2 and Level 3 — they have documents, but not the connective tissue. The goal isn’t Level 5 overnight; it’s to know which rung you’re on and what the next one requires.

Figure 2 — Five levels of framework maturity. Move up one rung at a time.

The jump that matters most is from Documented (Level 2) to Governed (Level 3): that’s where the hierarchy and delegation turn a pile of documents into a framework. Levels 4 and 5 — integrating limits with live monitoring, and reaching a self-auditing, change-controlled suite — are where mature digital lenders separate themselves, but they only pay off once the foundation is solid.

A 90-day plan to build the suite

You don’t need a year. With focus, the core suite comes together in a quarter, in an order that front-loads the decisions everything else depends on.

Figure 3 — Build in the order the documents depend on each other.

In the first month, get the Credit Policy to a v1 and — more important than the prose — draw the one-page hierarchy and secure risk-appetite sign-off, because every later document hangs off those decisions. In the second month, write the Manual and the Delegation of Authority, and stand up the programs register. In the third, build the Portfolio Limits Framework and the Governance Framework, then run your first cascade-and-reconcile so the whole suite is provably consistent on day one.

If you only do one thing

Don’t start by writing all five documents. Start by drawing the one-page hierarchy — the five boxes and how they relate. Half the value of a framework is simply making its structure visible, because once everyone can see where each decision is supposed to live, the documents almost write themselves and the arguments stop. The hierarchy is cheap, it takes an afternoon, and it’s the single highest-leverage hour you’ll spend on credit governance all year.


Next issue: early warning indicators that fire before delinquency — the signals that save you basis points before a single payment is missed.

If this was useful, forward it to someone building a lending book — that’s how this grows.

Views are my own and do not represent my employer.
