I do not have a one-stop site either, but I believe certain statutes and regulations require policies -- such as BSA/AML, CIP, information security/GLBA, nondeposit investment product sales, fiduciary activities, privacy, etc. The NCUA exam manual basically states that management should have policies and procedures for all major phases of the credit union's operations. I know the FDIC does not apply to your case, but I thought the excerpt below from their Risk Management Examination Manual was on-point.
Regulating the Manner in Which All Business of the Bank is Conducted
Directors must provide a clear framework of objectives and policies within which executive officers operate and administer the bank's affairs. These objectives and policies should, at a minimum, cover investments, loans, asset/liability and funds management, profit planning and budgeting, capital planning, internal routine and controls, audit programs, conflicts of interest, code of ethics, and personnel. Specialty areas, such as the Bank Secrecy Act (BSA), Information Technology (IT), Trust Department activities, and consumer compliance should also be subject to similar appropriate oversight and internal guidelines. Objectives and policies in most instances should be written and reviewed periodically to determine that they remain applicable.