It is generally considered good practice to document an organisation's attitude and commitment to risk management in a high-level document, such as a Risk Management Policy. The policy may describe the organisation's general attitude towards risk, its risk management principles, roles and responsibilities, the risk management infrastructure, and the resources and processes dedicated to risk management. Section 4.3.2 of ISO31000:2009 also provides guidance on the risk management policy.
An article published by Michael Rasmussen in October 2010, 'Enterprise Risk Management Policy Structure', outlines what a risk management policy should include and notes that the organisation's policy should not be "boilerplate." The policy should reflect the activities the organisation actually undertakes and its attitude and approach to managing its material business risks.
USE THE CHECKLIST PROVIDED BELOW TO TURN THIS SECTION INTO ACTIONS
☐ Review ISO31000:2009 section 4.3.2
☐ Download a free sample Risk Management Policy from http://www.risk-academy.ru/en/download/risk management-policy-detailed/
☐ Adjust the sample Risk Management Policy to reflect organisational maturity and specific details
☐ Validate the policy with the stakeholders
☐ Approve it, then publish it on the company website and make it accessible to employees and contractors
USEFUL VIDEOS
What should a typical risk management framework include? Should an organisation develop a single integrated risk management framework document, or is there a better way to integrate risk management into business processes and corporate culture? https://www.youtube.com/watch?v=KMuhcmeJRgE
Alex Sidorenko from RISK-ACADEMY talks about documenting and publishing a risk management policy. https://www.youtube.com/watch?v=iFc0CXdTYfs
USEFUL LINKS AND TEMPLATES
- Sample Risk Management Policy (short version) – http://www.risk-academy.ru/en/download/risk management-policy-short/
- Sample Risk Management Policy (extended version) – http://www.risk-academy.ru/en/download/risk management-policy-detailed/
RISK-ACADEMY offers online courses

Informed Risk Taking
Learn 15 practical steps for integrating risk management into decision making, business processes, organizational culture and other activities.

ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.

Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.