Practical ideas: Develop a high-level Risk Management Policy

It is generally considered a good idea to document an organisation’s attitude and commitment to risk management in a high-level document, such as a Risk Management Policy. The policy may describe the general attitude of the company towards risks, risk management principles, roles and responsibilities, risk management infrastructure as well as resources and processes dedicated to risk management. Section 4.3.2 of the ISO31000:2009 also provides guidance on risk management policy.

An article published by Michael Rasmussen back in October 2010 ‘Enterprise Risk Management Policy Structure’ provides an outline of what should be included in a risk management policy and notes that the organisation’s policy should not be “boilerplate.” The policy should reflect the actual activities undertaken by the company and its attitude and approach to managing its material business risks.


Alex has created a short bootcamp designed to help companies implement quantitative risk management. Imagine saving the company so much money that investing in risk management competencies and resources becomes a no brainer for the executives. That's exactly what Alex Sidorenko did at a global $10B chemical company and he has been kind enough to share his top tips and lessons learned with you each week. Sign up now!

Review ISO31000:2009 section 4.3.2

Download a free sample Risk Management Policy from management-policy-detailed/

Adjust the sample Risk Management Policy to reflect organisational maturity and specific details

Validate the policy with the stakeholders

Approve it then publish it on the company website and make it accessible to employees and contractors


What should a typical risk management framework include? Should an organisation develop a single integrated risk management framework document or is there a better way to integrate risk management into business processes and corporate culture?

Alex Sidorenko from RISK-ACADEMY talks about documenting and publishing a risk management policy.


RISK-ACADEMY offers online courses

+ Buy now

Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!

+ Buy now

ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.

+ Buy now

Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.