Key Takeaways
A risk management policy is the board-approved document that defines why the organization manages risk, who owns it, how the process works, and what authority levels apply. The policy sits above procedures, standards, and guidelines in the governance hierarchy and provides the mandate for all risk management activities.
A complete risk management policy contains 12 sections: purpose, scope, definitions, risk management principles, governance structure, roles and responsibilities (RACI), risk appetite and tolerance, risk management process, risk categories, reporting and escalation, policy review cycle, and related documents.
ISO 31000:2018 Clause 5.2 explicitly requires organizations to establish a risk management policy as part of the framework component. The policy should express the organization’s commitment to risk management, assign accountability, allocate resources, and describe how conflicts of interest are managed.
The risk management policy is not the risk management plan. The policy states what must happen and who is accountable. The plan describes how the process will be executed, with timelines, budgets, and specific activities. The policy is approved by the board. The plan is approved by management.
Only 26% of organizations have strong cross-functional collaboration on risk with a holistic view (KPMG, 2025). A well-structured risk management policy addresses this gap by defining governance structures, escalation pathways, and reporting requirements that connect every function to the enterprise risk framework.
Risk appetite and tolerance must be defined in the policy, not left to operational interpretation. The policy sets the enterprise-level appetite statement. Risk tolerance translates appetite into measurable boundaries for each risk category. KRI thresholds operationalize tolerance into real-time monitoring triggers.
A 90-day roadmap takes the organization from no formal policy to a board-approved risk management policy with governance structure, RACI matrix, and quarterly review cycle.

Every enterprise risk management program starts with one document: the risk management policy.

This is the board-approved mandate that establishes why the organization manages risk, who is accountable for doing so, and what processes and governance structures will be used. Without a formal policy, risk management becomes an ad hoc collection of activities that vary by department, lack executive authority, and cannot be sustained when leadership changes.

ISO 31000:2018 explicitly requires a risk management policy as part of the framework design (Clause 5.2).

The COSO ERM framework positions governance and culture as the first component, which includes establishing risk management oversight, operating structures, and the desired risk culture.

Both standards converge on the same point: the policy is the governance foundation on which all risk activities are built.

The challenge is that most organizations either lack a formal risk management policy entirely, or have a generic one-page statement that provides no operational guidance. Only 26% of organizations have strong cross-functional collaboration on risk with a holistic view (KPMG, 2025).

This guide provides the 12 sections every risk management policy needs, a governance RACI matrix, sample policy language aligned to ISO 31000 and COSO ERM, and a 90-day rollout roadmap.

Risk Management Policy vs. Plan vs. Framework

Before building the policy, practitioners must understand where the policy sits in the governance hierarchy. Confusion between policy, plan, framework, and procedure causes duplication, gaps, and accountability failures. The table below clarifies each document’s role.

| Document | Purpose | Approved By | Reviewed | Standards Reference |
| --- | --- | --- | --- | --- |
| Risk Management Policy | Defines why the organization manages risk, who is accountable, what principles guide the approach, and what authority levels apply. Sets the risk appetite. Mandates the governance structure. | Board of directors or governing body | Annually or when strategy changes | ISO 31000:2018 Clause 5.2. COSO ERM Principle 1 (Board Risk Oversight). |
| Risk Management Framework | Describes the structure for designing, implementing, monitoring, and continually improving risk management. Includes the policy, but also covers integration with organizational processes, leadership commitment, and resource allocation. | Board of directors or governing body | Annually | ISO 31000:2018 Clause 5 (Framework). COSO ERM Component 1 (Governance and Culture). |
| Risk Management Plan | Describes how the risk management process will be executed: specific activities, timelines, budgets, resources, tools, and methodologies. Translates the policy into operational action. | Senior management (CRO or executive committee) | Semi-annually or per project cycle | ISO 31000:2018 Clause 6.1 (Design). COSO ERM Principle 10 (Identifies Risk). |
| Risk Management Procedures | Step-by-step instructions for executing specific risk management activities (e.g., how to conduct a risk assessment, how to complete a risk register entry, how to escalate a risk breach). | CRO or Head of Risk Management | Annually or when processes change | ISO 31000:2018 Clause 6 (Process). IIA Standards (for audit-related procedures). |
| Risk Management Standards | Technical specifications for consistent execution (e.g., the organization’s 5×5 risk scoring matrix, likelihood and impact definitions, KRI threshold specifications). | CRO or Head of Risk Management | Annually | ISO 31000:2018 Clause 6.4 (Risk Assessment). IEC 31010 (Risk Assessment Techniques). |

The hierarchy flows from policy (highest authority, least detail) to procedures (lowest authority, most detail).

The policy states: “All risks scoring above the risk appetite threshold must be escalated to the risk committee within 48 hours.”

The procedure specifies: “Open the risk register in the GRC tool, change the status to ‘Breach,’ complete the escalation form (Appendix C), and email it to the Risk Committee Chair at [address].” Both documents are necessary. Neither replaces the other.

The 12 Sections of a Risk Management Policy

A complete risk management policy contains 12 sections that collectively define governance, process, accountability, and review. The table below provides the section name, purpose, and the key content each section must include.

| # | Section | Purpose | Key Content to Include |
| --- | --- | --- | --- |
| 1 | Purpose and Objectives | States why the policy exists and what outcomes the organization expects from risk management. | Link risk management to strategic objectives. State that the policy establishes the mandate, principles, and governance for managing risk across the enterprise. Reference ISO 31000:2018 and/or COSO ERM as the guiding standards. |
| 2 | Scope | Defines what the policy covers: which entities, risk categories, activities, and geographies are included. | All business units, subsidiaries, and joint ventures. All risk categories (strategic, operational, financial, compliance, cyber, ESG). All employees, contractors, and third parties acting on behalf of the organization. |
| 3 | Definitions | Provides a common risk vocabulary. Eliminates ambiguity in how terms are used across the organization. | Define: risk, risk management, risk appetite, risk tolerance, risk owner, inherent risk, residual risk, control, KRI, risk event, impact, likelihood, risk register, risk treatment. Use ISO 31000 definitions as the baseline. |
| 4 | Risk Management Principles | Articulates the principles that guide how the organization approaches risk. Sets behavioral expectations. | Align to ISO 31000’s eight principles: integrated, structured, customized, inclusive, dynamic, best available information, human and cultural factors, continual improvement. Add organization-specific principles where relevant. |
| 5 | Governance Structure | Defines the risk governance architecture: committees, reporting lines, and decision authority. | Board risk committee (or equivalent). Executive risk committee. CRO reporting line. Three lines model roles. Risk committee meeting frequency and quorum requirements. |
| 6 | Roles and Responsibilities | Assigns accountability for specific risk management activities using the RACI model. | Board: approve policy, approve risk appetite, oversee ERM. CRO: design and operate the framework. Business unit heads: own and manage risks. All staff: identify and report risks. Internal audit: provide independent assurance. |
| 7 | Risk Appetite and Tolerance | Defines how much risk the organization is willing to accept in pursuit of its objectives. | Enterprise-level risk appetite statement. Risk appetite by category (strategic, operational, financial, compliance). Tolerance thresholds for each category. KRI triggers that operationalize tolerance boundaries. |
| 8 | Risk Management Process | Describes the end-to-end process the organization follows to manage risk. | Six-step process aligned to ISO 31000: establish context, identify risks, analyze risks, evaluate risks, treat risks, monitor and review. Specify methods (workshops, RCSA, scenario analysis, Monte Carlo) and tools (risk register, GRC platform, dashboards). |
| 9 | Risk Categories | Defines the taxonomy of risks the organization faces. Provides a structured classification for the risk register. | Strategic risk. Operational risk. Financial risk. Compliance and regulatory risk. Cyber and technology risk. ESG and sustainability risk. People and culture risk. Third-party and supply chain risk. Add sector-specific categories as needed. |
| 10 | Reporting and Escalation | Defines what is reported, to whom, how often, and under what conditions immediate escalation is triggered. | Monthly operational risk reports to management. Quarterly board risk reports (heat map + narrative + decisions). Immediate escalation triggers (risk appetite breach, material loss event, regulatory finding, critical incident). Escalation pathway with timeframes. |
| 11 | Policy Review and Maintenance | Specifies how often the policy is reviewed and what triggers an interim review. | Annual review by the CRO. Board re-approval annually. Interim review triggered by: major organizational change, regulatory change, significant risk event, strategy change, M&A activity. |
| 12 | Related Documents | Lists the documents that support and extend the policy. | Risk management framework. Risk management plan. Risk appetite statement (if separate). Risk register template. Business continuity policy. Information security policy. Compliance policy. Internal audit charter. |

Governance Structure and RACI Matrix

Section 6 of the policy (Roles and Responsibilities) is where most organizations fail. Vague language like “management is responsible for risk” does not create accountability. The three lines model provides the governance architecture.

The RACI matrix below translates the model into specific accountability assignments for each major risk management activity.

Risk Management RACI Matrix

| Activity | Board | CRO / Risk Function | Business Unit Heads | All Staff | Compliance | Internal Audit | External Audit |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Approve risk management policy | A | R | C | I | C | C | I |
| Approve risk appetite statement | A | R | C | I | C | C | I |
| Design the risk management framework | I | A/R | C | I | C | C | |
| Identify and assess risks | I | C | A/R | R | C | C | |
| Own and treat operational risks | I | C | A/R | R | C | I | |
| Monitor KRIs and report breaches | I | A/R | R | R | R | I | |
| Produce quarterly board risk report | A | R | C | I | C | I | |
| Conduct risk management training | I | A/R | R | R | C | I | |
| Perform RCSA (Risk Control Self-Assessment) | I | R | A/R | R | C | C | |
| Provide independent assurance over ERM | A | C | C | I | C | A/R | |
| Conduct external audit of risk disclosures | A | C | C | I | C | C | A/R |
| Review and update the policy annually | A | R | C | I | C | C | I |

Legend: A = Accountable (single owner, approves the output). R = Responsible (does the work). C = Consulted (provides input before the decision). I = Informed (notified after the decision).

The RACI matrix should be attached as an appendix to the risk management policy and referenced in the roles and responsibilities section.

Defining Risk Appetite and Tolerance in the Policy

The risk appetite statement is either embedded in Section 7 of the policy or published as a companion document that the policy references.

Either approach works, provided the board approves the appetite and the policy mandates compliance. The table below shows how appetite translates from enterprise level to operational thresholds.

| Risk Category | Enterprise Appetite (Board Level) | Tolerance Threshold (Management Level) | KRI Trigger (Operational Level) | Escalation Action |
| --- | --- | --- | --- | --- |
| Strategic Risk | Moderate appetite for strategic growth risk. No appetite for risks that threaten organizational viability. | Maximum 15% deviation from strategic plan milestones before escalation. | Strategic initiative progress tracker: Amber at 10% deviation. Red at 15% deviation. | Amber: CRO reviews with business unit head. Red: Escalate to executive risk committee within 48 hours. |
| Operational Risk | Low appetite for operational failures that disrupt service delivery. Accept minor process inefficiencies. | Maximum $5M annual operational loss. Service uptime minimum 99.5%. | Monthly operational loss: Amber at $3M. Red at $5M. System uptime: Amber at 99.7%. Red at 99.5%. | Amber: Risk function investigates root cause. Red: Escalate to executive risk committee. Mandatory corrective action plan within 14 days. |
| Financial Risk | Low appetite for financial reporting errors. Zero appetite for fraud. | Maximum 2% variance in financial statement line items. Zero tolerance for fraud of any value. | Reconciliation exception rate: Amber at 1.5%. Red at 2%. Fraud incidents: Any confirmed fraud triggers immediate escalation. | Amber: CFO review. Red: Board audit committee notification within 24 hours. Fraud: Immediate investigation and board notification. |
| Compliance Risk | Zero appetite for material regulatory breaches. Low appetite for minor compliance deviations. | Zero material regulatory findings. Maximum 3 minor compliance findings per quarter. | Open regulatory findings: Amber at 2 minor findings. Red at 3+ or any material finding. | Amber: Compliance officer escalates to CRO. Red: Executive risk committee and board audit committee. |
| Cyber Risk | Low appetite for data breaches affecting customer data. Zero appetite for breaches involving regulated data. | Maximum 1 significant cyber incident per year (non-regulated data). Zero breaches of regulated data. | Failed penetration test findings: Amber at 3 critical. Red at 5+. Mean time to patch critical vulnerabilities: Amber at >7 days. Red at >14 days. | Amber: CISO escalates to CRO. Red: Executive risk committee. Regulated data breach: Board notification and regulatory reporting within 72 hours. |
| ESG / Sustainability Risk | Moderate appetite for transition risk. Zero appetite for environmental compliance violations. | Scope 1+2 emissions within 5% of annual target. Zero environmental regulatory penalties. | Emissions tracking: Amber at 3% above target. Red at 5% above target. Environmental incidents: Any reportable incident triggers escalation. | Amber: Sustainability team reviews with CRO. Red: Executive risk committee. Regulatory violation: Board notification. |

This cascade from appetite to tolerance to KRI thresholds ensures the policy’s intent is operationalized in daily monitoring. Without this cascade, the appetite statement becomes a theoretical document that has no effect on how the organization actually manages risk.
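The following is an added example, not code from the original article, showing how the cascade above can be turned into monitoring logic. The threshold values and escalation wording are taken from the cyber and operational rows of the table (plus the zero-appetite trigger for regulated data breaches); the KRI names, the `KRI` class, the `evaluate` and `escalations` functions, and the sample readings are constructed for this illustration. It handles the two details that most often go wrong in practice: KRIs where a lower reading is worse (uptime), and thresholds the table phrases as "greater than" (patch time) rather than "at or above".

```python
"""KRI evaluation for the appetite -> tolerance -> KRI cascade.

Added example; not code from the original article. Threshold values and
escalation wording come from the article's cascade table. KRI names, the
KRI class, evaluate/escalations and the sample readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KRI:
    name: str
    red: float
    amber: Optional[float] = None      # None = no amber band (zero-appetite trigger)
    higher_is_worse: bool = True       # False for metrics such as uptime
    inclusive: bool = True             # True: breached at the value; False: only beyond it
    amber_action: str = ""
    red_action: str = ""

    def __post_init__(self) -> None:
        # Configuration check: the amber band must sit before the red band,
        # otherwise a reading could never be reported as amber.
        if self.amber is not None:
            ordered = self.amber < self.red if self.higher_is_worse else self.amber > self.red
            if not ordered:
                raise ValueError(f"{self.name}: amber threshold must precede red threshold")

    def _breached(self, value: float, threshold: float) -> bool:
        if self.higher_is_worse:
            return value >= threshold if self.inclusive else value > threshold
        return value <= threshold if self.inclusive else value < threshold

    def status(self, value: float) -> str:
        """Return GREEN, AMBER or RED for one observed value."""
        if self._breached(value, self.red):
            return "RED"
        if self.amber is not None and self._breached(value, self.amber):
            return "AMBER"
        return "GREEN"

    def action(self, value: float) -> str:
        return {"RED": self.red_action, "AMBER": self.amber_action}.get(
            self.status(value), "Within tolerance: continue monitoring")


# Thresholds from the article's cascade table; the KRI names are constructed labels.
CASCADE: List[KRI] = [
    KRI("Mean time to patch critical vulnerabilities (days)", red=14, amber=7,
        inclusive=False,  # the table says ">7 days" and ">14 days"
        amber_action="CISO escalates to CRO",
        red_action="Executive risk committee"),
    KRI("Critical findings from failed penetration tests", red=5, amber=3,
        amber_action="CISO escalates to CRO",
        red_action="Executive risk committee"),
    KRI("System uptime (%)", red=99.5, amber=99.7, higher_is_worse=False,
        amber_action="Risk function investigates root cause",
        red_action="Executive risk committee; corrective action plan within 14 days"),
    KRI("Monthly operational loss ($M)", red=5, amber=3,
        amber_action="Risk function investigates root cause",
        red_action="Executive risk committee; corrective action plan within 14 days"),
    KRI("Confirmed breaches of regulated data", red=1,   # zero appetite: any breach is red
        red_action="Board notification and regulatory reporting within 72 hours"),
]
KRI_BY_NAME: Dict[str, KRI] = {k.name: k for k in CASCADE}


def evaluate(readings: Dict[str, float]) -> List[Tuple[str, str, str]]:
    """Map every KRI in the cascade to (name, status, action).

    A missing reading is reported as NO DATA rather than silently skipped: a
    KRI nobody measured cannot show a breach, so the gap itself is reportable.
    """
    rows = []
    for kri in CASCADE:
        if kri.name not in readings:
            rows.append((kri.name, "NO DATA", "Data gap: KRI owner to supply reading"))
            continue
        value = readings[kri.name]
        rows.append((kri.name, kri.status(value), kri.action(value)))
    return rows


def escalations(readings: Dict[str, float]) -> List[Tuple[str, str, str]]:
    """Only the rows that need someone to act (RED, AMBER or NO DATA), RED first."""
    rank = {"RED": 0, "AMBER": 1, "NO DATA": 2}
    return sorted((r for r in evaluate(readings) if r[1] != "GREEN"),
                  key=lambda r: rank[r[1]])


# Constructed monthly readings for the example (not real data).
SAMPLE_READINGS: Dict[str, float] = {
    "Mean time to patch critical vulnerabilities (days)": 7,    # exactly 7: not beyond ">7"
    "Critical findings from failed penetration tests": 3,       # amber band starts at 3
    "System uptime (%)": 99.62,                                 # below 99.7, above 99.5
    "Monthly operational loss ($M)": 5.4,                       # past the $5M red line
    "Confirmed breaches of regulated data": 0,
}

if __name__ == "__main__":
    for name, status, action in escalations(SAMPLE_READINGS):
        print(f"{status:7} {name}: {action}")
```

Running the block on the sample readings reports the operational loss as RED and the penetration-test findings and uptime as AMBER, each with the escalation action the cascade table assigns; the patch-time reading of exactly 7 days stays GREEN because the table's trigger is "more than 7 days". The `__post_init__` check rejects a KRI whose amber threshold lies beyond its red one, which is the kind of configuration error that silently disables an amber warning in a dashboard.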

Aligning the Policy to ISO 31000 and COSO ERM

| Policy Section | ISO 31000:2018 Reference | COSO ERM 2017 Reference |
| --- | --- | --- |
| 1. Purpose and Objectives | Clause 5.2: The policy should articulate the organization’s commitment to risk management and its purpose within the organization. | Principle 1: Exercises board risk oversight. Principle 3: Defines desired culture. |
| 2. Scope | Clause 5.2: The policy should define the scope and context of risk management activities. | Component 1: Governance and Culture applies to the entire entity. |
| 3. Definitions | Clause 3: Terms and Definitions provides the standard vocabulary (37 terms defined). | The ERM framework appendix defines key terms including risk appetite, risk capacity, and risk profile. |
| 4. Principles | Clause 4: Eight principles of risk management (integrated, structured, customized, inclusive, dynamic, best available information, human/cultural factors, continual improvement). | Principles 1-5 (Governance and Culture): Board oversight, operating structures, desired culture, core values, capable individuals. |
| 5. Governance Structure | Clause 5.4.1: Integration requires identifying accountability and authority for risk management. | Principle 2: Establishes operating structures. IIA Three Lines Model for governance architecture. |
| 6. Roles and Responsibilities | Clause 5.4.1: The framework should assign roles, authorities, responsibilities, and accountability. | Principle 2: Operating structures. Principle 5: Attracts, develops, and retains capable individuals. |
| 7. Risk Appetite and Tolerance | Clause 6.3.4: Risk evaluation criteria should be aligned with the organization’s objectives and context. | Principle 7: Defines risk appetite. Core concept connecting all five COSO ERM components. |
| 8. Risk Management Process | Clause 6: The six-step process (scope, context, criteria; risk assessment; risk treatment; recording and reporting; monitoring and review; communication and consultation). | Principles 10-14 (Performance): Identifies risk, assesses severity, prioritizes risks, implements risk responses, develops portfolio view. |
| 9. Risk Categories | Clause 6.4.2: Risk identification should consider sources of risk, areas of impact, events, their causes and potential consequences. | Principle 10: Identifies risk. The framework recognizes strategic, operational, reporting, and compliance risk categories. |
| 10. Reporting and Escalation | Clause 6.7: Recording and reporting. Clause 5.6: Communication and consultation. | Principles 18-20 (Information, Communication, and Reporting): Leverages information and technology. Communicates risk information. Reports on risk, culture, and performance. |
| 11. Policy Review | Clause 5.7: Continual improvement of the framework. | Principle 17: Pursues improvement in ERM. |
| 12. Related Documents | Clause 5: The framework component covers the broader set of risk management documents. | The ERM framework references the risk appetite statement, risk register, and board risk reports as key outputs. |

The Risk Management Process (Section 8 Detail)

Section 8 of the policy defines the risk management process. The policy should describe the process steps at a high level and reference the procedures that provide detailed instructions.

The table below maps the ISO 31000 process steps to the policy language and the tools used at each stage.

| Process Step | Policy Language (What to Include) | Tools and Methods | Output |
| --- | --- | --- | --- |
| 1. Scope, Context, and Criteria | The organization shall establish the external and internal context for risk management, define the scope of activities to be covered, and set the risk criteria (including risk appetite and tolerance) against which risks will be evaluated. | PESTEL analysis. Stakeholder mapping. Industry benchmarking. Regulatory scan. | Context document. Risk criteria definitions. Updated risk appetite thresholds. |
| 2. Risk Identification | The organization shall systematically identify risks that could affect the achievement of its strategic and operational objectives. Risk identification shall be inclusive, structured, and based on the best available information. | Risk workshops. RCSA (Risk Control Self-Assessment). Scenario analysis. Incident data review. Emerging risk scan. Bow-tie analysis. | Populated risk register with descriptions, causes, consequences, and current controls. |
| 3. Risk Analysis | The organization shall analyze each identified risk to understand its nature, sources, likelihood, and potential consequences, considering existing controls. | Qualitative: 5×5 likelihood-impact matrix. Quantitative: Monte Carlo simulation, sensitivity analysis, scenario modeling. Bow-tie with control effectiveness ratings. | Scored risk register (inherent and residual risk). Quantitative risk profiles for top-tier risks. |
| 4. Risk Evaluation | The organization shall compare risk analysis results against the risk criteria (appetite and tolerance) to determine which risks require treatment and their priority. | Risk appetite overlay on heat map. Prioritization matrix. Risk-reward analysis for strategic risks. | Prioritized risk list. Risks classified as: within appetite (accept/monitor), approaching tolerance (watch), above tolerance (treat immediately). |
| 5. Risk Treatment | The organization shall select and implement risk treatments that modify the likelihood or consequence of each risk, bringing residual risk within appetite. Treatment options include: avoid, reduce, share/transfer, or accept. | Treatment action plans. Cost-benefit analysis of treatment options. Insurance and hedging for risk transfer. Control design and implementation. | Treatment action plans with owners, budgets, timelines, and success criteria. Updated risk register with planned residual risk. |
| 6. Monitor, Review, and Report | The organization shall continuously monitor risks, controls, and treatment effectiveness. KRIs shall be tracked against thresholds. Risk reports shall be produced per the reporting schedule defined in Section 10. | KRI dashboards. Control testing schedules. Incident tracking. Quarterly risk reviews. Annual comprehensive risk assessment. | Monthly KRI reports. Quarterly management risk reports. Quarterly board risk reports. Annual risk assessment report. |

The process step descriptions above should appear in the policy at a summary level. Detailed instructions (how to facilitate a risk workshop, how to score a risk using the 5×5 matrix, how to complete the risk register) belong in the risk management procedures, which the policy references but does not replicate.

This separation ensures the policy remains stable (annual review cycle) while procedures can be updated more frequently as tools and methods evolve.

90-Day Implementation Roadmap

| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1-30: Draft and Consult | Appoint a policy drafting team (CRO, legal, compliance, senior business unit representative). Review ISO 31000 Clause 5.2 and COSO ERM Principles 1-5. Draft the 12 policy sections. Define the risk appetite statement with the executive team. Build the RACI matrix. Consult with internal audit on governance structure. | First draft of the risk management policy (all 12 sections). Draft risk appetite statement. Draft RACI matrix. Stakeholder consultation log. | Draft policy completed. Risk appetite statement reviewed by executive team. RACI matrix aligned to organizational structure. At least 5 stakeholder consultations documented. |
| Days 31-60: Review and Refine | Circulate the draft to the executive risk committee for feedback. Incorporate legal review. Align reporting and escalation requirements with existing governance processes. Validate the risk appetite thresholds with finance (financial risk) and CISO (cyber risk). Test the RACI matrix against recent risk events to confirm accountability is clear. | Revised policy incorporating executive feedback. Legal sign-off. Validated risk appetite thresholds. RACI matrix tested and refined. Supporting procedures identified (to be developed post-policy approval). | Executive risk committee reviews and endorses the draft. Legal confirms compliance with regulatory requirements. Risk appetite thresholds validated with quantitative evidence. |
| Days 61-90: Approve and Launch | Present the policy to the board for approval. Publish the approved policy on the organization’s governance portal. Communicate the policy to all staff with a summary briefing. Launch mandatory risk management awareness training. Begin developing the detailed risk management procedures referenced in the policy. | Board-approved risk management policy. Board meeting minutes documenting approval. Staff communication (email/intranet announcement). Risk management awareness training launched. Procedure development plan and timeline. | Board approves the policy. Policy published and accessible to all staff. Training launched with target >80% completion within 60 days. Procedure development plan approved by CRO with milestones. |

Common Pitfalls and How to Avoid Them

| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Policy is a generic one-page statement with no operational content | Management treated the policy as a compliance checkbox rather than a governance document. Copied a template without customization. | Use the 12-section structure. Customize each section to the organization’s context, industry, and regulatory requirements. Reference specific standards (ISO 31000, COSO ERM) to demonstrate rigor. |
| Risk appetite is absent or stated in qualitative terms only | The board has not defined how much risk the organization is willing to accept, or the appetite is expressed as “moderate” without quantification. | Define appetite by risk category with quantified thresholds. Translate appetite to tolerance to KRI triggers. Include the cascade table in Section 7 of the policy. |
| RACI matrix is missing or uses vague “shared responsibility” language | Nobody is specifically accountable for any risk management activity. When a risk event occurs, there is confusion about who should act. | Build the RACI matrix with exactly one ‘A’ per activity. Present the matrix to the executive team and confirm each assignment. Attach it as an appendix to the policy. |
| Policy approved by the board but unknown to operational staff | The policy was presented to the board for approval but never communicated beyond the risk function. | Publish the policy on the governance portal. Issue a CEO communication. Launch mandatory awareness training. Reference the policy in onboarding materials. |
| Policy references a risk management process but no procedures exist | The policy says “risks shall be identified and assessed” but there are no step-by-step procedures telling staff how to do this. | Develop procedures for each process step within 90 days of policy approval. Include templates (risk register, RCSA form, escalation form). Train risk owners on the procedures. |
| Policy is never reviewed or updated | The policy was approved three years ago. The organization has undergone M&A, regulatory changes, and strategy shifts, but the policy reflects none of these. | Mandate annual review in Section 11. Define interim review triggers (M&A, regulatory change, significant risk event). Assign the CRO as the review owner with a board re-approval requirement. |

Risk management policies are expanding to cover three domains that were previously addressed in separate governance documents. AI governance is the first.

Organizations deploying AI models, from chatbots to credit scoring algorithms, need policy language that assigns accountability for model risk, data governance, bias monitoring, and shadow AI controls.

The EU AI Act and the NIST AI Risk Management Framework provide the regulatory backdrop that drives policy updates.

ESG risk governance is the second expansion area. Mandatory climate and sustainability disclosures under the ISSB standards, the EU Corporate Sustainability Reporting Directive (CSRD), and emerging SEC requirements mean that risk management policies must explicitly include ESG risk categories, define ESG-specific appetite thresholds, and mandate integrated ESG-financial risk reporting.

KRIs for ESG and sustainability are becoming standard additions to the policy’s monitoring and reporting sections.

Operational resilience is the third trend. Regulatory frameworks like the EU Digital Operational Resilience Act (DORA), the Bank of England’s operational resilience requirements, and APRA CPS 230 in Australia are pushing organizations to embed resilience outcomes into their risk management policies.

The policy must now define impact tolerances for important business services, require scenario testing, and mandate business continuity planning as an integral part of the risk management framework rather than a standalone program.

The organizations that update their risk management policies to incorporate these three domains will be better positioned to satisfy regulators, protect stakeholders, and manage the risks that define the next decade.

Ready to build your risk management policy? Visit riskpublishing.com to access risk management framework guides, risk appetite statement templates, and risk register templates. Need a tailored policy drafting engagement? Contact our consulting team to design an ISO 31000-aligned risk management policy that fits your governance structure and regulatory environment.

References

1. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization

2. COSO ERM: Integrating with Strategy and Performance (2017) — Committee of Sponsoring Organizations

3. ISO 31000 Risk Management Framework Guide — Protecht Group

4. ISO 31000 Framework Explained — MetricStream

5. ISO 31000 Risk Management Principles and Guidelines — PECB

6. The Basics of ISO 31000 Risk Management — Riskonnect

7. BSI ISO 31000 Risk Management Guidelines — British Standards Institution

8. ISO 31000 Standard: Risk Management — Risk Engineering (academic reference)

9. ISO 31000 Wikipedia Overview — Wikipedia (timeline and adoption data)

10. BPA Enterprise Risk Management Policy (2025) — Bonneville Power Administration

11. IIA Three Lines Model — Institute of Internal Auditors

12. The State of Enterprise Risk Management, 2025 — Forrester Research

13. 2025 KPMG Risk and Resilience Survey — KPMG International

14. What Is ISO 31000 Standard and Its Purpose?
