It is generally considered a good idea to document an organisation’s attitude and commitment to risk management in a high-level document, such as a Risk Management Policy. The policy may describe the general attitude of the company towards risks, risk management principles, roles and responsibilities, risk management infrastructure as well as resources and processes dedicated to risk management. Section 5.2.1 of the ISO31000:2018 also provides guidance on risk management policy.

An article published by Michael Rasmussen back in October 2010 ‘Enterprise Risk Management Policy Structure’ provides an outline of what should be included in a risk management policy and notes that the organisation’s policy should not be “boilerplate.” The policy should reflect the actual activities undertaken by the company and its attitude and approach to managing its material business risks.

Risk management is useful document to communicate with external stakeholders such as banks, investors, auditors, regulators, key customers and suppliers.