The correct answer is B. A risk management policy should clearly define the organization's risk appetite. ISO 31000:2018 states that the risk management policy is a key document through which top management expresses its commitment, direction, and expectations regarding risk management. One of the essential elements of this policy is a clear articulation of the organization's risk appetite, which defines the type and level of risk the organization is willing to accept in pursuit of its objectives.
Defining risk appetite within the policy supports consistent decision-making, aligns risk-taking with strategic objectives, and guides managers and employees in managing uncertainty. ISO 31000 emphasizes that risk management should be integrated into governance and strategy, and a clearly defined risk appetite ensures this alignment across all levels of the organization.
Option A is incorrect because ISO 31000 explicitly encourages alignment between the risk management policy and other internal policies, such as strategy, quality, sustainability, and compliance policies. Option C is incorrect because ISO 31000 requires the risk management framework and its components, including the policy, to be continually improved and reviewed regularly, not only when the internal context changes. Option D is incorrect because the policy is a foundational element that guides the entire risk management process, including risk identification.
From a PECB ISO 31000 Lead Risk Manager perspective, a well-defined risk management policy with a clear risk appetite is essential for effective and consistent risk management. Therefore, option B is correct.