The correct answer isA. By developing and communicating a clear policy that expresses the organization’s objectives and commitment to risk management. ISO 31000:2018 places strong emphasis onleadership and commitmentas a foundational element of the risk management framework. Top management and oversight bodies are expected to demonstrate commitment by establishing direction, ensuring alignment with organizational objectives, and visibly supporting risk management activities.
ISO 31000 explicitly states that leadership commitment should be demonstrated through actions such asissuing a risk management policy, allocating resources, assigning responsibilities, and ensuring integration of risk management into governance and decision-making. A clearly communicated policy provides a common understanding of the organization’s approach to risk, reinforces expectations, and promotes consistent behavior across all levels.
Option B is incorrect because ISO 31000 does not advocate avoiding documentation. While flexibility is important, formal documentation such as policies and frameworks is necessary to ensure clarity, consistency, and accountability. Option C is incorrect because reliance on external experts does not replace leadership responsibility; risk management accountability remains with the organization. Option D is also incorrect, as delegation without leadership involvement contradicts ISO 31000’s emphasis on top management responsibility.
From a PECB ISO 31000 Lead Risk Manager perspective, visible and documented commitment by leadership is essential for embedding risk management into organizational culture and operations. Therefore, option A is correct.
