Which document outlines the organization’s approach to risk management?

A Risk Management Policy serves as a foundational document that articulates an organization's approach to managing risk. It outlines the principles, procedures, and responsibilities for identifying, assessing, managing, and mitigating risks. This policy is essential because it establishes a systematic approach to risk management, ensuring that risks are consistently evaluated and addressed across the organization.

In contrast, while a Security Control Framework describes the specific security measures an organization implements to protect its assets and manage risks, it does not provide the overarching strategy or approach that the risk management policy encompasses. A Risk Assessment Checklist is a tool used within the risk assessment process to identify and evaluate risks, but it does not define the organization's broader risk management philosophy. A Compliance Audit Report evaluates whether an organization adheres to regulatory requirements and standards; however, it is not focused on outlining the organization's proactive risk management strategies. Thus, the Risk Management Policy is the comprehensive document that encapsulates how risks are managed at an organizational level.