Strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.
Sources: NIST SP 800-160 Vol. 2 Rev. 1 (from NIST SP 800-39)