The word “policy” only appears in ISO 14971 seven times, but the last occurrence provides the best explanation: In fact, there is not even a clause of the international risk management standard dedicated to the requirement for a risk management policy. There is no guidance for a risk management policy in either of the European device regulations for CE Marking, and there is no guidance in the US FDA’s regulations. ISO 14971:2019 includes a requirement for a risk management policy and a risk management procedure. Both of these words begin with the letter “p,” but they are not the same. The word procedure is defined (Clause 3.13) as a “specified way to carry out an activity or a process,” but there is no definition for policy.
Your risk management procedure is not your risk management policy

ISO 14971:2019 includes a requirement for top management to define and document a risk management policy, but do you have one?