The correct answer is A because senior management is the most appropriate role to determine risk appetite and tolerance. These are enterprise-level governance decisions that guide how much risk the organization is willing to accept in pursuit of its objectives. Senior management sets and approves these boundaries in alignment with business strategy.
The other options are less appropriate:
B. Internal auditor provides independent assurance and does not determine appetite or tolerance.
C. Risk owner manages specific risks within the defined appetite and tolerance, but does not set enterprise-wide limits.
D. Business process owner owns risk within a process, but enterprise appetite and tolerance are set at senior management level.
Exact Extracts supporting the answer:
“Senior management is responsible for approving an enterprise’s risk appetite and tolerance related to information security.”
“Management culture and predisposition toward risk taking are most important when considering the risk appetite of an enterprise.”
“Risk tolerance is the permissible deviation from declared risk appetite levels in an enterprise.”
“The board of directors is accountable for overall enterprise strategy for risk governance.”
These extracts directly support that senior management is the most appropriate role to determine risk appetite and tolerance.