Question 30
Domain 1 — Governance and Risk Management Frameworks
Which body is typically responsible for approving an organization's risk appetite statement?
Correct answer: C
Explanation
The Board of Directors typically approves the risk appetite statement because it sets the organization’s overall tolerance for risk and aligns it with strategic objectives. Governance frameworks assign the board responsibility for overseeing risk management and approving key risk policies, including the risk appetite statement.
Why each option is right or wrong
A. IT Department
Incorrect. The IT department owns and operates technical controls within the limits that management sets, but it neither defines nor approves enterprise-wide risk tolerance; it is a consumer of the risk appetite statement, not its approver.
B. Internal Audit
Incorrect. Internal audit provides independent assurance that risk management operates as the board intended. Approving the risk appetite statement it later audits would compromise that independence, so internal audit assesses adherence to the statement rather than approving it.
C. Board of Directors
Correct. Under standard corporate governance frameworks, approval of the risk appetite statement sits with the Board of Directors because it is a top-level governance document that defines the organization's overall risk tolerance. For example, Principle O of the UK Corporate Governance Code 2018 requires the board to establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives; Provisions 28 and 29 then require the board to carry out a robust assessment of the company's emerging and principal risks and to monitor and review the effectiveness of its risk management and internal control systems. Similarly, the COSO ERM framework places oversight of risk appetite with the board or equivalent governing body. The board's role is therefore to approve the statement, while management implements it within the approved limits.
D. External Auditors
Incorrect. External auditors are independent of the organization and express an opinion on its financial statements (and, where required, on its internal controls). They may review how the organization manages risk, but they have no authority to set or approve its risk appetite.