Question 9
Domain 1 — Governance and Risk Management Frameworks
Who is ultimately responsible for risk governance in an organization?
Correct answer: B
Explanation
The Board of Directors is ultimately responsible for risk governance because it oversees the organization’s overall direction, accountability, and risk appetite. In governance frameworks, the board sets the tone at the top and ensures management identifies, monitors, and controls major risks.
Why each option is right or wrong
A. Chief Information Security Officer (CISO)
B. Board of Directors
Under the standard corporate governance framework, ultimate oversight of enterprise risk sits with the board under its fiduciary duty to direct and supervise the organization’s affairs; management may implement controls, but it does not own the final governance mandate. In practice, the board approves the risk appetite and monitors material exposures at the highest level, while committees and executives report upward rather than replace that authority.
C. Chief Risk Officer (CRO)
D. Internal Audit function