Comprehensive and Detailed Explanation:
The CGEIT Review Manual, 8th Edition, in its Risk Optimization domain, stresses the importance of clearly defined roles and responsibilities for effective IT risk management. Establishing those roles and responsibilities at the senior management level ensures accountability, strategic oversight, and integration of risk management into enterprise decision-making. For example, a chief risk officer might own IT risk policies and report risk posture to the board. This aligns with COBIT 2019's EDM03 (Ensured Risk Optimization), which places accountability for risk optimization at the governance and senior management level.
Option A: The audit committee provides independent oversight of controls and compliance; it does not manage IT risk directly.
Option C: Outsourcing low-level risks is a tactical treatment decision and does not establish enterprise-wide risk management.
Option D: The project sponsor and project manager are accountable for project-level risk, not enterprise-wide risk management.
Double Verification: The answer aligns with COBIT 2019 EDM03 and the CGEIT domain's focus on risk governance. Senior-level roles and accountability are central to ISACA's risk management framework.
ISACA, CGEIT Review Manual, 8th Edition, Domain 4: Risk Optimization (risk governance).
ISACA, COBIT 2019, EDM03 Ensured Risk Optimization.
ISACA Glossary (definitions of risk management roles), https://www.isaca.org/resources/glossary.