According to the CGEIT certification guide, the best method for determining an enterprise’s current appetite for risk is interviewing senior management. This is because senior management is responsible for setting the risk appetite and tolerance of the enterprise, and for balancing the security and business needs. The risk appetite reflects the amount and type of risk that an organization is willing to take in order to meet their strategic objectives. Interviewing senior management can help to understand their perspectives, expectations, and preferences regarding risk taking1. The other options are less effective than option A, as they do not directly capture the senior management’s input or risk-based decision making. References := CGEIT certification guide, domain 3: Risk Optimization, section 3.1: Risk Governance, page 87.