 Role of the Board and Executive Management:

The board of directors and executive management are responsible for setting the overall strategic direction of the organization, including its risk tolerance.

They have the authority and oversight necessary to define the levels of risk that the organization is willing to accept in pursuit of its objectives.

 Defining Risk Tolerance:

Risk tolerance refers to the acceptable level of variation in performance relative to the achievement of objectives. It is essentially the degree of risk the organization is willing to endure.

The board and executive management establish risk tolerance based on the organization ' s strategic goals, capacity to absorb losses, and regulatory requirements.

 Importance of Senior Leadership:

Senior leadership ' s involvement ensures that risk tolerance is aligned with the organization ' s overall strategy and risk appetite.

It provides a top-down approach to risk management, ensuring consistency and alignment across the organization.

 Comparing Other Stakeholders:

IT Compliance and IT Audit:These functions are responsible for monitoring and ensuring adherence to policies but do not set risk tolerance.

Regulators and Shareholders:They influence risk management practices through external pressures but do not define risk tolerance directly.

Enterprise Risk Management (ERM):ERM frameworks support the implementation of risk management but the actual definition of risk tolerance comes from the board and executive management.

 References:

The CRISC Review Manual discusses how senior management, including the board, is responsible for defining risk tolerance and ensuring it aligns with the organization ' s risk appetite (CRISC Review Manual, Chapter 1: Governance, Section 1.10 Risk Appetite, Tolerance, and Capacity) .