The board of directors’ response to identified risk factors is the best indicator of the risk appetite of an organization. The board of directors is the highest governing body of the organization, and it is responsible for setting the strategic direction, objectives, and risk appetite of the organization. The board of directors should also oversee the risk management process, and ensure that the risks are aligned with the organization’s goals and values. The board of directors’ response to identified risk factors reflects how much and what type of risk the organization is willing to pursue, retain, or take in order to achieve its objectives. The regulatory environment, the risk management capability, and the importance assigned to IT are not direct indicators of the risk appetite, although they may influence or constrain it. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.2.1, page 1-8.