Certified in Risk and Information Systems Control (CRISC) Practice Test

The aspect of management responsible for setting the organization's risk appetite is executive management. This level of management is tasked with overseeing the overall strategic direction of the organization, which includes making critical decisions regarding the level of risk that is acceptable in pursuit of its objectives.

Executive management considers various factors, such as the organization's goals, market conditions, regulatory requirements, and stakeholder expectations, to determine an appropriate risk appetite. This strategic decision is essential, as it guides the entire organization in its risk management efforts, influences policy development, and shapes the operational risk landscape.

Other management levels, such as middle management, first-line management, or project management, typically have roles focused on implementing strategies, managing teams, or overseeing specific projects. While they may provide input on risk management practices and help to communicate the established risk appetite throughout the organization, they do not set the risk appetite themselves.