Outline a typical risk governance structure with board, risk committee, and management roles.

• A. The board sets risk policy and appetite; risk committee oversees framework; management implements controls and reports to the committee.
• B. The board handles daily risk decisions; risk committee approves budgets.
• C. Management sets policy; the board approves operational risk limits.
• D. The risk committee has no role in governance.

Answer: (A)

Risk governance rests on assigning clear roles across three levels: the board, the risk committee, and management. The board sets the direction by approving the risk policy and the risk appetite, establishing the boundaries within which risks are taken and ensuring alignment with the organization’s objectives. The risk committee provides independent oversight of the risk management framework, continuously monitoring risk exposures, reviewing risk reporting, and challenging management to ensure the framework remains effective and aligned with policy and appetite. Management is responsible for implementing controls, conducting risk assessments, operating day-to-day risk processes, and reporting risk information to the risk committee and the board so they can stay informed and take any necessary actions.

This separation of duties matters because it preserves accountability: the board approves the overarching stance on risk, the risk committee monitors and questions how that stance is applied, and management carries out the operational work within those boundaries. The other options blur responsibilities—for example, daily risk decisions being handled by the board, or management setting policy—leading to a lack of clear accountability and weaker risk governance.