Which committee is best suited to determine an enterprise's risk appetite?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

The steering committee is ideally positioned to determine an enterprise's risk appetite because it typically comprises senior management and stakeholders who have a comprehensive understanding of the organization's objectives, resources, and strategic direction. This committee is responsible for aligning projects and initiatives with the overall goals of the organization.

By involving various functions and perspectives, the steering committee can evaluate the risks associated with potential business decisions and their alignment with the organization's risk tolerance. Its members consider factors such as the business environment, stakeholder expectations, and regulatory requirements, which are critical to defining acceptable risk levels.

In contrast, the other options tend to have more specific functions:

  • The chief legal officer focuses on legal compliance and risk associated with legal liabilities rather than the broader strategic perspective.

  • Security management is primarily concerned with protecting information assets and may not have the holistic view needed to assess the enterprise risk appetite fully.

  • The audit committee's main focus is on oversight of the financial reporting process and internal controls, which, while important, does not encompass the broad risk strategies associated with overall risk appetite.

The steering committee's strategic role and its collaborative nature make it the most suitable body for determining the organization's risk appetite.
