Who is ultimately responsible for establishing the level of acceptable risk within an organization?


The ultimate responsibility for establishing the level of acceptable risk within an organization lies with senior business management. Senior management sets the organization's strategic direction and, with it, its risk appetite and risk tolerance; it must weigh the organization's objectives, legal and regulatory obligations, and stakeholder expectations when deciding how much risk is acceptable, and it is accountable to the board and stakeholders for that decision.

Other roles, such as the chief information officer (CIO) or the chief security officer (CSO), play critical parts in managing and mitigating information security risk, but their responsibilities are focused on implementing and executing controls within the risk framework and guidelines that senior management has established. They can recommend a risk level, but they do not set it. Quality assurance management addresses quality control and process improvement and holds no primary responsibility for risk management decisions.

Because the accepted risk level must align with the organization's mission and strategic goals, senior management remains the key decision-maker in this area; the CIO, CSO, and quality assurance management act within the boundaries it defines.
