An organization’s risk management strategy is a governance-level artifact that sets direction for how risk is managed across the enterprise. A core requirement in cybersecurity governance frameworks is clear accountability, including executive ownership for risk decisions that affect the whole organization. Assigning an executive responsible for risk management establishes authority to set risk appetite and tolerance, coordinate risk activities across business units, resolve conflicts between competing priorities, and ensure risk decisions are made consistently rather than in isolated silos. This executive role also supports oversight of risk reporting to senior leadership, ensures resources are allocated to address material risks, and drives integration between cybersecurity, privacy, compliance, and operational resilience programs. Without an accountable executive function, risk management often becomes fragmented, with inconsistent scoring, uneven control implementation, and unclear decision rights for accepting or treating risk.
Option A can be part of a strategy, but the question asks what should be addressed, and the most critical foundational element is enterprise accountability and governance. Option B is too granular for a strategy; selecting controls for each IT asset belongs in security architecture, control baselines, and system-level risk assessments. Option C is typically handled in incident response and breach management plans and procedures, which are operational documents derived from strategy but not the strategy itself. Therefore, the best answer is the assignment of an executive responsible for risk management across the organization.
blob:https://chatgpt.com/af9ae31e-1548-4f92-9dac-5758ab0a9a66
