Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.

There are no PSGs published for this topic; however, the topic is under review for future PSGs