Which domain addresses risk appetite and third-party risk?


Multiple Choice

Which domain addresses risk appetite and third-party risk?

Explanation:
Understanding risk governance and how risks are managed helps explain where risk appetite and third-party risk fit. The domain that handles the processes for identifying, assessing, responding to, and monitoring risks across the organization—including risks from external vendors and third parties—is risk management. This domain oversees the enterprise risk management framework, which includes defining the risk appetite (the level of risk the organization is willing to accept) and using that appetite to set thresholds and guide risk assessment, prioritization, and response. Third-party risk is a core component of this framework because vendors and external partners can introduce significant cyber and operational risk, so the risk management domain ensures due diligence, ongoing monitoring, contractual controls, and alignment with the organization’s risk appetite. While governance sets the overarching framework, policies, and oversight, the day-to-day management and assessment of risk—especially third-party risk and how risk appetite translates into actions—lie within the risk management domain. The option referring to the auditor’s role isn’t a formal domain, and “none of the above” isn’t accurate given how risk management explicitly covers these areas.

