Which activity focuses on setting acceptable levels of risk for operational processes?

Risk management involves setting acceptable levels of risk for operational processes. It starts by identifying what could go wrong in day-to-day operations, assessing how likely each risk is and the potential impact, and then determining how much risk is tolerable. This leads to deciding which controls to implement, which mitigations to accept, and how to monitor risk over time so operations stay within an agreed risk appetite. The goal is to balance protection with practicality, ensuring resources are focused on the most significant threats while keeping processes functional and efficient. Change management deals with planning and implementing changes to processes or systems; data governance focuses on policies and standards for data quality, stewardship, and access; incident handling covers how to respond and recover after a security incident. So, the activity that concentrates on defining acceptable risk levels for operations is risk management.