Which element best describes a formal risk oversight framework?

A formal risk oversight framework is a structured, documented approach to govern risk across the organization. It starts with a defined risk policy that articulates risk appetite and tolerances and assigns accountability for risk management. It then establishes clear responsibilities—who owns each risk, who implements controls, and who supervises them. Ongoing monitoring follows, using tools like a risk register and key risk indicators to track changes in risk, with regular assessments. Finally, it requires formal reporting to the board or a risk committee, including escalation procedures for material risks. This combination creates accountability, consistency, and transparency in how risk is identified, mitigated, and reviewed over time. The other options describe less formal or incomplete arrangements: informal discussions at annual meetings lack sustained governance and accountability; excluding the board or its committees from risk matters removes essential oversight; and placing risk solely on external auditors abdicates management and board responsibility, which doesn't align with fiduciary duties. Therefore, a defined policy with assigned responsibilities, monitoring, and reporting best captures a formal risk oversight framework.