It is the responsibility of management to determine the level of risk an organization is willing to tolerate. Management sets the strategic direction and risk appetite of the organization based on its goals, resources, and external environment. Other departments like Legal, Operations, and Safety may provide input and support, but ultimately, it is management that makes the final decision regarding risk tolerance.