IT Governance: Managing Risk Effectively

Primary Ongoing Responsibility of IT Governance: Risk Management

Question

Which of the following is the PRIMARY ongoing responsibility of the IT governance function related to risk?

Answers

Explanations

A. B. C. D.

C.

The correct answer is D. Ensuring IT risk management is aligned with business risk appetite.

Explanation: The IT governance function has the primary responsibility to ensure that IT risk management is aligned with business risk appetite. IT risk management is a critical component of an organization's overall risk management framework. The IT governance function must ensure that IT risk management activities are integrated with the organization's risk management policies, procedures, and frameworks.

Option A, responding to and controlling all IT risk events, is not the primary responsibility of the IT governance function related to risk. While the IT governance function may play a role in responding to IT risk events, the primary responsibility for responding to IT risk events lies with the organization's incident response team.

Option B, verifying that all business units have staff skilled at assessing risk, is also not the primary responsibility of the IT governance function related to risk. While the IT governance function may play a role in assessing the skills of staff in business units, the primary responsibility for ensuring that business units have staff skilled at assessing risk lies with the individual business units.

Option C, communicating the enterprise risk management plan, is an important responsibility of the IT governance function, but it is not the primary ongoing responsibility related to risk. Communication of the enterprise risk management plan is an important activity that helps ensure that all stakeholders are aware of the organization's approach to risk management, but it is not the primary responsibility of the IT governance function related to risk.

In summary, the primary ongoing responsibility of the IT governance function related to risk is to ensure that IT risk management is aligned with business risk appetite.