A large investment bank has just acquired a smaller regional competitor and is extending its best practices in the field of operational risk to the newly acquired company. As part of this process, management of the new subsidiary is reviewing which responsibilities should be assumed by the board of directors and which should be assumed by senior management. For which of the following should the board of directors be responsible?