Which option correctly lists the three tiers in Organizational Wide Risk Management?

Multiple Choice

Which option correctly lists the three tiers in Organizational Wide Risk Management?

Explanation:
Organizational Wide Risk Management is understood through a three-tier structure that spans governance down to the technical operating environment. At the top tier, Organization (Governance) sets the strategic direction, risk appetite, policies, and oversight to ensure the entire program aligns with mission goals. The middle tier, Mission/Business Process (Information and Information Flow), translates governance into actual operations, focusing on how missions and core processes manage risk and how information moves through the organization. The bottom tier, Information System (Environment of Operation), concentrates on the security of the systems themselves and their operating context, including the technical controls and system lifecycle.

This mapping matches the described option: Organization (Governance); Mission/Business Process (Information and Information Flow); Information System (Environment of Operation). The other breakdowns don’t capture this three-layer perspective in the same way, either mixing in other domains or using different labels that don’t align with how risk management is structured across governance, process, and system levels.
