Audit Committee has the responsibility in my opinion... you can take it to the full board, but if AC is done right it can be a "buck stopper".
I would simply word it that open item/finding XYZ issued by federal regulator or auditor has been discussed. The bank management described the risk and AC feels that the risk of XYZ is at a level acceptable to smooth continued operation of the organization.
I would also make sure to develop a REVIEW mechanism for this as risk tolerances and risks themselves change depending on the issue... so make sure that AC circles back every 6 months to review all "accepted risks".
Just my opinion.
Cheers!
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.
MBA Fin/MBS HR
My views only!