A risk management program would be expected to:
A.
remove all inherent risk.
B.
maintain residual risk at an acceptable level.
C.
implement preventive controls for every threat.
D.
reduce control risk to zero.
Explanation:
The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a component of the program but is unlikely to be reduced to zero.
I choose B