All risk management activities are PRIMARILY designed to reduce impacts to:
A.
a level defined by the security manager.
B.
an acceptable level based on organizational risk tolerance.
C.
a minimum level consistent with regulatory requirements.
D.
the minimum level possible.
Explanation:
The aim of risk management is to reduce impacts to an acceptable level. “Acceptable” or
“reasonable” are relative terms that can vary based on environment and circumstances. A
minimum level that is consistent with regulatory requirements may not be consistent with business
objectives, and regulators typically do not assign risk levels. The minimum level possible may not
be aligned with business requirements.