The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The
documentation shows that a single 24 hours downtime in a critical business function will cost the
business $2.3 million. Additionally, the business unit which depends on the critical business
function has determined that there is a high probability that a threat will materialize based on
historical data. The CIO’s budget does not allow for full system hardware replacement in case of a
catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which
of the following should the CIO recommend to the finance director to minimize financial loss?
A.
The company should mitigate the risk.
B.
The company should transfer the risk.
C.
The company should avoid the risk.
D.
The company should accept the risk.