After a risk assessment, a company identifies that the residual risk for a critical application is higher than the risk appetite. The risk owner proposes implementing additional controls to reduce the risk further. Which risk treatment option does this represent?
Correct: adding controls to reduce risk.
Why this answer
Implementing additional controls to reduce risk is an example of risk mitigation. Residual risk is the risk remaining after controls are applied; if it still exceeds appetite, further mitigation is needed.