After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?
This aligns with the risk management process.
Why this answer
Option C is correct because the organization must decide to either accept (with authorization) or further treat the risk. Option A is wrong because ignoring is not acceptable. Option B is wrong because lowering tolerance without justification is not appropriate.
Option D is wrong because re-assessment alone does not resolve the issue.