Which TWO of the following are valid risk response options?
Implementing controls to reduce risk.
Why this answer
Options A and B are correct because risk mitigation (reduce) and risk acceptance are standard risk responses. Options C and D are wrong because risk amplification and risk neutralization are not standard terms. Option E is wrong because risk retention, although many frameworks use it as a synonym for acceptance, is the less common term; the question expects 'mitigation' and 'acceptance' as the clear options, and retention is not a standard term in COBIT/ISO 31000.