Risk treatment decisions are driven by two factors: whether the residual risk falls within or outside the defined tolerance, and the criticality of the affected function. When both conditions are met (residual risk within tolerance, and only non-critical functions affected), formal risk acceptance is the appropriate and proportionate treatment.
Why A is Correct: According to ISACA AAIR risk treatment guidance, documented formal risk acceptance is the appropriate response when residual risk is within defined tolerance for non-critical functions. Risk acceptance acknowledges the identified exposure, records the organization's conscious decision to accept it, and assigns accountability for that decision to a risk owner with the authority to make it. The accepted risk stays on the risk register and is revisited when circumstances change, for example if the affected function becomes critical or the residual risk drifts toward the tolerance boundary. This proportionate response avoids over-investing in controls for a risk the organization has already determined to be acceptable.
Why B is Wrong: Recommending an increase to tolerance thresholds is governance manipulation rather than risk treatment. Raising a threshold to accommodate an exposure does not reduce the risk; it merely relabels it as acceptable. Tolerance is set through the organization's risk appetite process and should not be adjusted case by case to fit an individual finding; doing so undermines the integrity of risk governance. It is also unnecessary here, because the residual risk is already within tolerance.
Why C is Wrong: Enhancing monitoring to detect deviations is additional control investment, which may be disproportionate for a risk that is already within tolerance and affects only non-critical functions. Enhanced monitoring is better suited to a risk that sits near the tolerance boundary or whose trend indicates a likely future breach.
Why D is Wrong: Periodic vulnerability scanning is a security assurance activity that identifies technical weaknesses. It is an ongoing control measure, not a risk treatment decision, and it does not answer the question posed: how to treat a residual risk that is already within tolerance.