In relation to Business Continuity (BC), risk mitigation should focus on:

BC risk mitigation is prioritised so that effort and investment reduce risk where it matters most—i.e., where risk exceeds the organization’s tolerance. In the BCI approach, the Risk Assessment is used to analyse relevant risks to prioritised activities and identify concentrations of risk or points of failure. Those findings then inform Solutions Design decisions, where mitigations are selected to reduce exposure so recovery requirements can be met. If a risk is already acceptable, it may be monitored but does not necessarily require mitigation, because resources should be directed to the risks that threaten priority delivery and could prevent meeting targets like RTO and minimum acceptable capacity.

Option B (“all threats”) is unrealistic and not risk-based; it spreads resources too thin and often results in controls that don’t materially improve resilience. Option D (“selected risks”) is too vague unless “selected” is defined by a risk evaluation step; the correct focus is specifically unacceptable risk—risks that, if realised, would create impacts beyond what the organization will tolerate. Therefore, the best answer is C.