An IT risk practitioner ' s report includes a treatment plan and projected risk ratings...

The correct answer isCbecause once corrective actions are implemented, the remaining projected risk becomesresidual risk. Residual risk is the exposure that remains after controls or treatment actions have been applied.

The other options are incorrect:

A. Controlis not a type of risk in this context.

B. Inherentrisk exists before controls are implemented.

D. Compliancerisk is a category of risk, not the remaining level after treatment.

Exact Extracts supporting the answer:

“Residual risk is best reflected as risk remaining after the implementation of new or enhanced controls.”

“The primary objective of a risk management program is to maintain residual risk at an acceptable level.”

“Acceptable risk for an enterprise is achieved when residual risk is within tolerance levels.”

“The risk most likely to be reduced to achieve acceptable risk is residual risk.”

These extracts directly show that once corrective actions are taken, the projected remaining risk isresidual risk.

===========