The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B). This is because:
A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled12.
A project change management process helps to ensure that the changes are aligned with the project objectives, stakeholders' expectations, and business needs12.
Adding a new system functionality during the development phase without following a project change management process can introduce risks such as:
The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework3.
The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction3.
The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability3.
However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:
The new functionality may not be compatible with the existing system or other components3.
The new functionality may not be tested or verified for quality, performance, security, or usability3.
The new functionality may not deliver the expected value or benefits to the users or customers3.
The new functionality may not comply with the regulatory or contractual obligations3.
The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders3.
Therefore, the main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.
References: 1: How to Make a Change Management Plan (Templates Included) - ProjectManager 2: What Is Change Management? Process & Models Explained - ProjectManager 3: 8 Steps for an Effective Change Management Process - Smartsheet

The best way to help management understand the associated risk of missing backup cycles due to operator error and lack of exception management is to explain the impact to disaster recovery. Disaster recovery is the process of restoring normal operations and functions after a disruptive event, such as a natural disaster, a cyberattack, or a hardware failure. Backup cycles are essential for disaster recovery, because they ensure that the organization has copies of its critical data and systems that can be restored in case of data loss or corruption. If backup cycles are missed due to operator error, and these exceptions are not managed, the organization may not have the latest or complete backups available for disaster recovery, which can result in prolonged downtime, reduced productivity, lost revenue, reputational damage, and legal or regulatory penalties. The other options are not as effective as explaining the impact to disaster recovery, because they either do not address the risk of data loss or corruption, or they focus on operational or technical aspects rather than business outcomes. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.1

The greatest concern to an IS auditor reviewing an organization's method to transport sensitive data between offices is that the method relies exclusively on the use of asymmetric encryption algorithms. Asymmetric encryption algorithms, also known as public key encryption, use two different keys for encryption and decryption: a public key that is shared with anyone who wants to communicate with the sender, and a private key that is kept secret by the sender. Asymmetric encryption algorithms are more secure than symmetric encryption algorithms, which use the same key for both encryption and decryption, but they are also slower and more computationally intensive. Therefore, relying exclusively on asymmetric encryption algorithms may not be efficient or practical for transporting large amounts of sensitive data between offices. A better method would be to use a combination of symmetric and asymmetric encryption algorithms, such as using asymmetric encryption to exchange a symmetric key and then using symmetric encryption to encrypt and decrypt the data.
The other options are not as concerning as option C. The method relying exclusively on the use of public key infrastructure (PKI) is not a concern, because PKI is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates that are based on asymmetric encryption algorithms. PKI enables secure and authenticated communication between parties who do not have a prior trust relationship. The method relying exclusively on the use of digital signatures is not a concern, because digital signatures are a way of verifying the authenticity and integrity of a message or document by using asymmetric encryption algorithms. Digital signatures ensure that the sender cannot deny sending the message or document, and that the receiver can detect any tampering or alteration of the message or document. The method relying exclusively on the use of 128-bit encryption is not a concern, because 128-bit encryption is a level of encryption that uses a 128-bit key to encrypt and decrypt data. 128-bit encryption is considered to be strong enough to resist brute-force attacks by modern computers. References: Asymmetric vs Symmetric Encryption: What are differences?, Public Key Infrastructure (PKI), Digital Signature, What is
128-bit Encryption?