is incorrect. Residual risk is not an output of risk response. Residual risk is the risk that remains after controls have been applied. It is not feasible to eliminate all risk from an organization; instead, measures are taken to reduce risk to an acceptable level, and the risk that is left is residual risk. Since Risk = Threat × Vulnerability and Total Risk = Threat × Vulnerability × Asset Value, residual risk can be calculated with the following formula: Residual Risk = Total Risk - Controls. Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted, and they decide which controls to implement; any loss resulting from their decisions falls on them. Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise: the effect and frequency are reassessed and the impact is recalculated. Answer: A is incorrect. Risk priority number is not an output of risk response; it is determined before the response is applied. Hence it acts as one of the inputs to risk response and is not an output of it.
CRISC Exam Question 547
Which of the following guidelines should be followed for effective risk management? Each correct answer represents a complete solution. Choose three.
Correct Answer: B,C,D,E
is incorrect. For effective risk management there should be continuous improvement, not merely consistent improvement. Because of the dynamic nature of risk, risk management is an iterative, perpetual and ongoing process, which is why continuous improvement is required.
CRISC Exam Question 548
Which of the following controls focuses on operational efficiency in a functional area while adhering to management policies?
Correct Answer: C
is incorrect. It focuses on day-to-day operations, functions, and activities. It also ensures that all the organization's objectives are being accomplished.
CRISC Exam Question 549
The PRIMARY purpose of vulnerability assessments is to:
Correct Answer: C
CRISC Exam Question 550
When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?