Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk? 

Answer options:

A. Perform a cost-benefit analysis
B. Recommend additional controls
C. Carry out a risk assessment
D. Defer to business management

B