During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application. Which of the following should be the information security manager`s FIRST course of action? 

Answer options:

A. Escalate the risk to senior management.
B. Communicate the potential impact to the application owner.
C. Report the risk to the information security steering committee.
D. Determine mitigation options with IT management.

D