After a risk has been mitigated, which of the following is the BEST way to help ensure residual risk remains within an organization`s established risk tolerance? 

Answer options:

A. Introduce new risk scenarios to test program effectiveness.
B. Monitor the security environment for changes in risk.
C. Conduct programs to promote user risk awareness.
D. Perform a business impact analysis (BIA).

A