Which of the following should an information security manager perform FIRST when an organization`s residual risk has increased? 

Answer options:

A. Implement security measures to reduce the risk.
B. Communicate the information to senior management.
C. Transfer the risk to third parties.
D. Assess the business impact.

D