When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should FIRST consider the: 

Answer options:

A. cost burden to achieve compliance.
B. disruption to normal business operations.
C. readiness of IT systems to address the risk.
D. risk profile of the enterprise.

D