Watch this video on YouTube
What is the best course of action for an information security manager when the residual risk exceeds the acceptable level?