Watch this video on YouTube
After assessing and mitigating risks in a web application, who should decide on the acceptance of residual application risks?