When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager to perform?

A. Identity unacceptable risk levels
B. Manage the impact
C. Evaluate potential threats
D. Assess vulnerabilities