Which of the following is the MOST important factor to consider when establishing a severity hierarchy for information security incidents?

A. Regulatory compliance
B. Business impact
C. Management support
D. Residual risk