What should be documented when a risk is accepted in the business continuity planning process?

When a risk is accepted in the business continuity planning process, it is essential to document the decision-making process. This includes the rationale behind accepting the risk, any considerations or analyses that were conducted, and the potential implications of that acceptance. Documenting the decision-making process ensures transparency and provides a reference for future evaluations or audits.

Recording the decision-making process reflects due diligence and helps stakeholders understand why certain risks were viewed as acceptable given the organization's risk tolerance. This is particularly important for maintaining compliance, for informing future planning and response strategies, and for accountability within the organization.

The other options, while related to risk management, do not directly address what should be documented specifically when a risk is accepted. Implementing new security controls or creating a disaster recovery plan would be actions taken to mitigate risk, while conducting a business impact assessment is a precursor to identifying risks rather than an outcome of accepting them.
