What was the risk percentage for the main company application after implementing necessary controls?

Residual risk after implementing controls is the remaining risk that the organization accepts for the main company application once safeguards are in place. When you deploy controls, you reduce either the likelihood of a threat succeeding, the impact if it does, or both. The percentage shown—10%—represents how much risk still exists after those controls are applied. A low residual risk like 10% indicates the controls are highly effective and bring risk down to a level that is typically acceptable given the organization’s risk tolerance. The other options (40%, 60%, 20%) would mean more risk remains after applying controls, suggesting less effective or incomplete coverage. So, the best fit is the lowest residual risk value, showing strong risk reduction. If you’re studying, keep in mind to compare residual risk to the organization’s risk appetite and plan for any additional mitigations if needed.