A penetration test identifies a critical vulnerability in a customer-facing application, but exploitation would require downtime during peak business hours. The business requests delaying remediation until the next quarterly release. What should the security manager do FIRST? A. Accept the risk and document the delay as requested B. Perform a risk assessment and present impact analysis to business leadership C. Immediately remediate the vulnerability despite business objections D. Disable the affected application until remediation is complete