Final answer:
Senior management is ultimately in charge of deciding how much residual risk there will be.
Step-by-step explanation:
The ultimate decision-making authority for determining the amount of residual risk lies with senior management. Senior management has the highest level of authority and is responsible for making strategic decisions that impact the organization as a whole, including decisions related to risk management.
The chief security officer (A) and security administrator (B) play important roles in implementing and managing security measures, but they do not have the final say in determining residual risk. These roles focus more on the operational aspects of security.
The disaster recovery plan coordinator (D) is responsible for developing and implementing a plan to recover from a disaster, but they do not have the authority to decide the amount of residual risk.