Midway through the financial year, an unforeseen regulatory change forces the information security manager to fund an urgent data-protection project that was not in the approved budget. The annual security budget is already fully committed and the board has frozen requests for additional funds until the next cycle. Which action best reflects sound resource allocation in this situation?
- A. Defer the regulatory project to the next budget cycle and formally document the resulting compliance exposure as an accepted risk.
- B. Re-prioritise the existing portfolio and reallocate funds from lower-risk initiatives to the regulatory project after assessing the impact. (Correct)
- C. Reduce the scope of every active initiative by an equal percentage to free the funds the regulatory project needs.
- D. Fund the regulatory project from operational contingency without informing the board until the year-end budget review.
Why A is wrong: Tempting because it respects the funding freeze and uses formal risk acceptance, but accepting a known regulatory breach when reallocation is possible is poor stewardship and the manager rarely has authority to accept that level of risk alone.
Why B is correct: Correct because re-prioritising within the committed budget directs scarce resources to the highest-risk obligation while a documented impact assessment keeps the deferred work visible, which is disciplined resource management under constraint.
Why C is wrong: Tempting because spreading the cut feels even-handed, but uniform reductions ignore the relative risk of each initiative and can weaken high-value controls, which is the opposite of risk-based allocation.
Why D is wrong: Tempting because contingency exists for surprises, but quietly drawing it down and bypassing governance for a material regulatory matter breaches transparency and undermines the board's oversight of the budget.