XYZ is a Risk Manager. Why would he want to utilize Entity Types and Entities? (Choose three.)

A. To monitor risk exposure
B. To remediate vulnerabilities
C. To perform risk assessments
D. To perform policy exceptions
E. To perform risk reporting

As per my understanding the answer would be A, C and E

B is related to Vulnerability management to incorrect and

D is related to Policy exception which nothing related to risk manager activity.

Is my understanding correct?