【正文】 orting services entities—Linking with process and technology entities allows for a plete endtoend risk and control assessment for that supporting service, ., interfacing risks amongst technology entities, servicelevel risks for endtoend IT service, and integration risks (the management of handoffs between departments). Control objectives with reference to the COBIT controls process Actions to make the control effective Control owners—The owners responsible for maintaining control effectiveness Tailoring the training delivered by the risk experts to the audience. For entity owners, a simple process overview was provided through mandatory puterbased training. For risk and control owners, training was detailed and included examples and tests, and it was delivered through classrooms at different locations or through webbased training sessions. Modifying the role description and performance evaluation process to include specific tasks for risks and controlsBenefit of Step 4Due to this topdown approach, the importance of risk management was well accepted and it was effective at all levels of the organisation.Step 5—Using a Reporting ToolA simple spreadsheet was used for maintaining a risk and control repository for each entity. Within the entity, the risk team member used an Excel spreadsheet for tracking risks, actions, etc. However, there was a requirement to have a single, mon database repository for maintaining organisationwide risks and controls. Hence, a tool was developed to gather information for all entities. This helped in: Tracking closure of actions Earlier, there were more than 1,000 controls defined. The number was reduced as each control was mapped to the COBIT framework. At the global level, the number of controls was reduced to almost 350. However, within a particular entity, region, country, etc., further drilling down of a control was allowed for tracking locally. For example, globally, in the RCA, a single control was identified for local pliances: A mon training pack was seen as an important and valuable deliverable by the risk team and was defined based on the audience. For example, a training pack of 15 minutes for all entity owners (typically centre heads in each country or region) was developed and implemented using the elearning portal, whereas a detailed process training pack was developed for risk and control owners.Jitendra Barve, CISA, FCAis a certified accountant with more than 18 years of experience in accounting, finance, audit and consulting. He has spent more than 10 years in information security audits and consulting and has worked on various assignments on risk management, riskbased internal audits, and information security reviews and audits. Barve is a board member of the ISACA Pune Chapter (India). He is associated with a midsized CA firm from Pune, . Apte and Co.Editor’s NoteReaders may wish to note that ISACA’s Risk IT framework expands on the areas covered in this article and supports enterprises in identifying, governing and managing ITrelated business risks, plementing the control (risk mitigation) guidance provided in COBIT. Click here for more information on Risk IT.9 / 9