Which of the following is necessary for the effective risk management in IT governance?

A. Risk evaluation is embedded in management processes
B. Risk management strategy is approved by the audit committee
C. Local managers are solely responsible for risk evaluation
D. IT risk management is separate from corporate risk management