Microsoft Enterprise Risk Management (ERM)


Microsoft Enterprise Risk Management (ERM) identifies the most significant risks for Microsoft and provides a consistent risk management approach across the organization. ERM includes a formal risk management methodology, which includes defined roles and responsibilities, provides continuous input, and supports timely decisions to mitigate risks. Highly visible senior leadership support and involvement ensure accountability and underscore Microsoft's commitment to managing enterprise risks effectively.

Figure: a pyramid diagram showing the foundation of Microsoft Risk Management. The top tier is the Board of Directors, senior leadership, and enterprise risk; the middle tier is risk domains and operational domains; the base is the foundational elements, which consist of listening systems, methodology, and tools.

ERM performs a semi-annual Enterprise Risk Assessment to evaluate risk across Microsoft. These assessments have two audience levels: senior leadership (CEO and direct reports) and the Audit Committee of the Board. ERM assessments utilize inputs from discussions with domain leaders across the company and senior leaders within each organization. Key inputs for the assessment include interviews at various levels across Microsoft, from subject matter experts (SMEs) in each risk domain and operational risk area all the way up to senior leadership. The ERM process combines the insights of risk domain owners with the insights gained from leaders and SMEs in each operational risk area. It also includes feedback from the foundational elements of our risk management process, such as listening systems that monitor for risk indicators and tools that provide visibility into the operation of Microsoft systems and processes.

The ERM risk assessment process identifies company opportunities, aspirations, and commitments, along with the most significant risks to Microsoft's objectives. This analysis includes an assessment of the operating environment, including internal risk assessments from business units and external factors such as competition and the regulatory landscape. The Enterprise Risk Assessment also considers historic data such as previous audits and assessments. Additionally, Microsoft applies knowledge and feedback from industry groups, forums, and peer reviews to develop a broad picture of the external risk environment.

The risk assessment process includes discussion with key stakeholders across the entire organization. These stakeholders provide feedback on identified risks to ensure they accurately represent the risk posture of Microsoft. After reviewing action plans for identified risks and ensuring risks are assigned to the correct owners, the assessment concludes with an Enterprise Risk Management report for the Board of Directors that captures the opinion of Microsoft senior leadership.