Introduction to Microsoft 365 risk management

Risk management is the process of identifying, assessing, and responding to threats or events that can impact company or customer objectives. At Microsoft, we prioritize effective risk management because a growing part of our business involves cloud-based services available across the spectrum of computing devices. Risk management at Microsoft is designed to anticipate new threats and provide ongoing security for our cloud systems and the customers who use them.

Microsoft's risk management process aligns with the Enterprise Risk Management (ERM) framework. ERM drives the overall enterprise risk management process and works with management across the enterprise to identify Microsoft's most significant risks and ensure accountability for them. Our ERM program aligns with the ISO 31000:2009 Risk Management Standard and the Committee of Sponsoring Organizations (COSO) Internal Control framework to ensure we follow industry best practices for risk management.

Microsoft ERM enables common risk management activities across the enterprise so that business units can independently conduct risk assessments that are consistent and comparable with one another. ERM provides business units in Microsoft with common methodologies, tools, and goals for the risk management process. Microsoft 365 and other engineering groups and business units use these tools to conduct individual risk assessments as part of their own risk management programs under the guidance of ERM.

Microsoft 365 risk management teams follow ERM guidance to manage risks across Microsoft 365 services. The Microsoft 365 Risk Management program conducts interviews with the service teams that design, build, and operate Microsoft 365 services to identify current risks and areas of concern as part of ongoing risk assessment activities. These activities, along with additional analysis of continuous monitoring data, audits, and other sources, are used to develop risk assessment reports that identify current and possible future risks to long-term business goals. Risk assessment reports provide a high-level overview of Microsoft 365's risk posture based on our findings and feedback from Microsoft 365 teams. Together with similar reports from other business units, Microsoft 365 risk assessment reports contribute to and inform ERM program risk assessments.

Risk management is a critical exercise that enables Microsoft to protect our organization, individual business units like Microsoft 365, and our customers. This module describes how Microsoft manages risk at the enterprise level and details the specific activities Microsoft 365 uses to identify, assess, report, and monitor risks.