Microsoft 365 Risk Management overview

The Microsoft 365 Risk Management program is an independent program that aligns with the Enterprise Risk Management (ERM) program and its risk management policies. This enables a consistent and comparative approach to risk management across business units and engineering groups. ERM program alignment prioritizes and directs Microsoft 365's risk management activities, which ultimately roll up into the ERM risk management process.

Microsoft 365 Trust is responsible for supporting assurance operations related to policy compliance and security requirements, as well as risk management. Microsoft 365 Trust works to identify new risks as they emerge and to monitor known risks and the responses to them. The success or failure of each risk response is tracked, and that record informs later analysis of risk likelihood and impact. As part of risk management, Microsoft 365 Trust analyzes the design and operating effectiveness of the controls implemented under the Microsoft 365 Controls Framework. Feedback from Microsoft 365 service teams and continuous monitoring data from Microsoft 365 environments also feed into the risk management process.

[Diagram: the ongoing cycle of identifying, assessing, responding to, and monitoring and reporting risk.]

Microsoft 365 risk management activities fall into four phases: identification, assessment, response, and monitoring and reporting. Risk management in Microsoft 365 is an ongoing, iterative process that incorporates feedback from risk owners, critical services, and key business areas, as well as analysis of audit findings and control implementations. Regular risk review meetings with risk owners enable Microsoft 365 Trust to update and manage action plans as needed. Risk assessment results are reviewed and validated with Microsoft 365 management and incorporated into ERM's Risk Assessment Report for the Microsoft Board of Directors.

Learn more