Understand risk response, monitoring, and reporting

Following the risk assessment process, the Microsoft 365 Trust team identifies risk owners and works with service teams to respond appropriately to each risk. The risk mitigation process leverages existing Microsoft 365 engineering, service operations, and compliance workflows to enable timely action and accurate reporting. Risk response, monitoring, and reporting activities are iterative and focus on continuously evaluating progress towards addressing high-level risks facing Microsoft 365.

Risk response

The Microsoft 365 Trust team coordinates with service teams to respond appropriately to risks according to risk severity. Risk response strategies fall into four categories:

  • Tolerate: Areas of low-risk exposure with a low level of control.
  • Operate: Areas of low-risk exposure where controls are deemed adequate.
  • Monitor: Areas of high-risk exposure where controls are deemed adequate and should be monitored for effectiveness.
  • Improve: Areas of high-risk exposure with a low level of control; these are the top priority to address.

Affected service teams work with the Microsoft 365 Trust team to develop detailed action plans to respond to risks identified for their services. The risk severity assigned as part of the risk assessment determines the appropriate level of review and approval for these plans. The Microsoft 365 Trust team tracks high-level risks and coordinates with service teams to ensure action plans are implemented effectively. Risk owners meet regularly with the Microsoft 365 Trust team to update risk scores and evaluate progress towards addressing identified risks.

Risk monitoring and reporting

Risks identified as part of the risk assessment are monitored and reported to relevant stakeholders. Regular meetings between risk owners and the Microsoft 365 Trust team include a review of monitoring results to evaluate the progress of the action plan towards addressing identified risks. If monitoring indicates that the plan is not effectively addressing identified risks, the action plan is updated as part of ongoing risk management.

Monitoring and reporting data from Microsoft 365 Risk Management is incorporated into Microsoft 365 risk assessment reports. Microsoft 365 management reviews these reports and provides accountability for risks within Microsoft 365. Microsoft 365 risk assessment reports also inform ERM program risk assessments along with similar reports from other Microsoft business units.