Organizing your risk management in the cloud

Companies have (partially) transferred their IT to the cloud with the usual suppliers (primarily Microsoft, Amazon and Google), managed by an IT agency. However, the risk management function is often not explicitly assigned in this context. The consequences are failure to recognise vulnerabilities in the IT organisation and the associated business risks that ultimately harm business continuity.

Such a situation is unnecessary if the role of a risk manager is assigned internally or externally so that vulnerabilities are identified on time, after which management takes effective and appropriate control measures. On MS 365 and Az tenants, a company can easily organise such a situation and thus ensure that data processing takes place securely and IT costs are kept within limits.

Risk do not disappear in the cloud

Companies are increasingly moving to cloud applications, allowing them to greatly simplify their IT landscape and better management internally or externally. The costs are also significantly reduced. Nevertheless, it is still important to pay close attention to where business risks can arise, who is responsible for mitigating risks and accountability.

An IT risk manager supports the company in managing the risks in the IT landscape. They help the company discover and list vulnerabilities in business processes that lead to risks and prioritise effective control measures. By establishing an explicit segregation of duties between managing the IT landscape internally or externally (in the cloud) and risk management, the company ensures that the IT landscape administrator remains alert to identify the business risks and costs of IT.

How can we help you?

Do you have questions about organizing, implementing or expanding your riskmanagement in the cloud? Our service owner, Caroline Willemse or her colleagues, would be happy to discuss your specific case.

Many companies can suffice with so-called SaaS applications in which the supplier is responsible for keeping the application operational and the company for access security and data management.

The risk manager has an essential role in selecting the SaaS application. The supplier is responsible for the application’s security. However, verifying whether the supplier has taken this responsibility is highly recommended. Suppose the supplier has not properly arranged the continuity of the application, then that can become a significant problem for a company.

It is also a ‘must’ that the application offers the possibility to bear one’s responsibility properly. For example, the application must properly set up roles to which powers and responsibilities are linked, and control must be possible. A link with Azure Active Directory (AAD) is required to enable single sign-on (SSO). Also, it is essential for risk management that the activities are supported by IT; for example, with Security centre, Defender and/or Sentinel from MS 365 and Azure tenants.

Therefore, when selecting Saas applications, all aspects should be considered.

A company has more responsibilities when (also) using the IaaS and PaaS platforms. With a bit of imagination, you can say that IaaS and PaaS are the foundations from which an application should emerge.

The risk manager’s task is to ensure that the IaaS and/or PaaS platforms are organised in a manageable manner so that control is possible, and the risk of error is minimised. Standardisation should be the norm.

Advice from a risk manager also has added value when selecting cloud services that companies offer on the infrastructure of the major cloud providers. After all, these companies must also demonstrate that their services are safe and that their responsibilities and accountability must be contractual.

It is not always possible for companies to transition to the cloud in one go for various reasons. Then a hybrid situation arises; the company is in the cloud but locally maintains IT hardware and software.

The result is that the company is in a complex situation, making management complex. Both environments have their risk profile, and risk management is duplicated. A risk manager can support setting up risk management.

In the Netherlands, the use of Microsoft 365 is almost standard. However, many companies do not realise the possibilities that Microsoft 365 offers for performing risk management. Vulnerabilities are reported to Defender and can be followed up. It is possible to expand the scope of Defender with cloud environments at Microsoft and/or other cloud providers and the local (on-premises) environment.

The outcome of the risk management with Defender is also vital in demonstrating that appropriate security measures have been taken to protect personal data.

It appears to be difficult for companies to assess the vulnerabilities in Defender and to oversee the impact. Therefore, the risk manager offers added value to help the company resolve these vulnerabilities.

Coordinated Vulnerability Disclosure

In addition to reporting internal vulnerabilities by Defender, a company can also promote the reporting of vulnerabilities that have been identified externally. Reporting requires a Coordinated Vulnerability Disclosure policy and publication on the website. See here.

The risk manager also includes these external signals in his risk management.

Risk management, in particular IT risk management, detects and registers internal and external vulnerabilities, estimates business risks and advises on taking effective control measures. Internal or external management implements controls through which the company protects its business continuity.

The applied segregation of duties between management and risk management requires the management’s approval and the employees’ understanding. In addition, knowledge and change management may be necessary depending on the goals of setting up risk management.

We formulate concepts for companies to organise risk management, particularly IT risk management. We provide training programs for management and employees and can take on the role of (IT) risk manager for companies on a structural or incidental basis.

More about risk management in the cloud

Do you have questions or need an appointment?

Feel free to contact us on +31 0 (70) 392 22 09 or Please make an appointment with Caroline Willemse or a professional from her team.