Page 152 - Cloud Migration Version 2012 English

The Risk Management Association (RMA) defines the "principles of good risk 
management" using the following main steps:  
Risk identification: The opportunities and risks must be ascertained, 
observed and reported in a complete, correct, timely and orderly 
manner.  
Risk assessment: Out of the risks thus identified, at least the ones 
that threaten the existence of the company will be determined and 
evaluated. 
Risk control: The correct measures are determined and initiated. This 
is done at a time when the countermeasures, taking delays into 
account, can still be initiated quickly enough. 
Documentation and reporting of risks: The risks that have been 
identified and assessed and the measures that have been 
determined are to be clearly documented and reported.  
Under risk control, measures are differentiated as measures to prevent the 
occurrence of a risk, measures for the reduction of the probability that a risk 
will occur, and measures to reduce the potential damage of a risk. 
An essential point for an effective risk management assessment is that it not 
only takes place at the beginning, but also regularly during the use of the 
Cloud services as part of the standard company audit processes, because both 
the risks and the appropriate measures can change over time whilst the 
Cloud services are being used.  
Such changes could be caused by: 
Organisational changes, e.g. increases or reductions in the 
workforce; expansion of the business; changes in the structure of the 
customer pool and in customer needs. 
Legal changes, especially changes concerning data protection. 
Technical changes, e.g. security aspects, new technologies, changes 
in the IT landscape of the company. 
Commercial changes, e.g. Cloud services with equivalent 
functionality and price advantages. 
Weighing up what kind of action is the most appropriate for risk 
management depends on the nature of the risk, and, on the economic level,