The Risk Management Association (RMA) defines the "principles of good risk
management" using the following main steps:
- Risk identification: The opportunities and risks must be ascertained, observed and reported in a complete, correct, timely and orderly manner.
- Risk assessment: Of the risks thus identified, at least those that threaten the existence of the company are determined and evaluated.
- Risk control: The correct measures are determined and initiated. This is done at a time when the countermeasures, taking delays into account, can still be initiated quickly enough.
- Documentation and reporting of risks: The risks that have been identified and assessed, and the measures that have been determined, are to be clearly documented and reported.
Under risk control, measures are differentiated into measures to prevent the occurrence of a risk, measures to reduce the probability that a risk will occur, and measures to reduce the potential damage of a risk.
An essential point for an effective risk management assessment is that it takes place not only at the beginning, but also regularly during the use of the Cloud services as part of the standard company audit processes, since both the risks and the appropriate measures can change over time whilst the Cloud services are being used.
Such changes could be caused by:
- Organisational changes, e.g. increases or reductions in the workforce; expansion of the business; changes in the structure of the customer pool and in customer needs.
- Legal changes, especially changes concerning data protection.
- Technical changes, e.g. security aspects, new technologies, changes in the IT landscape of the company.
- Commercial changes, e.g. Cloud services with equivalent functionality and price advantages.
Weighing up what kind of action is the most appropriate for risk
management depends on the nature of the risk, and, on the economic level,