Microsoft’s cybersecurity risk management is an enterprise-wide discipline with a framework built on a structured risk management lifecycle and a governance model. Central to this is the Cybersecurity Governance Council, a cross-functional body composed of the Chief Information Security Officer (CISO), Deputy CISOs (DCISOs), and representatives from legal and regulatory affairs. This council convenes twice weekly to evaluate emerging risks, validate mitigation plans, and ensure alignment with enterprise priorities. At the operational level, DCISOs are accountable for reviewing, prioritizing, mitigating, and accepting risks within their domains. Risk acceptance decisions are tiered based on residual risk levels and aligned with Microsoft’s defined risk appetite. Foundational elements include listening systems, internal and external audits, current and pending regulation, incidents and media, and industry groups. The methodology covers a risk management framework, risk rating criteria, and a risk universe. Tools include Power BI, a risk portfolio and accountability matrix, and NIST cybersecurity assessments. Risk domains include cybersecurity, quality and availability, business resilience, corruption, digital safety and service misuse, product safety, sustainability, global trade, antitrust and regulation, talent management, data privacy, supply chain, financial, facility security and people safety, operational risk, and search.