When an organization outsources its backup and recovery procedures to a third-party cloud provider, the risk practitioner should validate control effectiveness and update the risk register. This ensures that the controls implemented by the third-party provider are effective and that any changes to the risk profile are accurately reflected in the risk register. This step is crucial to maintain an accurate understanding of the current risk environment and to ensure that any new risks introduced by the outsourcing arrangement are appropriately managed.