
Risk Management and Cloud Computing

There’s a new COSO preacher in town. Is he or she a threat or an enabler of a peaceful and safe community?

Should we embrace him or her and listen to their advice?

Enterprise Risk Management for Cloud Computing is an interesting document.

I am not a fan of the document, but if you are in IT or responsible for addressing IT-related risk you might find it of some interest.

It starts reasonably well with:

Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that effort. Utilizing cloud computing has become an essential element to compete in the marketplace.

The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, facing the inertia of accelerated access to cloud based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments.

Let’s acknowledge, though, that cloud computing is not new. It has been with us for many years.

I am (just) old enough to remember some of the first database systems. I was a manager with a major public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.

Tom shared his experiences helping a major Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their newest and most powerful mainframes.

He told us that he was often asked about the differences in deploying database vs. traditional systems. His answer was:

“It’s just another file structure.”

In many ways, cloud is similarly a simple evolution rather than a gigantic leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few more challenges, but not so many that IMHO justify a publication from COSO specifically on cloud computing.

COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, Making Business Sense of Technology Risk).

They get this right:

An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.

The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.

But, and it is a huge but, they start with Governance and Culture. Now I agree that is an important topic, but you don’t establish governance structures and processes before you understand the risks and related processes.

They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.

So, let’s leave COSO behind and take a far simpler approach:

  1. Understand what the organization is trying to achieve, its business objectives.
  2. Consider what might happen (a phrase I far prefer to the four-letter word starting with ‘R’) that could affect the achievement of those objectives: the extent and likelihood of achievement.
  3. Include consideration of both what is needed to go right (to achieve enterprise business objectives) and could go wrong.
  4. Understand how the above depend on or are the consequences of the use of technology. You might define a subset of things that involve cloud computing.
  5. Given all that, are we OK? Is the likelihood of success (achieving enterprise business objectives) acceptable?
  6. If not, what are you going to do about it?
  7. Is it best to change processes and such that relate specifically to cloud, or is there a better way?

One concern with starting, as this COSO guidance does, with a focus on cloud is that you might end up dedicating scarce resources to a source of minimal risk to the enterprise.

There is, as always, more to be said. The COSO document can be of value by considering all of its detailed suggestions as ‘food for thought’.

But I cannot recommend adopting it as a framework.

I welcome your thoughts.

  1. John Fraser
    July 29, 2021 at 10:15 AM

    Correct. In the late 1970s when databases were coming into being, the AICPA and the Canadian CA Institute put together a task force to research and recommend what should be done from an audit point of view regarding databases. My boss was on the task force. After many months and meetings and dollars, a VERY slim booklet of a few pages was published with little to say. It was just a different file structure.

    • Richard Fowler
      July 30, 2021 at 5:31 AM

      That’s a great story, John. Cloud computing, however, is not a different file structure; it’s the same file structure. It’s rather just a different network. Cloud computing simply means you’re using someone else’s computer!

  2. August 3, 2021 at 12:54 AM

    When computers were invented and developed further, the first business applications involved supporting administrative processes like financial accounting and payroll. However, they were too expensive for the average company. So data centers were founded that supplied accounting and payroll services. Punch cards for data entry. No internet yet. Maybe slow modem connections. Challenge to make sure your data was separated from other customers and processing was correct. The start of EDP/IS/IT-audit and publications on how to control this (e.g. An Audit Approach to Computers (Jenkins & Pinkney) or EDP-audit (Ron Weber)). The first versions of SOC reports were developed (like SAS-77).

    This changed when computers became cheaper and every company could buy them.

    Now we see that IT has become so complex (what in the past was done by one device is now separated over many devices) and IT management so expensive that cloud computing may offer a better solution.
    Some material of those old books is of value again: no matter what you bring to the cloud, management is still responsible and will have to put the right set of controls in place to control this.

  3. Avid Reader
    August 28, 2021 at 10:11 PM

    I’m perplexed when people start talking about cloud computing as if it’s the next revolution in the world of technology! It simply is using centralized computing resources that are no longer managed by your organization. You have outsourced the computing power and support infrastructure of skilled labor and can scale up or down as your business needs arise. Yes, there are some pros to this, as would be expected, but none of which are revolutionary, and certainly the risks have not been reduced; in fact, if anything, the ‘what could go wrong’ increases, yet companies are relaxed under a heap of lawyer-jargon of an agreement.

