There is no bigger challenge for IT Departments today than managing the Risk associated with the technology choices they make to help drive business process forward for the LOB (Lines of Business) that they support. The concept is not new for IT, but the low barrier to entry for Cloud Computing Services makes it all too attractive for non-IT executives to jump on board and get started…at times without considering the consequences.
I came across a very interesting white paper that lays out Enterprise Risk Management for Cloud Services and thought it worth a synopsis and worth sharing. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group of 5 private organizations (American Accounting Association, American Institute of CPAs, Financial Executives International, Institute of Management Accountants, and the Institute of Internal Auditors) whose mission is to provide thought leadership through the development of frameworks and guidance in Enterprise Risk Management (ERM), among other items.
I personally think that the Cloud is a great equalizer, but there is inherent Risk that comes from giving up control of your data. The White Paper Enterprise Risk Management for Cloud Computing does a great job of laying out both what to look for and what to measure in the long term. The document strives to define cloud computing, and of all the attempts at placing a single definition on the nebulous cloud, I think they nailed it right on the head.
The real value of this White Paper, though, comes from the Governance model that it lays out. By far the greatest risk is that Cloud Services can be deployed without ANY Management oversight, and the stages of the Cloud Governance Model address this, ending with a strong continual monitoring environment.
The governance model suggests looking at several key points to help measure and find the individual risk profile and risk tolerance levels, and judging from the discussions that I have had with my clients in the past several weeks…these questions and the governance model…would be very well received.
- The Cloud is a Disruptive Force both to the business and to the technology landscape in general. Accepting the new pattern starts with a keen understanding of the Risks and the Rewards.
- Lack of Transparency is a challenge for Cloud Service Providers (CSPs), but that Transparency becomes a Risk Profile issue for both the CSP and the Customer…no transparency is bad for the Customer…too much transparency is bad for the CSP.
- Security and Compliance will continue to be the Cloud’s Achilles’ heel for some time, and as nearly every current regulation is being redrafted to take the Cloud into consideration…look to compliance before making the leap.
- Your organization may be off the radar for most serious Cyber Attacks, but when your information is stored alongside that of several high-profile customers of the CSP…and a breach occurs…well, you get the picture.
- IT Organizational Changes come from the move to the Cloud. Some of these are good, as the roles within IT have seen a significant shift toward the Business Analyst role for some time…but any Organizational Change brings with it new risk.
- CSP Viability comes into question for an industry that appeared overnight (if 2 decades and the transition from Managed Services to Cloud Services don’t count), and with hundreds of new Cloud Service Providers popping up daily…how long can their business models survive? Will that provider be around in 2 years?
There are great rewards that do come with the move to the Cloud, but as with any Risk Management exercise, it is as much about the measurement of Risk Tolerance as it is about reducing all risk to ZERO!
The COSO Enterprise Risk Management Framework does a good job of aligning business goals without exposing an organization to undue risk.
Just as we all learned in elementary school, much of Risk Management comes down to a simple exercise in LOOK BEFORE YOU LEAP. So read through the COSO Whitepaper, and even look through the rest of www.coso.org, to find your right balance and establish your own Risk Tolerance profile.
Cheers and Happy Tuesday!
Chris J Powell