COSO in the Cloud
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages erm itg risk it-risk coso risk-management | 0 Comments | 2,351 Visits
If you haven't already seen it, it's worth a look – The Committee of Sponsoring Organizations of the Treadway Commission just published a thought paper dealing with risks related to cloud computing. It leverages off COSO's enterprise risk management framework, speaking specifically to issues surrounding hosted services delivered over the internet. The paper is geared not to the techie, but rather to management level personnel who need to understand not only the benefits, but also the associated risks. The paper briefly outlines the many benefits of cloud computing, including greater technology value at lower cost, faster speed of deployment, common technology platforms, reduced need for support personnel and related expenditures, and environmental benefits.
Naturally, most of the focus is on the risks. These include the strategic – with lower barriers of entry for new competitors and related challenge to current business models – and dependency on cloud service providers which in turn drives legal and related risks. Others include lack of transparency, reliability and performance issues, security and compliance concerns, and elevated risk of cyber attack or data leakage. The paper also deals with issues inherent in moving to the cloud, such as the extent to which management considers the impact on the company's organization and IT and other personnel resources, noting "In many cloud scenarios, the organization no longer has complete or direct control over technology and technology-related management processes. Management must determine if it has the risk appetite for the entire universe of potential events associated with a given cloud solution as some of these events extend beyond the organization's traditional borders and include some events that have an impact on the [cloud service provider(s)] supporting the organization."
The paper also discusses cloud issues in the context of COSO's ERM Framework's eight components, outlining how each can be addressed and used in evaluating cloud computing alternatives. It provides suggestions for dealing effectively with the more significant risks, and highlights key decisions to be made by senior management – as well as responsibilities of C-suite executives – and areas on which the board of directors needs to focus its attention. If your company is already in the cloud or considering going there, the paper is worth the read.