In a constantly evolving world of technology, information processing has progressed from mainframes to personal computers to the web. With this shift in processing, the adoption of cloud computing has become extremely attractive to companies. By delivering a range of services across the internet, cloud computing expands business model capabilities and the ability to meet demand while avoiding investments in infrastructure, personnel, and software. Advancements in virtualization, system resource management, and the internet have made cloud computing a viable alternative for companies. While several benefits arise from the utilization of cloud computing, enterprises also face new risks. The emergence of these new risks pushed the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to establish a framework that helps organizations identify the risks, and the corresponding mitigation strategies, that accompany the evolution of cloud computing.

Benefits of Cloud Computing

  • Cost Savings – Customers pay for only the services they use instead of purchasing equipment.
  • Speed of Deployment – Cloud service providers can meet the need for computing resources much quicker than most internal IT functions.
  • Scalability and Better Alignment of Technology Resources – An organization may scale its server capacity up or down without any additional expenses.
  • Decreased Effort in Managing Technology – Since the company does not own or operate the IT function, it can spend more time on its core purpose and goals.
  • Environmental Benefits – If more companies converted from data centers to cloud computing, there would be less overall power consumption and carbon emissions.

Establishing Cloud Computing Governance

An organization’s existing ERM program may require adjustment due to the implementation of cloud computing. The degree of adjustment depends on the business processes the cloud supports, the deployment model, the service delivery model, and the nature of the engaged cloud service provider’s (CSP’s) risk and control environment. It is the responsibility of management to determine if the company has the risk appetite for the array of possible events that come with a given cloud solution, because some of these events extend beyond the organization’s borders.

COSO’s Enterprise Risk Management – Integrated Framework can be utilized by management to identify the configuration of cloud solution options that best fits the company’s risk appetite. Evaluating each component of the COSO ERM framework enables management to identify the related risks and mitigation strategies of each cloud solution scenario. Management may then use this evaluation to make risk management and governance decisions.

With the utilization of a cloud computing system, the organization’s data and processes are stored in a shared environment. The behavior and events of the CSP could have a direct impact on the organization. Since the risks of the CSP have the ability to impact its cloud customers, these risks must be incorporated into the risk profile of all customers. It is for this very reason that management must also consider risk-related information about its fellow tenants.

Risks & Risk Responses of Cloud Computing

  • Risk One: Lack of Transparency – A CSP is unlikely to share detailed information about its processes, operations, and controls.
    Response: Assessments of the CSP Control Environment
  • Risk Two: Security Concerns – In the cloud, data is located on hardware outside of the company’s direct control.
    Response: Data Classification Policies and Processes
  • Risk Three: Cyber Attacks – The consolidation of multiple organizations within one CSP presents a more attractive target than a single organization.
    Response: Incident Management
  • Risk Four: Vendor Lock-In – CSPs offer application software with their cloud solutions. These tools create applications that work only within the CSP’s specific solution architecture. Consequently, these applications might not be compatible with systems outside of the cloud solution.
    Response: Preparation of an Exit Strategy

Cloud solutions can pose new challenges to ERM programs. In order for the programs to operate effectively, management must understand any potential risks along with well-developed risk mitigation and acceptance strategies. Through the utilization of the COSO ERM framework, companies can be well equipped to identify the array of risks and risk responses that each cloud computing opportunity and decision entails. Proper implementation of cloud computing systems could yield a multitude of benefits for businesses, but executives must first be aware of the risks and issues that could possibly arise.

Link: COSO's Enterprise Risk Management for Cloud Computing, June 2012

ERM Enterprise Risk Management Initiative 2018-06-26