A paper released this year, “Enterprise Risk Management for Cloud Computing,” produced by Crowe Horwath L.L.P. for the Committee of Sponsoring Organizations of the Treadway Commission, stressed the importance of a well-developed plan setting out the organization's cloud computing objectives and the specific role cloud computing will play.
“Some of the ERM prerequisites that should be factored into a quality cloud computing plan, and ultimately the cloud solution, are a strong governance model, a sound reporting structure, an accurate understanding of internal IT skills and abilities, and a defined risk appetite,” the paper said.
While it's “not uncommon for organizations to adopt cloud computing solutions without applying a formal risk evaluation or expending any effort to adjust its ERM or governance program,” best practice is to incorporate cloud governance in the early stages of defining a cloud computing strategy, the paper said. And, for organizations that adopted cloud solutions without following ERM best practices, performing a risk assessment and establishing cloud governance remains a prudent step.
“Unfortunately, sometimes people take all the easy steps,” said Warren Chan, principal at Crowe Horwath in Oak Brook, Ill., and one of the paper's authors. “Sometimes the benefits ... look very good, so they only look at the upside rather than the downside.
“What's happening is people are not doing an end-to-end evaluation of at least the critical points,” Mr. Chan said. There could be legal risks, business interruption exposures or other business risks, he said. And, he said, once companies engage a third-party provider, many times their risks expand.
“Just because I outsource the responsibility does not necessarily mean I've outsourced the liability,” Mr. Chan said. “Most of the cloud provider contracts that I've seen, if you've experienced any sort of problem or outage with the provider, your main form of compensation is credits.”