Organizations should use ERM to weigh risks of cloud computing

Not a big difference between cloud-based, in-house IT options

An enterprise risk management approach can help organizations make better decisions concerning the use of cloud computing, as well as help them address exposures associated with moving to the cloud.

Savings and efficiencies are key factors in many companies' decisions to move data to cloud computing service providers. At the same time, however, concerns over risks associated with the move challenge many organizations as they weigh cloud versus in-house information technology options.

According to some experts, the data owners often make a key mistake in assuming that the risks associated with placing data in the cloud are somehow fundamentally different than those associated with internal data applications.

“What happens today is they get all caught up in, 'Do I want to be in the cloud or not?'” said Steven Minsky, CEO of ERM software and solutions provider LogicManager Inc. in Boston. “It's control of your data that you're concerned about, not whether control of that data is from an internally built application or the cloud.

“The biggest problem people have with cloud computing today is they think it's something different than what they're doing internally,” Mr. Minsky said. In considering cloud computing, purchasing applications or building applications internally, “People think of those as three different things.”

“When I was heading up the ERM at (United Services Automobile Association) one of the biggest problems we had was with our lawyers over the protection of sensitive information,” said Chris Mandel, executive vice president at enterprise risk management consultant and solutions provider rPM3 Solutions L.L.C. in Nashville, Tenn.

About five years ago, while looking into the second iteration of ERM technology solutions for USAA, Mr. Mandel said he tried to make a case for a cloud-based solution “and the lawyers just hated that idea.”

“They viewed our ERM database from a risk standpoint as some of the most sensitive information about the company,” he said. “I lost that argument for the longest time on that basis.”

By 2009, “there was ultimately capitulation around this issue,” he said, but to reach that point he had to find a way to develop a strategy and a set of controls in an evolving environment. “Cloud-based computing now is on everybody's radar,” Mr. Mandel said. “Everybody needs to get where I had to get.”

Jim Whetstone, senior vice president and U.S. technology and privacy manager at Hiscox Inc. in Chicago, said that whether the data is in an internal application or with a cloud service provider, a key consideration is how sensitive your data is.

Think of data as though it was cash, he said: “You wouldn't just have a stack of $1,000 bills sitting around in your office unprotected.”

Mr. Minsky said an ERM approach helps organizations view the in-house vs. cloud risk debate in a proper framework.

“Enterprise risk management gets you out of this discussion,” he said. “What is enterprise risk management, and what is its contribution to everything? Whether you put cloud computing in there or you put compliance in there or you put lending in there, what does enterprise risk management do? It creates a set of standards.”

When a company moves data to a cloud provider, risks include data security, implementation and user adoption, Mr. Minsky said.

“Enterprise risk management is about applying standards to these different silos,” Mr. Minsky said. “You're just saying, 'I'm going to come up with a set of standards that apply across all these silos.'”

Defining those standards involves a risk assessment that identifies root causes of exposures, he said.

“By getting to the cause of the risks, you can figure out what the controls need to be,” Mr. Minsky said. Then a company can test how well the provider meets the standards.

Once that's done, “Then it just comes down to outsourcing, doesn't it? Then cloud computing doesn't sound so scary,” Mr. Minsky said. “Nobody's going to say, 'I'm not going to outsource noncore activities anymore.'”

Mr. Mandel likened addressing exposures with cloud service providers to managing supply chain risks, with a company needing to make sure its cloud providers have good risk strategies and auditing those providers regularly to make sure those strategies are being implemented appropriately.

Discussing ways organizations can address cloud exposures, Mr. Whetstone said that contract language frequently favors the service provider, though service buyers may be able to negotiate favorable indemnification language with smaller cloud providers.

In those cases, he said, the service buyers need to consider whether the smaller cloud provider has the financial strength to meet those indemnification provisions should there be a data breach, outage or other incident, as well as potential aggregation issues if other service buyers have negotiated the same provisions.

“It's going to be problematic when it comes to actually getting them to stand behind it,” Mr. Whetstone said.

And, he said, cloud service buyers need to be prepared to face various pricing options providing different levels of data security.

“It's almost as if you get a menu of the options that you have in terms of how the information you provide is secured,” he said.

Mr. Whetstone said brokers can be good resources as organizations look to assess and address risks associated with cloud computing services.

“Brokers do more than just place the insurance for their clients. They can help them understand what their exposures are,” he said. “The business entities can work with their brokers to start to understand what their exposures are even before they consider whether insurance is right for them.”