Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Plan key to cloud computing strategy

Reprints
Plan key to cloud computing strategy

A paper released this year, “Enterprise Risk Management for Cloud Computing,” produced by Crowe Horwath L.L.P. for the Committee of Sponsoring Organizations of the Treadway Commission, stressed the importance of a well-developed plan setting out the organization's cloud computing objectives and the specific role cloud computing will play.

“Some of the ERM prerequisites that should be factored into a quality cloud computing plan, and ultimately the cloud solution, are a strong governance model, a sound reporting structure, an accurate understanding of internal IT skills and abilities, and a defined risk appetite,” the paper said.

While it's “not uncommon for organizations to adopt cloud computing solutions without applying a formal risk evaluation or expending any effort to adjust its ERM or governance program,” best practice is to incorporate cloud governance in the early stages of defining a cloud computing strategy, the paper said. And, for organizations that adopted cloud solutions without following ERM best practices, performing a risk assessment and establishing cloud governance remains a prudent step.

“Unfortunately, sometimes people take all the easy steps,” said Warren Chan, principal at Crowe Horwath in Oak Brook, Ill., and one of the paper's authors. “Sometimes the benefits ... look very good, so they only look at the upside rather than the downside.

“What's happening is people are not doing an end-to-end evaluation of at least the critical points,” Mr. Chan said. There could be legal risks, business interruption exposures or other business risks, he said. And, he said, once companies engage a third-party provider, many times their risks expand.

“Just because I outsource the responsibility does not necessarily mean I've outsourced the liability,” Mr. Chan said. “Most of the cloud provider contracts that I've seen, if you've experienced any sort of problem or outage with the provider, your main form of compensation is credits.”