Page 18 - COSO Guidance
10 | Enterprise Risk Management for Cloud Computing | Thought Leadership in ERM
In cases where a cloud solution has already been implemented, the COSO ERM framework can be used to establish, refine, or perform a quality assurance check of the cloud governance program by ensuring that all major aspects of the program (e.g., objectives, risk assessment, and risk response) have been addressed with respect to management’s requirements. An effective cloud governance program can still be achieved by applying the COSO ERM framework after the implementation of a cloud solution.

The best-practice situation is when management uses the COSO ERM framework to identify the ideal configuration of cloud solution options (i.e., business process, deployment model, and service delivery model) that fits management’s risk appetite. By evaluating the cloud solution candidates in the context of each component of the COSO ERM framework, management can succinctly identify the related risks and desired risk acceptance or mitigation strategies with each cloud solution scenario (as risks will vary with each combination of options). This evaluation will enable management to make prudent risk management and governance decisions in selecting its ideal set of cloud solution options and creating a well-thought-out cloud governance program before the cloud solution is implemented.

The remaining material of this section elaborates on some of the key concepts with respect to evaluating cloud solution candidates through each of the components of the COSO ERM framework:

Internal Environment – The internal environment component serves as the foundation for and defines the organization’s risk appetite in terms of how risks and controls are viewed. For instance, if management has a policy of not outsourcing any of its operations (i.e., there is a culture of risk avoidance), this policy will limit the viable options for cloud deployment and service delivery models so that private cloud solutions might be the only acceptable alternative.

Objective Setting – Management needs to evaluate how cloud computing aligns with the organization’s objectives. Depending on the circumstances, cloud computing might present an opportunity for the organization to enhance its ability to achieve existing objectives, or it might present an opportunity to gain a competitive advantage, which would require new objectives to be defined.

Event Identification – Management is responsible for identifying the events (either opportunities or risks) that can affect the achievement of objectives. The complexity of event identification and risk assessment processes increases when an organization engages cloud service providers.

Management needs to consider external environmental factors (e.g., regulatory, economic, natural, political, social, and technological), as well as the organization’s internal factors (e.g., culture, personnel, and financial health), as part of the process when identifying and assessing risk events. With the use of public or hybrid cloud solutions, management needs to take into consideration events affected by external and internal factors of its CSP as well. Management should endeavor to have a complete inventory of events, since the nature and quality of the risk assessment process is significantly influenced by the expected events.

Risk Assessment – Management should evaluate the risk events associated with its cloud strategy to determine the potential impact of the risks associated with each cloud computing option. Ideally, risk assessments should be completed before an organization moves to a cloud solution.

Cloud computing can affect the following critical focal points of a risk assessment:

• Risk profile – An organization’s risk profile encompasses the entire population of risks it must manage. When a cloud solution is adopted, an organization’s risk profile is altered due to changes in the likelihood of risks, the potential impact of the risks, and the inclusion of a subset of the CSP’s risk universe (refer to the “Risk Profile Impact of CSPs and Fellow Cloud Tenants” discussion at the end of this section).

• Inherent and residual risk – An organization must assess the inherent risks of the events and then develop risk responses and determine the residual risk. Depending on the organization, the non-cloud computing solutions’ inherent and residual risk levels could be either greater or less than those of the cloud computing options.

• Likelihood and impact – The likelihood of certain events and the related potential impact change in many cases when cloud solutions are adopted. The ability to make this determination accurately depends on whether the organization has a comprehensive, accurate, and current inventory of risks.

In some situations, management will not have access to all the required information related to the CSP’s internal control environment; consequently, certain assumptions will have to be made in order to complete the risk assessment.
www.coso.org