6 | Enterprise Risk Management for Cloud Computing | Thought Leadership in ERM
4. Changes in the Business Operating Environment with Cloud Computing
An organization should recognize the risks and other effects cloud computing can have on its operating environment and account for them in its ERM programs. In some cases, cloud computing can easily enter into an organization while bypassing typical management oversight controls. When an organization invests significant resources in an endeavor that could take months or years to complete, conventional processes and controls require management’s involvement and approval. Such endeavors are highly likely to attract senior management’s attention in the form of risk assessments, audits, and steering committees.

Some cloud solutions can easily be adopted within a short period of time while requiring a small monetary investment and the involvement of very few personnel. The equation of big investment equals big impact is different with cloud computing, where a small investment can have a big impact. The need to expend a great amount of effort to analyze cloud computing risks and perform the related due diligence may therefore seem counterintuitive. Consequently, management could neglect to perform time-consuming steps such as confirming compliance with legal or regulatory requirements or evaluating the potential impact of the CSP on the organization’s operations and risk profile. Exhibit 4.1 illustrates how, with cloud computing, some of the typical control trigger points (such as personnel resources and required finances) might not reach the levels that would typically invoke the oversight of senior management.
Exhibit 4.1 Cloud Solutions Can Be Adopted While Eluding Management Oversight
It is paramount that management also understands that with most cloud solutions (with the possible exception of an internal private cloud) the organization has less direct control of the solution and consequently a higher level of inherent risk.

For example, an organization using a SaaS (public cloud) solution has shifted responsibility for some or all of its IT functions, including controls, to a third-party provider. Exhibit 4.2 illustrates the degree of control the organization retains and relinquishes, depending on the type of cloud service delivery and the deployment model. Specifically, the maximum amount of control and the least amount of inherent risk are associated with an IaaS (private cloud) solution. In contrast, with a SaaS (public cloud) solution, the organization retains the least amount of control and must accept the highest level of inherent risk. In all cases, management should evaluate the cloud deployment and delivery models in the context of acceptable risk levels, as this will determine the preferred type of cloud computing environment and the related requisite controls.