This blog first appeared on August 4th, 2021

COSO released another guidance document last week, this one talking about how to apply COSO’s enterprise risk management framework for issues in cloud computing. Considering that just about every business under the sun is migrating to the cloud, and that the compliance risks within such migration can be considerable, let’s take a look at what COSO had to say.

The guidance was published last week — 44 pages long, free to all, and like most COSO risk management guidance we’ve seen lately, written in clear, non-technical language that any compliance, audit, or risk professional can understand.

This piece also follows the same pattern we’ve seen in prior COSO risk management guidance. It introduces the ERM framework overall (20 principles in all), and then explores how each principle can be tailored for the subject at hand. In this case the subject is cloud computing, but prior pieces of COSO guidance addressed ethics and compliance, cybersecurity, ESG issues, and other topics.

First, why is such guidance important at all? Because cloud computing has come to be a central IT strategy for most businesses today. From an operations perspective, that makes sense; cloud-based services are cheap and easy to install, and the vendors themselves are probably better at whatever business process you’re outsourcing than you are.

That said, the cloud also poses new risks for privacy, security, and compliance, plus risks around operational resilience if you outsource critical functions to a dud vendor that can’t deliver. So corporate boards, CISOs, audit executives, and compliance officers all have great need to understand what “migrating to the cloud” really means. This COSO guidance unpacks lots of those issues.

Examples of Cloud-Related Issues

One good example comes near the beginning of the guidance. One principle in COSO’s enterprise risk management framework, relating to proper governance and oversight, is “establishes operating structures.” That’s what senior leaders in an organization are supposed to do: establish operating structures so the business can achieve its objectives.

So how does that principle apply when the company is trying to embrace cloud computing?

Well, senior management might need to imagine new roles or responsibilities for various executives as the company moves away from on-premises technology and toward the cloud. For example, vendor risk management would become much more important, since the cloud-based vendors you use would pose more risks (both in absolute number of risks, and in each risk’s severity). Would you therefore redefine the CISO’s role to include vendor risk management — or the privacy officer’s role, or the IT manager’s role? Or would you create some entirely new “chief vendor risk officer” sort of role?

There’s no single correct answer to those questions. The point is that the board and senior management should think their way through such questions before making a large migration to the cloud. That’s what “establishing proper operating structures” means in this context.

Another good example comes from two other principles in the COSO risk management framework, “evaluates alternative strategies” and “formulates business objectives.”

A company can embrace any of several cloud models: public, private, even hybrid clouds. Each one carries different benefits and risks. The public cloud, for example, can be quite cheap; but your privacy risks and need for privacy assurance go up considerably. A hybrid system would be more expensive, but still leave you with more direct control over your data, and therefore over your privacy and compliance risks.

Which one is best? That depends. Your business could make a strategic decision to collect less personally identifiable information, meaning your privacy risks would decline and you could use cheap, public cloud systems more freely. Or maybe collecting all that PII is important enough that you want to keep collecting it, even if that means you spend more time and money to manage privacy and compliance risks among your cloud-based vendors.

Again, however, the point is that migrating to the cloud raises these new questions — questions about strategy, governance, performance, and so forth, that senior leaders previously didn’t need to consider. This COSO guidance is a good framing mechanism to understand the questions you should be pondering, to assure that you embrace this technology wisely.

And since it’s so informative, here’s a chart from COSO explaining the roles and responsibilities that exist under various cloud-computing models.

diagram: Responsibility by Cloud Deployment Model and Cloud Service Delivery Model
Source: COSO

Who Should Read This, Anyway?

Honestly, different executives could read and use this guidance for different reasons.

I could easily see a CISO using this guidance to help him or her build the business case for certain types of cloud computing, and to lay down a strategy for better compliance in that cloud environment. This guidance would help you to anticipate the questions that your board would (or at least should) ask about how migration to the cloud might affect business objectives and strategy.

I could also see internal auditors using this guidance to help frame the enterprise risk assessment as your organization moves into the cloud. You can better understand the strategic, technical, or compliance risks that arise from cloud computing, and the best practices a company should have in place to think its way through those risks.

And I could see board directors giving this guidance a read so they can understand what questions they should ask to be sure the CISO, or the IT auditor, or chief audit executive, is focused on the right priorities while moving into the cloud.

More broadly, anyone could put this guidance to good use, because cloud computing truly is that pervasive in the corporate world. One telling statistic from Gartner, included in the COSO guidance: two years ago, analysts expected that the cloud computing market today would be roughly $289 billion, which wouldn’t be surprising, because cloud computing had grown steadily through the 2010s.

The pandemic, however, put that adoption curve on steroids — so that the actual market today is estimated to be $305 billion, rather than the $289 billion projection Gartner had made before the pandemic.

Cloud computing is everywhere, and it’s here to stay. Businesses might as well understand how to use the cloud properly.