January 12, 2022
Cloudy With a Chance of Computing
Has your organization recently implemented cloud computing for the first time or upgraded its cloud computing capabilities? You are not alone. The pace at which cloud computing is adopted continues to accelerate across many industries, including insurance.
COSO introduces Cloud Computing Integration into ERM
In response to the rapid adoption of cloud computing, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a publication, Enterprise Risk Management (ERM) for Cloud Computing (the publication), to assist organizations with identifying the risks associated with cloud computing and create a framework to address those risks. The publication states that,
“Utilizing cloud computing has become an essential element to compete in the marketplace.”
This bold statement suggests that cloud computing capability is becoming a basic requirement of doing business in many industries. The publication utilizes the five components and twenty principles (shown below) established in COSO’s 2017 document, ERM: Integrating With Strategy and Performance, and tailors each one to cloud computing, highlighting how management and those charged with governance should consider cloud computing and bake it into the risk management process.
The publication provides helpful information for organizations with newly established cloud computing capabilities while being broad enough to provide useful information for organizations with established ERM activities and cloud computing processes. Using the framework and roadmap outlined in the publication will enable organizations to better manage risks associated with cloud computing activities. While the publication’s authors provide detailed instructions on how the COSO ERM framework components and principles can be applied to cloud computing, an inherent theme of success lies beneath the surface, which is understanding business processes and risks.
Organizations must have a clear understanding of their business processes and how those processes can use or are using technology. This may seem like a simple task, but the ever-changing technological landscape combined with organizational pressure to be on the cutting edge of advancements can create an environment that allows leaders to rationalize certain decisions without a robust understanding of the long-term impacts, including new risks associated with changing technology.
Spotlight on Strategy
The governance and culture component certainly has a place in the framework as it establishes a tone at the top that supports technology goals and provides adequate resources and supervision to allow for success. However, successful management of technology risks requires a particular focus on the second component, strategy and objective-setting. Drilling down to the four principles of this component reveals why:
Each of the above principles supports understanding or considering future or unknown events, all aspects of the organization, and organizational goals and priorities. Collectively, these are major drivers behind strategy and objective-setting; however, they will vary depending on an organization’s size and maturity.
Leaders who spend the time to develop a cloud technology strategy and integrate it into their risk management program will be able to make better technology decisions. An organization considering cloud computing should evaluate the various cloud computing alternatives against the overall business priorities to ensure alignment. Each alternative presents a different set of risks, so ensuring that a technology solution fits into the organization’s established risk appetite and strategy is essential.
Understanding how cloud computing fits into the organization’s overall strategy reduces unknown risks associated with each of the five components. As stated in COSO’s 2017 publication, “By knowing the risks that will have the greatest impact on the entity, organizations can use enterprise risk management to help put in place capabilities that allow them to act early. This will open up new opportunities.” Organizations that can proactively identify and act on opportunities may create a competitive advantage for themselves.