There’s a new COSO preacher in town. Are they a threat or an enabler of a peaceful and safe community? Should we embrace them and listen to their advice?
COSO's "Enterprise Risk Management for Cloud Computing" is an interesting document. I am not a fan, but if you are in IT or responsible for addressing IT-related risk, you might find it of some interest.
Cloud Computing Issues Aren't All That New
It starts reasonably well: "Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that effort. Utilizing cloud computing has become an essential element to compete in the marketplace.
"The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, facing the inertia of accelerated access to cloud based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments."
Let’s acknowledge, though, that cloud computing is not new. It has been with us for many years.
I am (just) old enough to remember some of the first database systems. I was a manager with a major public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.
Tom shared his experiences helping a major Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their newest and most powerful mainframes. He told us he was often asked about the differences in deploying database vs. traditional systems. His answer was: “It’s just another file structure.”
In many ways, cloud is similarly a simple evolution rather than a gigantic leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few more challenges, but not so many that IMHO justify a publication from COSO specifically on cloud computing.
COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, "Making Business Sense of Technology Risk").
They get this right: "An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value."
Related Article: Modernizing Legacy Tech: Big Bang or Piecemeal?
Start With Business Objectives, Not the Technology
The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.
But, and it is a huge but, the authors start with "Governance and Culture." Now I agree that is an important topic, but you don’t establish governance structures and processes before you understand the risks and related processes.
They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.
So, let’s leave COSO behind and take a far simpler approach:
- Understand what the organization is trying to achieve, its business objectives.
- Consider what might happen (a phrase I far prefer to the four-letter word starting with ‘R’) that could affect the achievement of those objectives: the extent and likelihood of achievement.
- Include consideration of both what is needed to go right (to achieve enterprise business objectives) and could go wrong.
- Understand how the above depend on or are the consequences of the use of technology. You might define a subset of things that involve cloud computing.
- Given all that, are we OK? Is the likelihood of success (achieving enterprise business objectives) acceptable?
- If not, what are you going to do about it?
- Is it best to change processes and such that relate specifically to cloud, or is there a better way?
One concern with starting with a focus on cloud, as this COSO guidance does, is you might end up dedicating scarce resources to a source of minimal risk to the enterprise.
There is, as always, more to be said. The COSO document can be of value by considering all of its detailed suggestions as food for thought, but I cannot recommend adopting it as a framework.
I welcome your thoughts.