Fitting IT-Related Risk Into Broader Business Objectives


There is a new COSO preacher in town. Are they a risk or an enabler of a peaceful and secure community? Should we embrace them and listen to their guidance?

COSO’s “Enterprise Risk Management for Cloud Computing” is an interesting document. I am not a fan, but if you are in IT or responsible for addressing IT-related risk, you may find it of some interest.

Cloud Computing Challenges Aren’t All That New

It starts reasonably well: “Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that work. Using cloud computing has become an essential element to compete in the marketplace.

“The speed at which cloud computing can be procured and implemented is one of its many valuable attributes. However, facing the inertia of accelerated access to cloud-based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments.”

Let’s accept, however, that cloud computing is not new. It has been with us for many years.

I am (just) old enough to remember some of the first database systems. I was a manager with a large public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.

Tom shared his experiences helping a large Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their latest and most powerful mainframes. He told us he was often asked about the differences in deploying database vs. traditional systems. His answer was: “It’s just another file structure.”

In many ways, cloud is similarly a simple evolution rather than a giant leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few additional issues, but not so many that IMHO justify a publication from COSO specifically on cloud computing.

COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, “Making Business Sense of Technology Risk”.)

They get this right: “An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.”


Start With Business Objectives, Not the Technology

The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.

But, and it is a big but, the authors start with “Governance and Culture.” Now I agree that is an important topic, but you don’t build governance structures and processes before you understand the risks and related processes.

They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.

So, let’s leave COSO behind and take a far simpler approach:

  1. Understand what the organization is trying to achieve, its business objectives.
  2. Consider what might happen (a phrase I much prefer to the 4-letter word starting with ‘R’) that could affect the achievement of those objectives: the extent and likelihood of success.
  3. Include consideration of both what is needed to go right (to achieve enterprise business objectives) and what could go wrong.
  4. Understand how the above depend on or are the consequences of the use of technology. You may identify a subset of issues that involve cloud computing.
  5. Given all that, are we OK? Is the likelihood of success (achieving enterprise business objectives) acceptable?
  6. If not, what are you going to do about it?
  7. Is it best to change processes and the like that relate specifically to cloud, or is there a better way?

One problem with starting with a focus on cloud, as this COSO guidance does, is that you might end up dedicating scarce resources to a source of minimal risk to the enterprise.

There is, as always, more to be said. The COSO document can be of value if you treat all of its detailed suggestions as food for thought, but I cannot recommend adopting it as a framework.

I welcome your views.

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management, and publishes regularly on his own blog.