Fitting IT-Related Risk Into Broader Business Objectives – CMSWire

PHOTO:Benjamin Suter | unsplash

Theres a new COSO preacher in town. Are they a threat or an enabler of a peaceful and safe community? Should we embrace them and listen to their advice?

COSO's "Enterprise Risk Management for Cloud Computing" is an interesting document. I am not a fan, but if you are in IT or responsible for addressing IT-related risk, you might find it of some interest.

It starts reasonably well: "Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that effort. Utilizing cloud computing has become an essential element to compete in the marketplace.

"The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, facing the inertia of accelerated access to cloud based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments."

Lets acknowledge, though, that cloud computing is not new. It has been with us for many years.

I am (just) old enough to remember some of the first database systems. I was a manager with a major public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.

Tom shared his experiences helping a major Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their newest and most powerful mainframes. He told us he was often asked about the differences in deploying database vs. traditional systems. His answer was: Its just another file structure.

In many ways, cloud is similarly a simple evolution rather than a gigantic leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few more challenges, but not so many that IMHO justify a publication from COSO specifically on cloud computing.

COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, "Making Business Sense of Technology Risk").

They get this right: "An organizations management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organizations strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organizations strategy and objectives, align with the culture, and enhance value."

Related Article:Modernizing Legacy Tech: Big Bang or Piecemeal?

The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.

But, and it is a huge but, the authors start with "Governance and Culture." Now I agree that is an important topic, but you dont establish governance structures and processes before you understand the risks and related processes.

They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.

So, lets leave COSO behind and take a far simpler approach:

One concern with starting with a focus on cloud, as this COSO guidance does, is you might end up dedicating scarce resources to a source of minimal risk to the enterprise.

There is, as always, more to be said. The COSO document can be of value by considering all of its detailed suggestions as food for thought, but I cannot recommend adopting it as a framework.

I welcome your thoughts.

Norman Marks, CPA, CRMA is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.

Continue reading here:

Fitting IT-Related Risk Into Broader Business Objectives - CMSWire