Innovate with Your Head in The Clouds: Balancing Cloud Risk with Innovation


As cloud computing continues to bring about dramatic technological advances, organizations must balance the risk of not innovating against their risk appetite for cloud usage. This should begin with the establishment and maintenance of a formal cloud governance framework, ideally applied before adopting cloud computing solutions from third parties.

Many organizations are currently cultivating a technological landscape of multi-cloud[1] and on-premise[2] systems to make better decisions more quickly and deliver innovative services without compromising user experience or security posture.

The benefit of cloud is that it democratizes computing consumption, facilitating organizational strategies that contemplate or fine-tune approaches to data analytics, artificial intelligence, automation and other technology innovations by harnessing enhanced computing power, rapid deployment, leading-edge functionality and data storage more quickly and efficiently.

A cloud computing governance framework defines management’s desired practices, policies and controls and provides a structure for aligning technology with business strategy. By following a consistent framework, organizations can produce measurable results toward achieving their strategic goals.


Key components of a Cloud Governance Framework

Cloud Policies and Procedures – Document policies and procedures governing cloud adoption, usage, data security, contracting and vendor management, and termination to guide the organization. Take steps to make sure the policies and procedures are being implemented properly.

Cloud Strategy – Establish a cloud strategy that encompasses cloud selection, deployment and ongoing usage that is aligned with organizational objectives and built into the IT strategy. Cloud strategy contributors should represent different organizational functions (i.e. finance, human resources, marketing, technology, operations, etc.) and have senior executive ownership and support.

Risk Assessment – Perform a risk assessment to help determine which business processes, applications, and data are cloud viable based on the organization’s risk appetite. This should still be done even if the organization has already gone to the cloud. Consider the following risk areas:

  • Financial reporting
  • Fraud (internal and external)
  • Cyber risk and data security
  • Operational disruption (e.g. business continuity and disaster recovery plans)
  • Outsourcing risk
  • Regulatory compliance (e.g. SOX, HIPAA, privacy laws, etc.)
  • Reputational risk
  • Vendor lock-in (e.g. the difficulty of changing CSPs due to factors like data portability, CSP-specific technology, etc.)

Internal Control – Don’t let internal control lag behind innovation. Start by mapping the organization’s current controls to the cloud environment and determine whether cloud risks are mitigated. Leverage cloud risk and control frameworks such as ISACA’s COBIT 4.1[3] or the Cloud Security Alliance’s Cloud Controls Matrix[4] as a guide. Where needed, update risk and control documentation to reflect the current cloud environment. For unmitigated cloud risks, assess the organization’s risk appetite for each; risks can be accepted, mitigated, or monitored.

Vendor Management – Define ownership of the cloud vendor management program and how it incorporates into the overall risk management framework and vendor management strategy.

Data Governance – Ensure the organization has a detailed data classification to help determine which data can reside offsite and is appropriate to be in the possession of cloud service providers (CSPs) and potentially their third parties.


Now What?

Wondering where to start? Begin the cloud governance journey by identifying an executive sponsor and establishing a cross-functional implementation team to plan, design, implement, manage and continuously monitor and enhance the cloud governance framework. Secondly, define critical success factors to measure the team’s success and to continually fine-tune the framework and strategy needed to drive cloud governance effectiveness.



[1] Multi-Cloud – Multi-cloud refers to an organization that uses two or more cloud service providers.
[2] On-Premise – Technology and software owned by the organization and located within the physical bounds of the organization, e.g. the organization’s data center.
[3] ISACA’s COBIT 4.1 – ISACA is a global association that engages in the development, adoption, and use of globally accepted knowledge and practices for information systems. ISACA created COBIT, which stands for Control Objectives for Information and Related Technologies, a framework for IT management and governance.
[4] Cloud Security Alliance’s Cloud Controls Matrix – Fundamental security principles for use in assessing the overall security risk of a cloud provider.