COSO issues road map on cloud computing ERM

The Committee of Sponsoring Organizations of the Treadway Commission issued guidance Wednesday on enterprise risk management for cloud computing to help organizations using COSO’s ERM framework improve their cloud governance.

The document offers a roadmap to implementing cloud computing and discusses various roles and responsibilities. The guide includes a structure to use the COSO ERM framework in contemplating the changing risks of cloud computing. The project was commissioned by COSO and co-authored by Crowe consulting services principal Mike Grob and managing director Victoria Cheng.

COSO is a voluntary private sector organization that formed in 1985 and is jointly sponsored by the American Accounting Association, the American Institute of CPAs, Financial Executives International , the Institute of Management Accountants, and the Institute of Internal Auditors. Its ERM and internal controls frameworks are widely used at many organizations, and the document released Wednesday aims to help companies get a better handle on the risks associated with cloud computing.

“The speed at which cloud computing can be procured and implemented is one of its many valuable traits,” said COSO chairman Paul Sobel in a statement. “However, some organizations may not have had the capability to implement appropriate controls designed to mitigate the risks in their cloud environments. A structured adoption of cloud computing, including a holistic cloud computing governance program that addresses the associated risks and is incorporated into the ERM program, will enable an organization to derive the most value and enable the organization to achieve its strategic objectives.”

Use of COSO’s ERM framework allows cloud computing to be integrated with an organization’s ERM function. The document describes how to apply the COSO ERM framework by evaluating each component along with the 20 principles to cloud computing governance.

“Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance,” Grob said in a statement. “Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.”

The guidance points out that organizations that haven’t yet created a cloud governance program can do it anytime and keep updating it as changes occur. By including cloud governance within a company’s cloud computing processes, the organization is better positioned to deal with risks that threaten its strategy and goals.

“Bolstering cloud governance is even more important in today’s multi-cloud environment as it will reduce the organization’s risk and allow for more efficient and effective use of cloud computing and monitoring,” Cheng said in a statement. “The cloud computing governance approach provides a holistic view of cloud computing throughout the organization.”