The role of the board of directors in Enterprise Risk Management (ERM) is changing significantly and becoming increasingly challenging due to major trends like cloud migration and big data, as well as initiatives in mobile computing such as Bring-Your-Own-Device (BYOD).
The board of directors and senior management have to periodically rethink their ERM approaches, concepts, techniques and tools to meet new business objectives and to achieve process enhancements.
Adopting a structured approach to ERM by using industry best practices such as COBIT, COSO, ISO 31000, ITSM/ITIL, etc. provides a vital instrument to develop a common language that builds a "community of purpose" between operations and strategic business, and facilitates the discussion across the organisation.
Cloud computing in particular affects the full spectrum of financial risks, infrastructure risks, market risks and reputational risks. In the latest paper published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), titled Enterprise Risk Management for Cloud Computing, I read the following: "The more educated executives become about the risks and benefits of cloud computing, the more effectively they will be able to prepare their organizations for the future." I couldn't agree more. This is all about effective business alignment and communication of agendas, priorities, decision making and responsibilities.
Of course, One Size Fits None. The recommendations of ERM frameworks are not the one and only way to build a comprehensive strategy. Each organisation must develop its own approach and strategy to ERM, not just copy what others do.
Unfortunately many organisations don't know where to start. If you feel the same, I would recommend starting with the COSO thought paper mentioned above. A key piece of guidance in this document is chapter 6, "Recommended Risk Responses for Cloud Computing". This chapter elaborates on recommended risk responses for some of the most significant cloud-related risks:
| Cloud-related risk | Recommended risk response |
|---|---|
| Unauthorized cloud activity | Cloud policies and controls |
| Lack of transparency | Assessments of the Cloud Service Provider (CSP) control environment (see also my blog article One Size Fits None) |
| Security, compliance, data leakage, and data jurisdiction | Data classification policies and processes |
| Transparency and relinquishing direct control | Management oversight and operations monitoring controls |
| Reliability, performance, high-value cyber-attack target | Incident management |
| Noncompliance with regulations | Monitoring of the external environment |
| Vendor lock-in | Preparation of an exit strategy |
| Noncompliance with disclosure requirements | New disclosures in financial reporting |
An effective governance, risk and compliance program depends on a deep and solid understanding of the risks themselves, and of the mitigation or acceptance strategies attached to them. This thought paper gives you a good start in understanding the most significant risks and building an appropriate response to them. The paper concludes with the following sentence: "By being aware of the risks and other issues related to cloud computing, executives are more likely to achieve their organization’s objectives as they manage the risks in this dynamic and evolving environment that likely will become the most popular computing model of the future."
In addition, Symantec solutions like Symantec Control Compliance Suite help you address these challenges by providing a solid framework on which to build your IT Governance, Risk, and Compliance program. It allows you to communicate IT risk in business-relevant terms, prioritize remediation efforts based on a composite view of risk, and automate assessment processes to improve your overall security and compliance posture. Other solutions like Discovery, Retention Management and Data Loss Prevention provide data classification, enforcement of retention policies, and discovery, monitoring, and protection of confidential data wherever it is stored or used. Many organisations around the world also already rely on Symantec Managed Security Services to build and sustain a resilient incident management program.