Cloud sourcing – IT risks and rewards


29 May 2014


In the constant quest to increase efficiency and profitability, and cut costs, boards are open to new ways of thinking. IT is an area providing endless possibilities, and now, with the growing acceptance of cloud technology, it will continue to do so. But, as ISACA explains, there are a number of questions boards should ask themselves when looking to adopt cloud services.


Board members are hearing more and more from their management teams about the noteworthy business benefits of cloud computing: cloud strategies make the enterprise more efficient and agile; cloud computing allows delivered services to be more innovative and more competitive; and cloud computing reduces overall operating costs.

But, how confident can boards be that management plans will achieve these benefits? Is there a way to know that, even if the benefits are real, increased operational risk will not outweigh those benefits? Fortunately, by understanding what cloud is and what it is not, and by asking a few key questions of management teams, boards can gain that confidence in management plans and strategic goals, as well as in the decisions made in response to those plans.

To establish a clear direction that is aligned with enterprise strategy, members of the board need to have a clear understanding of cloud computing benefits, and how to maximise them through effective end-to-end governance practices. This requires the board to see cloud computing not as an IT project, but rather as a business technology strategy. This understanding helps to ensure that stakeholder needs are considered, and met, while risk and resource uses are optimised.

The following questions help to identify the strategic value that cloud services may provide to the enterprise, and the impact that cloud could have on enterprise resources and controls.

Do management teams have a plan for cloud computing?

The risk of cloud adoption may be inconsequential when compared with the lost opportunity to transform the enterprise with effective and strategic use of cloud computing. The loss can be particularly great when competitive enterprises take steps to leverage those same opportunities. From a strategic perspective, cloud computing can be a vehicle to:

  • gain a competitive advantage
  • reach new markets
  • improve existing products and services
  • retain existing customers
  • increase productivity
  • contain costs
  • develop products or services that would not be possible without cloud services
  • break geographic barriers.

How do current cloud plans support the enterprise's mission?

Cloud services should support efforts to achieve business objectives, which are derived from stakeholder needs - as vetted by the leadership team. Cloud initiatives should have a clear and traceable link to the enterprise strategy so that the value expected from cloud services is clearly defined, accepted and measurable. This link also helps to determine the priority assigned to cloud initiatives and supports the development of metrics to measure results against expectations.

Alignment between cloud objectives and enterprise objectives is critical for effective risk management and cost containment. The potential benefits of cloud services can be enticing, but with reward comes risk. The enterprise must decide whether the potential risk is within acceptable limits.

Have executive teams systematically evaluated organisational readiness?

Pressure points result when:

  • cloud computing implementations conflict with enterprise culture
  • skills that are required to support cloud solutions are not available
  • cloud-related processes conflict with other established processes
  • organisational structure does not maximise cloud effectiveness or efficiency.

Evaluating the readiness of the enterprise in anticipation of the adoption of cloud services avoids the need for after-the-fact culture, skill or process changes to remove unanticipated pressure points. A systematic readiness assessment can help management identify additional costs and risks that should be factored into the decision process. This readiness assessment should include the following:

  • policies and procedures: new policies and procedures that guide the adoption, management and proper use of cloud computing may be needed
  • processes: existing processes using traditional IT services may need to be re-engineered to incorporate new activities that are related to using cloud services
  • organisational structures: cloud management may require new organisational capabilities or modifications to existing organisational structures, particularly in IT operations and support
  • culture and behaviour: organisational culture and behaviour can be critical to the successful adoption of cloud solutions
  • skills and competency: procurement, legal, compliance and audit are some examples of functions that may need to develop necessary skills to manage cloud services from evaluation and sourcing to operations and retirement.

Have management teams considered what existing investments might be lost in their cloud planning?

Cloud computing may not be an immediate and clean fit with the existing technology portfolio of the enterprise. The adoption of a cloud service may, for example, obviate already-made technology investments that have not reached their planned end date. The decision about when and how to realise that loss must be considered carefully. Areas to consider include:

  • processes: the IT organisation may need to adapt processes such as sourcing and change management
  • culture and behaviour: cloud services may demand faster turnaround from the IT organisation, which may necessitate changes in internal processes and tools
  • services, infrastructures and applications: the enterprise may need to update data centres, software applications and network infrastructures, resulting in some level of lost investment being realised
  • skills and competencies: the IT organisation will need to either develop or acquire the skills required to support users of cloud services, if those skills do not already exist within current staffing.

Do management teams have strategies to measure and track the value of cloud return vs risk?

Before deciding to adopt cloud computing, the board should give management teams the task of ensuring that proper reporting mechanisms are in place to measure value and risk aligned with enterprise goals.

As cloud services and providers mature, more enterprises will use some form of cloud computing. Boards of directors need to provide guidance to help the enterprise realise the benefits, optimise the risk and control the cost. A good way for boards to initiate this guidance is to ask cloud-specific questions. The answers to these questions can help determine whether the enterprise is ready to adopt cloud computing, and whether the value created will have a positive impact on enterprise goals.

For a board to know whether cloud services will meet the expectations for cloud computing, it first needs to know that expectations for cloud computing are aligned to the enterprise strategy. The first step in governing cloud computing is for the board to establish a common understanding of expected benefits and the mechanisms to track and measure them. COBIT 5 from ISACA and its related products can be used to govern and manage complex investments like cloud services. Using COBIT 5 to implement consistent practices can help to maximise value and control risk.

Excerpted with permission from ISACA's 'Cloud Governance: Questions Boards of Directors Need to Ask' 2013 © ISACA.