30 September 2021

      COSO: Adopting Enterprise Risk Management Framework with a cloud computing environment

      Written by: Mr. Jimmy Lau – Risk Consultant

      Since its first introduction, cloud computing has grown and expanded. The global pandemic and the need for remote work have accelerated that expansion and shortened the implementation timelines of many organizations. In November 2020, Gartner, a global research and advisory firm providing information, advice, and tools for IT leaders, reported that worldwide public cloud service revenue was $243 billion in 2019; estimated a 6% increase to $258 billion in 2020; and projected an 18% increase to $305 billion in 2021. These represent a 3% increase in the 2020 estimate and a 5.5% increase in the 2021 estimate, revised a year and a half later.

      The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, given the momentum of accelerated access to cloud-based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments.

      Framework to be adopted
      The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework (2013) and Enterprise Risk Management – Integrating with Strategy and Performance framework (2017) provide a comprehensive foundation for governance and control of cloud computing and cloud security. The COSO Enterprise Risk Management (ERM) framework provides a construct for organizations to establish governance, identify and respond to risks, monitor performance, maintain communications, and adjust as there are changes to the organization or its business objectives, or to the industry or its environment. The COSO Internal Control framework also provides a tool to use, typically in the performance component of the COSO ERM framework, to assess risks and risk responses.

      Enterprise risk management with a cloud computing environment
      An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program to ensure risk management is considered when setting up the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the organizational strategy and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture and enhance value.

      Set of principles organized into five interrelated components, with examples
      Component 1: Governance and Culture
      Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

      Example for Application
      Creating a cloud-aware culture throughout the organization is necessary to implement governance consistently in the organization. The management shall set the tone for cloud culture, usage, data privacy, data security, and network security. Cloud computing can be used in any department within an organization; therefore, all personnel should understand their roles and the corporate risks associated with cloud computing. A cloud computing lens needs to be integrated into cross-functional planning processes to ensure transparency. Regarding cloud computing as part of the overall strategy, rather than finding independent solutions to meet business needs, is essential for a good cloud governance model. Defining responsible individuals demonstrates the organization’s commitment to core values.

      Component 2: Strategy and Objective-Setting
      Enterprise risk management, strategy, and objective-setting work together in the strategic planning process. A risk appetite should be established and aligned with strategy; business objectives put a strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

      Example for Application
      While cloud computing offers ease of entry and quick changes, before migrating to the cloud, organizations should formally define their overall cloud computing strategy and the goals of migrating to the cloud. There are many reasons for migrating part or all of the IT environment to the cloud, but to obtain benefits and value, IT organizations must work with business functions to understand goals and strategies and create cloud computing strategies that support the business. This cloud strategy should be reviewed by management and other stakeholders (such as board members) to assess other impacts and directions.

      Component 3: Performance
      Risks that may impact the achievement of strategy and business objectives should be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

      Example for Application
      Cloud computing risks should be prioritized and their severity assessed. The assessment can be qualitative and quantitative, and organizations should consider both the impact and the likelihood of each risk. In addition, risks should be evaluated for different types of data, at multiple points in time, and across the organization. For example, the same risk, user access, may have a different severity depending on the cloud application and on the cloud deployment and delivery model: a custom application managed on a private Infrastructure as a Service (IaaS) cloud differs from a public Software as a Service (SaaS) application managed by a cloud service provider (“CSP”) with an underlying Platform as a Service (“PaaS”) CSP supporting it.

      Component 4: Review and Revision
      By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.

      Example for Application
      Technology continues to advance in cloud computing. These advancements have added options for cloud security and migration, and organizations need to evaluate these options periodically to understand how they may affect business goals and the organization’s ability to create additional value.

      Component 5: Information, Communication, and Reporting
      Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

      Example for Application
      A key component of good governance is clear communication and reporting. Without current information provided to the appropriate individuals, suitable decisions cannot be made. Information should be reported and transparent between all appropriate parts of the cloud computing governance plan. Open communication and data sharing ensure that all parties understand the latest impact on risks and risk responses. It also promotes a shared and comprehensive risk management culture within the organization, in which all departments are involved and accountable.

      Cloud computing is one of many technology options available for organizations to utilize. A structured adoption of cloud computing, including a holistic cloud computing governance program that addresses the associated risks and is incorporated into the ERM program, will enable an organization to derive the most value and achieve its strategic objectives.

      Mike Grob & Victoria Cheng (July 2021). Enterprise Risk Management for Cloud Computing. Committee of Sponsoring Organizations of the Treadway Commission (COSO).

      © 2021 ShineWing Hong Kong. All rights reserved.