Risk, Compliance and Governance in
the Cloud
New delivery model brings new concerns
The journey to cloud is one that has many Chief Financial Officers
(CFOs) paying attention, and for good reason. Cloud has the
potential to bring significant business benefit through increased
agility, reduced time to market, not to mention cost savings.
Alongside these benefits lie risks as well. To best prepare the
enterprise or government for the journey to cloud, CFOs must
understand and assess these risks. The key areas of concern are:
• Governance and compliance
• Data security
• Vendor reliability and quality
Compliance in the cloud
For most large multi-national businesses, regulatory compliance,
corporate governance and risk management are areas of growing
complexity and considerable focus. For CFOs, this is arguably the
single most important area of responsibility.
The disruptive nature of cloud and its ability to change the
fundamental operating rules for IT and business can have a
significant impact on the areas of governance, compliance and
risk. Perceived risks differ depending on the cloud delivery
models, so CFOs must carefully assess how cloud services are
provisioned as well as what data, applications and processes are
moved to cloud, whether public, hybrid or private.
As cloud solutions are deployed by an enterprise or government,
CFOs may need to establish new processes and policies to ensure
that corporate compliance and governance maintain the highest
standard. In cloud, there is the potential for data to be stored
not just outside the firewall of the enterprise or government, but
also in another country or geography. So, CFOs must consider
the impact on compliance that passing data across international
borders may have.
“As a global corporation, you have to be cognizant of the laws in
every country where you operate,” says Forbes Alexander, CFO of
US-based Jabil Circuit1. “In parts of Western Europe, it is illegal to
share personal and private information. How does a law account
for you putting it off in a cloud somewhere? I don’t know enough
about that, but I suspect it’s not just as easy as flipping a switch
and putting everything out on a cloud. We’re in the early stages of
figuring all this out.”
Beyond the location of the data, cloud services can quickly
and easily be provisioned by anyone within the business. This
raises new issues around governance, so Chief Financial Officers
should review existing policies and procedures to ensure that
the provisioning of cloud services is handled in accordance with
company requirements.
Concerns about data security
Closely linked to the issue of compliance is the issue of data
security. For many CFOs and CIOs, this is the primary concern
associated with moving to a cloud-based solution provided by a
third party. Data breaches already occur, despite sophisticated
security solutions and state of the-art firewall technologies. For
many C-suite executives, the concept of storing highly sensitive
data with a third party operation, and accessing it remotely adds a
level of security risk that today, they are unwilling to contemplate.
However, a number of applications are seeing wide acceptance as
candidates for cloud, including email and customer relationship
management applications.
However, there exists the potential that cloud service providers
may have best-in class security solutions in place. As Forrester
analyst Chenxi Wang puts it in a recent report2, “Moving to a cloud
service may actually improve your security posture. Think about
it: Is it more secure to store sensitive corporate information on
end user laptops and USBs rather than in a central repository with
a cloud provider that you have thoroughly vetted?”
Careful consideration must be given to what types of data may
be shared and where it is stored. CFOs must also be cautious in
choosing which cloud vendors to trust with their company’s data.
Vetting—and trusting—vendors
The assessment of vendor reliability and quality is important in
determining which type of business applications can and should
be moved to the cloud. Most large companies will already have
policies and procedures in place to handle the selection and
management of vendors. These policies will need to be assessed
and potentially refined to include cloud vendors. This can ensure
sufficient vendor resources are in place to fully support business
applications outsourced to cloud and other long term needs for
the business. Carsten Krogsgaard Thomsen, CFO of DONG Energy
in Denmark, puts it quite simply3: “You want to be sure that
whoever provides the cloud computing is financially strong and
very solid, so that you can be sure they are also there next month.
Also, security of data is a must when using cloud computing.”
Cloud solutions are available for a wide range of business
functions and applications. Thoughtfully determining which
business applications are ready for public cloud and those that
require private or dedicated operation is an important area for
CFO and CIO collaboration. Non-mission critical applications and
less sensitive company data may be prime candidates for early
experimentation with cloud. Longer term, CIOs and CFOs should
work together to plan a roadmap to cloud—both financial and
technological—that maximizes the opportunities of cloud while
addressing the associated risks.
Call your local HP Financial Services representative now or find us
on the web at hp.com/go/hpfs_countries
1
CFO Publishing LLC: “Exploring New Models for Enterprise IT”, November 2011
2
Forrester: “Q&A Demystifying Cloud Security”, October 29, 2010
3
CFO Publishing LLC: “Exploring New Models for Enterprise IT”, November 2011

Get connected
hp.com/go/getconnected
Get the insider view on tech trends,
support alerts, and HP solutions

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors
or omissions contained herein.

4AA3-8422ENW, September 2012