1 Why is governance important?

The mission of the Organisation for Economic Co-operation and Development (OECD) is to promote policies that will improve the economic and social well-being of people around the world. The OECD works to advance these causes, throughout its 34 member nations, through various means including corporate governance. To this end, the OECD has produced guidelines for and reporting of corporate governance.¹

The OECD defines corporate governance as “Procedures and processes according to which an organization is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organization—such as the board, managers, shareholders and other stakeholders— and lays down the rules and procedures for decision-making.”²

So why is governance important? As the OECD has stated, governance defines the rules and procedures for decision making and ensuring oversight of operations. As business operations are moved to cloud service providers (CSPs), the decision-making process can become (for lack of a better word) cloudy. Oversight of operations can become difficult. How do customers, their boards, managers, shareholders, and other stakeholders ensure that their business requirements and interests are adequately met? Unless the risk is also outsourced (e.g., insurance), the responsibility still remains with the customer.

Boards are hearing much about the benefits of cloud computing—lower cost, higher efficiency, faster innovation, and implementation. These are some of the potential benefits depending on strategy and implementation. A full discussion of these potential benefits will not be included in this chapter. For the purpose of this chapter, it is assumed that the enterprise is considering an external cloud provider. Also, for the purpose of this chapter, the word “enterprise” will refer to the organization, or customer, seeking services from a CSP.

2 What are the questions that boards should be asking?

There are questions that boards, to whom the responsibility for the overall governance falls, as well as managers, shareholders, and other stakeholders should be asking. These questions apply to both for-profit and non-profit enterprises. Ideally, these questions should be asked before the transition of operations to cloud services. With the exuberance of something new and exciting, these questions may be ignored or set aside. The answers can determine the readiness of an enterprise in implementing a cloud technology solution and whether that enterprise can be comfortable with the governance and operations of the cloud provider.

These questions may be simple but do require an extensive review of the internal structure of an enterprise.³ Here is a brief discussion of some of these questions:

• Is there a plan for cloud computing and does that plan include benefits as well as risks?

There are potential benefits to implementing a cloud technology solution. These include competitive advantage by bringing new or improved products faster to market (faster development to deployment time), increasing productivity, containing costs. All of these should not be overlooked. If effectively implemented, cloud technology adoption may be worth the risks when compared to opportunity costs of transforming the customer’s enterprise.

What operations will be transitioned to a CSP? Is there an opportunity cost to outsourcing critical operations? An enterprise should consider the potential loss of knowledge (technical and business) if moving to a CSP. Is there a business continuity plan in case of disruption?

• Does these plans support the enterprise’s strategy?

It is not enough to implement cloud technology. How will the solution support the enterprise? What objectives are to be achieved by implementing a cloud technology solution? Careful consideration should be given to tie the objectives of cloud technology implementation to specific goals of the enterprise’s strategy.

• Is the enterprise ready for such a transition?

Does the enterprise have the appropriate staffing to develop and manage cloud services? The expectation will be that the CSP will be hosting services. However, those services will need to be managed. Contracts and service level agreements (SLAs) will have to be negotiated. Terms and conditions will have to be understood and adhered to by the enterprise. If the CSP does not meet the enterprise’s needs, the remaining needs will have to be undertaken by the enterprise.

Does the enterprise understand the effort to transition to a cloud technology? Cloud technology has the potential to disrupt an enterprise’s operations and culture. An enterprise with a centralized structure may not be adequately ready for potentially decentralizing their operations and functions. Also, an enterprise may have to consider adapting their change management or sourcing functions. In addition, the enterprise may have to undertake a review of their staffing skills in order to determine if they can support their own users of cloud services (e.g., access management, help desk support).

What about the enterprise’s regulatory and compliance requirements? The CSP’s data center may not be physically located in the same legal jurisdiction. They may not even be located in the same country. Several nations have their own regulations about the movement of data within and outside their borders. What are the enterprise’s responsibilities regarding compliance? What is the enterprise’s responsibility in case of a breach?

One area that is not often fully defined within organizations prior to migrating to a cloud infrastructure is data management. The issues encountered here include⁴:

• Unclear ownership—ownership is dispersed among various groups within the organization

• Undefined data meaning—incomplete or nonexistent data dictionaries which may lead to data obtained for one purpose but used for another purpose which may not be captured when loading data into a warehouse

• Inflexible data structures or legacy systems

• Ever increasing amounts of data—potential for metadata-related risk, where various sources are correlated to obtain confidential information, or data loss due to incomplete, invalid, or inconsistent practices

• Access controls—acquiring more privileges due to limited access review

What about the enterprise’s existing investments or commitments (e.g., technology, procurement, financial, etc.)?

A cloud technology solution may not be easily or immediately adopted. Current technologies or contracts may be in place with a pre-determined end date (e.g., software or services that are still supported or under contract). If it is determined that adopting a cloud technology solution is in the best interest of the enterprise, the costs of continuing existing technology may have to be included in the cost of implementation.

In addition to staffing skills that may need to be updated, the enterprise may need to consider if there are additional technology investments that need to be made (e.g., data centers, software applications, network infrastructure).

• How will the enterprise measure benefit or risk after implementing cloud technology solution?

As with any new investment and implementation, it is best to measure the value obtained or risk introduced. It is advisable to determine how the value or risk is to be measured before implementation. This is to better understand the position of the enterprise after potentially strategic changes are implemented. These measurements should be shared with the board in order to assess determine if further implementations are warranted.

One commonly used measurement is return on investment (ROI). Such calculations need not be complicated. The next section discusses one methodology.

Cloud services and providers are increasing their abilities to service their customers and many providing niche services such as storage, backup, security, and customer relations management. Therefore, more enterprises will find that cloud technology solutions will become more available. Enterprises will need their boards to provide governance in managing cloud technology solutions and realizing potential benefits while reducing risk and cost.

In order for the board to provide governance, expectations of the cloud technology solution must be aligned with the strategic initiatives of the enterprise. These expectations should also be aligned with guiding principles for using the cloud: enablement, cost benefit, enterprise risk, capability, accountability, and trust.⁵

The process of implementing a cloud technology solution will not be discussed in this chapter. However, a basic process could be defined in four steps⁶:

1. Preparation of the internal environment—principles, policies, frameworks, processes, organization structure, etc.

2. Selection of the cloud service model—determine if migration to cloud model is best solution for the enterprise and, if so, what service (e.g., SaaS, PaaS, IaaS, some combination or subset)

3. Selection of cloud deployment model—determine if a private, public, hybrid, or community cloud model is the best solution for the enterprise

4. Selection of the CSP

This chapter will not discuss in detail the various service or deployment models. For a more detailed review, the reader is urged to consult “The NIST Definition of Cloud Computing.”⁷

3 Calculating ROI

The ROI is one of several methods of estimating potential financial outcome of an investment. To calculate (simple) ROI, the investment cost is subtracted from the investment gain; the result is then divided by the investment gain and expressed as a percentage⁸:

$\mathrm{R}\mathrm{O}\mathrm{I}=\frac{\mathrm{Gain}\mathrm{from}\mathrm{Investment}-\mathrm{Cost}\mathrm{of}\mathrm{Investment}}{\mathrm{Cost}\mathrm{of}\mathrm{Investment}}$

It must be understood that this calculation does not factor in cost of funding (e.g., interest) or time value of money (e.g., the value of money in the future is less than the value of money today). An enterprise needs to define what financial calculations it would use to determine if an investment is worthy of its efforts. Also, an enterprise needs to define what is its investment timeframe horizon (e.g., 1 year, 5 years, etc.). Doing so will indicate what costs and well as gains are to be included in the financial calculations.

Despite its simplicity, the ROI calculation is a good starting point for those investments where the benefits and costs can be quantified. In implementing a cloud technology solution, there are both tangible (which can be quantified) benefits and costs and intangible (could be considered as strategic) benefits and costs. CSPs and other providers would gladly calculate these benefits and costs. The true calculation must be considered from the perspective of the enterprise.⁹

It may be easy to list the tangible benefits of a cloud implementation. There are potential benefits to be gained by cost reductions (e.g., physical hosting, labor, licensing, support, maintenance), increased productivity, scalability, and reliability. What may not be easy is defining the metrics in order to quantify these benefits.

For example, an enterprise may consider greater customer satisfaction as a benefit. This may be defined as reduced time in collaborative efforts with or reduced response time to customer inquires. After consideration, an enterprise may consider this to be an intangible benefit. As an enterprise details their cloud technology solution, addition benefits may be evident.¹⁰

Intangible benefits are those that may not be quantifiable and, therefore, may not be included in financial calculations. However, they should be considered as part of the proposal to consider a cloud technology solution. These benefits may not initially have quantitative value but may produce such values as the enterprise moves through its implementation phase and conducts business. For example, increased business opportunities (or avoidance of missed business opportunities) may not be evident initially.¹¹

One potential intangible benefit that an enterprise may consider is security risk transfer. CSP’s may be better able to prevent or mitigate security breaches or loss of data. They may also be partners in disaster recovery. However, the customer must understand that ultimate responsibility for their assets (including data), regardless of their location, rests with the customer. The enterprise is ultimately responsible for security and compliance.¹²

The ROI includes not only benefits but costs as well. These costs can be broken down into upfront, recurring, and termination costs. As with benefits, the costs must be considered over the timeframe of the investment. These costs also need to be considered from the enterprise’s perspective.¹³

It may be easier to consider the upfront or initial costs. As with implementing any new technology, there are costs for configuration and integration. As mentioned in the previous section, there are costs to be considered regarding the enterprise’s readiness. These could include training and process reevaluation.¹⁴

Recurring costs include those items that the enterprise pays on a periodic basis. These include subscription and support fees, which are usually defined in the contract and may be incurred on a per user basis. However, there are costs in monitoring the CSP’s activities and verifying that they are meeting the enterprise’s mutually agreed contract, SLAs, and other operating procedures.¹⁵ This is where the governance of the enterprise can dictate the level of review.

The costs due to termination of a contract may not always be considered as part of the cost of investment. These costs are incurred when services are either transferred to another provider or reverted into the enterprise’s internal operations. In some cases, this transition may be due to changes in regulations or economics. It may also be due to changes in the enterprise’s business operations.¹⁶

Regardless of the causes, considerations should be given for these costs. Once assets are placed in the cloud, extraction and validation from cloud storage or processing hardware will be necessary. This may also require reconfiguration or reprovisioning of systems, recruitment of staff resources, and early termination fees. A customer may consider including costs due to running dual processes as data and systems are being transferred and confirmed.¹⁷

Once an enterprise has determined that the investment is necessary, the need to verify operations in a cloud technology solution may be required. There are a number of regulations, such as Sarbanes-Oxley in the United States, that require enterprises to verify controls are in place and working effectively. The following section describes a methodology to audit a cloud technology solution.

5 Conclusion

A successful implementation of cloud technology depends upon the relationship between the enterprise and the CSP. That relationship starts with an understanding of the governance structures of both parties. This understanding can start with the enterprise asking questions of how the cloud technology solution is to benefit the enterprise’s strategic goals and how the enterprise is ready for such a transition. A calculation of the investment from the enterprise’s perspective can provide a starting point of the benefits as well as the costs of a cloud technology implementation.

Even prior to an implementation, an enterprise could consider reviewing the operations of a potential CSP. Such a review could include available policies and procedures as well as third-party reports. Regulatory and compliance requirements of both parties should be understood prior to services being conducted. This is particularly important in industries with multiple regulatory bodies or where there is a potential for trans-border data flows. It is important to note that cloud technology development should be integrated into the enterprise’s change management process. Monitoring and incident reporting should also be integrated into an enterprise’s processes.

Finally, the breadth and depth of a review of the implementation of a cloud technology can be broad. The level of review needs to be defined by the enterprise’s governance requirements and agreements with the CSP.