The report, Enterprise Risk Management for Cloud Computing, provides a concise road map to establishing cloud computing governance by leveraging the principles of COSO’s Enterprise Risk Management—Integrating with Strategy and Performance framework, issued in 2017. It was written as the use of cloud computing accelerated, especially because the COVID-19 pandemic spurred a growing need for more remote and flexible work environments.
The report was commissioned by COSO and coauthored by Mike Grob, principal, and Victoria Cheng, managing director, in Crowe LLP’s Consulting Services. It offers instruction on how to use the COSO enterprise risk management (ERM) framework in thinking through evolving cloud computing risks and how to integrate cloud computing with an organization’s ERM function. The report also explains how bolstering cloud governance can help reduce an organization’s risk and allow for more efficient and effective use of cloud computing and monitoring in a multi-cloud environment.
“The speed at which cloud computing can be procured and implemented is one of its many valuable traits,” said Paul Sobel, COSO chairman. “Yet some organizations may not have had the capability to implement appropriate controls designed to mitigate the risks in their cloud environments. A structured adoption of cloud computing, including a holistic cloud computing governance program that addresses the associated risks and is incorporated into the ERM program, will enable an organization to derive the most value and enable the organization to achieve its strategic objectives.”
The new guidance is available at www.coso.org.
September 2021