Risk governance of digital transformation: guide for risk, compliance & audit teams
Phil Venables
VP, TI Security & CISO, Google Cloud
Nick Godfrey
Senior Director, Office of the CISO, Google Cloud
The ongoing shift toward cloud technologies has transformed industries and continues to accelerate. This has created new challenges and opportunities for Chief Risk Officers, Chief Compliance Officers, Heads of Internal Audit and their teams. As their organizations pursue newfound agility, quality improvements to their products and services, and relevance in the marketplace, executives and their teams rightfully prioritize a safe, secure and compliant adoption process for this new technological environment.
All technological transformations this broad in scope require an adjustment to the risk, compliance and audit practices that ensure they’re safely managed. But we shouldn’t assume that adopting cloud computing means there is more risk to manage, or that it will result in a net increase in risk at all. Cloud is as much a means of managing your security, resilience and other risks as it is a risk in its own right. Independent Risk, Compliance and Audit teams are positioned to add immense strategic value to enterprises, both by charting a course to the safe use of cloud technology and by reducing risk through the use of the cloud.
Our new whitepaper aims to help you achieve those benefits, acting as a guide to the transformational activities that will take place within your organization. The processes we describe in the paper can help you understand what this transformation means for risk, compliance, and audit functions, and how to best position those programs for success in the cloud world.
There are many detailed considerations for each of the functions involved in a successful transformation, so we propose that the following principles, adopted in four core phases, should be your guide and reference when navigating the journey.
Set the cornerstones: establish a common understanding and the key principles that will shape the intent and approach of the organization’s transformation over time.
Build a common understanding. A successful digital transformation requires the orchestration of organizational, cultural, technical and procedural changes. A common and shared understanding of terminology and approaches provides a reference model for those involved in planning and executing across all lines of defense.
Think long term, but act iteratively. Mature your risk and control approach as you go. Delaying your digital transformation to build “perfection” from day 1 is unlikely to be practical but also can be ill-advised from a risk perspective as engagement and maturing through learning will yield a better process in the long run.
Prioritize organizational readiness. Ensure that assessing and enhancing capabilities and skills, and implementing the right organizational structures and operating models are prioritized. Initially this may take the form of dedicated teams, but longer term will require a more holistic approach.
Implement dedicated, but integrated, governance. Establish an overall transformation program oversight approach (e.g., council or committee) and a program office with the relevant leadership oversight. Ensure your technology, operational and security risk governance is acting as a check and balance to the program governance.
Manage the initial phases: implement structures and apparatus that allow the organization to safely conduct initial migrations to the cloud.
Define initial minimum security and configuration standards. Make sure security and other configuration standards, and principles, are developed and updated in light of new work. There should be a clear definition of the minimum standards that apply to a given class of workload (based on criticality of data or business service) during the initial phases.
Define initial risk and compliance oversight. Establish initial risk monitoring frameworks and constantly iterate based on experience and learning - these should include specific metrics and associated thresholds or limits. Leverage independent expertise and testing to validate designs and projects, particularly in initial phases.
Communicate with boards and regulators. The first line of defense should proactively demonstrate to the board of directors, and separately to regulators, that the organization has the appropriate risk management in place. Risk, compliance and audit functions should provide an independent perspective on the degree of controls and adherence to risk tolerances.
Training and skills development. Make sure that the organization has a comprehensive training plan tailored for all staff to develop deeper expertise in cloud technologies, to ensure the safe future transition of responsibility and execution from small dedicated teams to the wider organization.
Mature and accelerate: adjust control and governance structures to enable accelerated adoption of cloud, by increasing control rigor and oversight, and right-sizing governance in parallel.
Develop comprehensive security and configuration standards. Require that there are explicit policies, standards and frameworks for how cloud deployments are to be undertaken and how such standards are to be adhered to. This should enable ‘classes of workloads’ to be developed and deployed, rather than just single projects.
Modernize IT delivery. Determine how technology and business units are preparing to progressively modernize the software development life cycle in order to take advantage of, and sustain, the security risk mitigation capabilities of the cloud. Embed the security and configuration standards into the life cycle and its tooling.
Mainstream risk oversight. Update risk and control taxonomies (risks, controls, impacts) to reflect the organization’s maturing use of the cloud. Adjust oversight processes, such as Risk and Control Self Assessment, in particular to take account of changed responsibility and accountability models, including those of the cloud provider.
Extend continuous control monitoring. When deploying technology in the cloud more of your controls can be expressed as code or otherwise systematized. Leverage this property of cloud to continuously monitor key controls, to assure the controls remain deployed, active where expected and performing in line with stated objectives.
The new steady state: adapt to broad usage by embedding cloud into all relevant risk programs and governance, and by implementing processes to maintain currency with cloud best practice.
Interconnect cloud with other risk programs. Oversee adjustments in connected risk programs, for example in third-party risk assessment and resilience programs, to reflect the use of cloud by the organization to deliver technology, but also to take advantage of reduced risk and increased transparency in cloud services.
Drive continuous improvement cycles. Measure the organization’s ability to continuously improve. Are controls continuously monitored, leveraging the systematic technology and security controls of cloud? Are architectures periodically enhanced, to enable controls that were previously deemed unworkable? Are new cloud provider features being used?
Stay current with cloud best practices, and constantly revalidate assumptions. Adjust regulatory and standards monitoring regimes in order to identify and respond to changes to external cloud requirements and best practices. Amend scenario planning processes designed to examine tail risks in light of these, and as your organization's use of cloud evolves.
Manage legacy in parallel. Ensure that the risk and governance apparatus continues to focus appropriately on existing technology, and that decision making regarding maintenance, upgrades and other day-to-day management is consistent with the ongoing safe operation of legacy systems.
The risk, compliance and audit functions play a key role in leading your company through a complex digital transformation and enabling the benefits of cloud technologies. These teams guide and shape a whole raft of changes to the ways technology, security, resilience and other operational risks are managed. That journey can be made easier with the recommendations throughout this whitepaper, which come from Google’s years of leading and innovating in cloud security and risk management, in addition to the experience that Google Cloud experts have gained from their previous roles in risk and control functions in large enterprises We are excited to collaborate with you on the risk governance of your cloud transformation.