Maximising cloud value: The essential role of risk and controls

Migrating to the cloud is more than just a technology change. It affects and involves senior leaders and their respective business units or functions – from Finance to Risk, from Talent to Procurement, and more. To effectively identify all cloud-related risks, it is critical to engage other disciplines and business functions at the earliest point possible. Failing to do this will result in having to “bolt on” controls later through remediation work which is both labour-intensive and costly, and which may even hamper the development of new applications.

Many organisations still struggle to promote effective collaboration and engagement between technology and business teams. By proactively engaging with management and senior stakeholders at the planning stages of their cloud journey, cloud-powered organisations improve their chances of success. In almost half of the cases, our research shows that companies are currently waiting until the design or implementation phases of their cloud transformation before engaging with leaders from other business areas. As well as delaying cloud-related benefits, this misses an opportunity to co-create flexible cloud solutions with respective controls that can meet differing needs – instead of creating a proliferation of point solutions that need rework to be realigned.

Figure 2: At which stage, if at all, in a cloud transformation project, do you start to collaborate with the leaders and/or team responsible for each of the following: 

_{Source: PwC EMEA Cloud Business Survey 2023}

Key takeaways: to enable early and successful collaboration in a cloud transformation, organisations should…

• Create an overall cloud executive leadership steering committee from day one with strong CEO sponsorship. This committee should include representatives from all the relevant functions, with different members taking the lead depending on the nature of the specific cloud risk at hand.
• Assess cloud readiness and the overall risk profile at the beginning of your cloud journey and/or before you deploy new workloads, validating the controls environment for compatibility with the chosen cloud model (public, private, or hybrid) and any industry-specific compliance requirements or regulatory standards that will impact the migration, such as the EU’s Digital Operational Resilience Act (DORA) in financial services. This means conducting a readiness assessment against relevant standards and determining which controls will be needed in both the transitional period and the target environment.
• Ensure that the cloud strategy and plans are aligned with the existing IT architecture, as well as with the organisation’s business, technology capabilities and targets. A properly designed control environment will need to take these elements into account, since cloud risks can be present across the IT estate and impact business areas across the organisation. 

Almost three-quarters – 73% – of the EMEA companies in our survey are taking a multi-cloud approach to their cloud transformation, with only 25% using one CSP exclusively for all workloads. This reflects the fact that multi-cloud offers several benefits such as higher flexibility and robustness, by enabling enterprises to choose the right CSP for each workload and select from a wide array of software-as-a-service (SaaS) providers to enable specific business processes.

However, there is also a downside: alongside the benefits, the adoption of multi-cloud introduces higher levels of complexity and risk, requiring organisations to develop a security and controls model that can be applied across different CSPs. Many companies have struggled to create such a model, since each CSP has its own approach to security and governance and uses different security tools, all of which make consistency difficult to achieve.

Key takeaways: to help equip the risk and control framework for a multi-cloud environment, organisations should… 

• Perform an overall assessment of the internal control framework of the chosen CSPs – including aspects such as risk taxonomies, control framework, approach to resilience and continuity management – prior to making (or renewing) any contractual agreement.
• Adopt strategies to facilitate the monitoring of complex multi-cloud security frameworks through “single pane of glass” solutions that bring multiple tools together. Defining technology risk in a cloud-agnostic way gives organisations the ability to mandate common controls regardless of vendor or technology stack used. Supplementing these with vendor-specific technology risks gives organisations the detail needed to define specific controls to monitor and manage risk.
• Move at the speed of the team rather than the speed of the control – replacing legacy controls with automated controls lowers the cost of compliance and improves coverage. Cloud infrastructure is shared and allocated dynamically, requiring new controls and control ownership that can keep pace with modern accelerated software engineering and platform delivery practices. By taking advantage of new cloud workflows, organisations have introduced automated controls for change, release, deployment, configuration, capacity and incident management. Combined, these reduce reliance on manual approaches and free up teams to deliver at speed while demonstrating control.
• Rigorously address network security and monitoring by implementing cloud-native security solutions that are scalable and adaptable to the dynamic nature of cloud infrastructure. These solutions can provide comprehensive insights into network traffic across both cloud and on-premises environments. A Zero Trust security model and collaboration with CSPs are integral components.
• Mitigate the risk of vendor lock-in by assessing options from a range of CSPs when procuring new products and/or services. Vendor lock-in can result in a complicated, costly, and operationally challenging transition to other provider(s) and make it more difficult to implement changes to the underlying cloud architecture or landing zone.

Cloud-powered companies tend to have stronger alliances between their C-suite colleagues across both technology and business roles, including risk functions such as 1^st and 2^nd Line of Defence. These close relationships foster early engagement and facilitate a collaborative approach to leadership and decision-making throughout the cloud transformation journey. Because risk officers ultimately oversee the effectiveness of the cloud risk and control framework, their involvement is critical from the outset. It is also important to include the 3^rd Line of Defence – Internal Audit – since the cloud transformation and implemented cloud platforms should form part of the periodic audit-testing reviews.

Figure 3: Which of the following best describes your relationship with each of these executives specifically in relation to achieving your cloud transformation goals?

_{Source: PwC EMEA Cloud Business Survey 2023}

Key takeaways: to strengthen and optimise relationships across the C-suite, organisations should…

• Ensure strong support from the Executive Leadership and Board to foster the continuous collaboration required to address cloud risk issues and prevent them from recurring.
• Make your Chief Information Security Officer (CISO) and Chief Data Officer (CDO) part of the overall Cloud Leadership to help lay the groundwork for security and privacy throughout the cloud infrastructure. Security teams and IT teams should have formal playbooks to be able to work together in securing processes and infrastructure in the cloud.
• Institute and facilitate regular discussions between the CIO, CISO, CRO and the different Lines of Defence.
• Involve the COO/Chief Product Officer and Chief Legal Officer in assessing the impact of the cloud transformation on the contractual customer commitment of both the CSP and the organisation.
• Engage the Executive Leadership in charge of the ESG strategy to ensure they understand and capitalise on the sustainability impacts and opportunities presented by cloud computing.

Regulations around the use of cloud are continually changing – including the complexity of complying with them, in particular when dealing with different regulations across several EMEA countries.  As an example, multinational organisations operating in Europe need to consider the different data privacy regulations in force across the 27 EU member states, as well as the General Data Protection Regulation (GDPR), the overarching EU data regulation. Across EMEA, the diversity of regulations is even greater.

There are also industry-specific regulations that companies must comply with. A prime example, already mentioned, is the EU’s DORA in financial services, which requires financial institutions to follow specific rules around the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. Regulations like DORA are acting as accelerators for cloud controls and cloud maturity across EMEA – mirroring the effect in the US of regimes like the Federal Risk and Authorization Management Program (FedRAMP) and Health Insurance Portability and Accountability Act (HIPAA).

Key takeaways: to keep pace with data regulation and stay in compliance with industry requirements, organisations should…

• Ensure resilience in compliance is maintained with the evolution of regulations, such as DORA incident response and operational resilience program tailored to your cloud environment
  
• Implement a comprehensive testing programme to prove the effectiveness of incident response and operational resilience capability and implement controls to monitor resilience through both small and major changes.
• Build and adopt a consistent digital data model taking into account key compliance issues as well as interfaces, maintenance facilities, and traceability.
• Define and plan the cloud solutions to adopt ahead of the migration or deploying of new workloads to ensure there is no infringement of local regulations. For example, employee analytics obtained through cloud solutions or people performance measurement based on employees’ personal data is not permitted in some territories.
• Involve the relevant C-suite (i.e. Chief Financial Officer, Chief Compliance Officer, Chief Data Officer) when issues related to regulatory risk arise.  

Based on PwC's 27th CEO survey, 70% said that GenAI will significantly change how their organisation creates, delivers and captures value in the next three years. AI has the potential to enhance productivity within enterprises – however, without data, there is no AI; and without cloud, organisations will struggle to scale AI and unlock value. Clearly, therefore, AI adoption will increase cloud adoption and influence an organisation’s cloud strategy. This could lead to the development of a multi-cloud infrastructure for access to the latest models, or rapid migration towards a single cloud provider to reduce cost.

The adoption of AI will create new vulnerabilities and could heightens existing risks in areas such as data, cybersecurity, and technology. These risks range from new threat vectors to uncontrollable cloud expenses associated with operating AI. While cloud-based AI deployment amplifies existing risks like cloud vendor lock-in, there are also new AI components to consider, such as vector databases that may store sensitive data requiring protection. Additionally, AI-specific risks such as "hallucinations" and the need to comply with new AI regulations like the EU AI Act must be considered, alongside other horizontal and sectoral regulations.

Key takeaways: Unlocking the value from AI requires a strong governance framework

Responsible AI (RAI) is an approach that promotes both risk management and value maximisation in the deployment of AI-based solutions. It involves adopting practices that ensure AI technology is aligned with ethical standards, maximises value, and mitigates risks. This dual focus enables organisations to harness the full potential of AI while being prepared for emerging regulations.

• Assess the new and heightened risks from adopting and using AI. Alongside your cloud governance framework, integrate and adapt existing controls to protect value from your AI investments.
• Consider your cloud service providers’ ethical and Responsible AI practices when selecting a third-party cloud-based AI vendor.
• Implement data and security controls on your GenAI cloud platform.
• Monitor cloud costs, as these can be exacerbated by the use of AI. Enhance your governance frameworks to effectively manage cloud resources and mitigate the risks of cloud sprawl.