In issue 4 of the ISACA Journal, the article "Managing Cloud Risk. Top Considerations for Business Leaders" by Phil Zongo was published. Among other references, the article echoes a document from the Australian Prudential and Regulatory Authority (APRA) that raises a concern about how cloud risks are reported to the Board of Directors in regulated entities: the reporting focuses on benefits and forgets the associated risks. For APRA, it is fundamental that the Board of Directors analyzes whether the risk is aligned with the business strategy and the risk appetite of the Organization.
This balance between cloud risk and risk appetite needs to take into consideration information such as:
Apart from the first four, which are descriptive elements of the cloud services, the remaining ones can be shown by the rating label, an element that could be used to show the Board of Directors the risk that the Organization is taking by using specific services, i.e.:
As we can see, using a rating system allows the Board to be informed in a simple, efficient and independent way about the risks taken in relation to the cloud services that the Organization is using.