The Edge of Risk Menu Search
New thinking on corporate risk and resilience in the global economy.

Cloud Computing Is a Board-Level Strategic Issue

Visiting Fellow at Macquarie University Applied Finance Center and Member of the Macquarie University/Optus Cybersecurity Hub at Macquarie University

Cloud computing is both old and new. The availability of on-demand computing power is as old as the “time-sharing” concept of the 1970s and “remote data storage” that was developed in the 1980s, mainly to secure data off-site in case of a disaster. The outsourcing of hardware and software to third parties became a valid computing strategy for businesses in the 1990s. But in the last decade, the emergence of faster and smaller computers, high-density data storage and very fast and ubiquitous fiber optic networks has changed the economic equation that governed the placement of computer capabilities in the past.

Asia may have been a bit slower to get off the blocks, but Asian businesses have now joined the race.

Cloud computing, or the provision of access to computer power and/or data without having to have detailed knowledge of its location, is a logical extension of the long-standing concept of “virtualization.” For example, is a virtual address, and to access technical news, a reader does not have to know where the computers running BRINK’s website are. That is resolved, when needed, by a huge network of computers in the Internet Domain Name System.

But cloud computing is also relatively new—particularly in Asia—and as a result, what has been called the “hyper-convergence” of advances in computing, data and networks, also signals a fundamental change to how technology will, in future, support the strategic objectives of a firm.

Today, IT departments are experimenting with moving some of their business applications or databases onto a “public” or “private” cloud, which is provided by a new breed of technology suppliers, such as Amazon, Google or Alibaba, or by old hands at computing, such as Microsoft or IBM. These cloud suppliers claim to be able to provide access to additional computing or data storage on demand, or at least in rapid fashion, and certainly faster than the traditional model of purchasing additional computers. This business model is all about flexibility and (possibly) cost savings.

Risks and Benefits

The vision of cloud computing is extremely enticing for accountants and IT managers. Just move all of our expensive hardware to the cloud, they say, and we will be able to get rid of our huge, expensive data centers and, with a bit of luck, some of our costly staff as well. Though there is a modicum of truth in that vision, it is far from the whole story.

The real story is not about cost savings but about enabling businesses to do things that were not possible before. And there is a second story about the new types of business risks that are created by adopting cloud computing. One major class of risks that is turbocharged in a cloud environment is cyber risks. For instance, an early adopter of cloud computing, the small UK bank Tesco, was the victim of a “monster cyberattack.”

Traditionally, because computers were large, expensive and had to be housed in special data centers, IT purchase decisions were somewhat disconnected from business strategy. Purchases of computers and data centers were considered capital expenses, the costs of which had to be recovered from business savings over a prolonged period (typically 3-5 years). In that process, the chief information officer had to guesstimate what might be needed in the future and propose some very expensive IT purchases ahead of time. But more importantly, for directors, IT has been considered an afterthought—a detail left to be sorted out by technicians.

Cloud computing is a supercharged form of outsourcing, entailing all the risks of traditional outsourcing and more.

But what if IT capabilities could be switched on and off when needed? This is the vision of cloud computing. What if the firm went into a new market and supporting technology could be “switched on” from day one? What if the venture didn’t work; could we then just get rid of the computing costs in the same way as we lay off staff? In theory, with cloud computing, yes.

This changes the dynamics of IT costs, which become an operational, rather than a capital, expense.

This seemingly mediocre change in how IT is accounted for, means that when making strategic decisions, board members will be forced, in future, to consider what type of computing capabilities they will need because that is now an integral part of the strategic cost-benefit analysis. In fact, when products and services are supplied to customers through technology rather than face to face contacts, technology is the strategy.

In turn, this means that directors in future must have a deep understanding of technology capabilities to make better (even adequate) strategic decisions. And if they don’t, more tech-savvy competitors can beat them to market with better products at a lower cost.

But there are some new and potentially devastating risks in this new world.

Risks in the ‘New World’

First, if directors do not realize that they are operating in a new paradigm, then their strategies will fail to achieve their business objectives as nimbler competitors will beat them to market, again and again. This is known as strategic technology governance risk, or a failure to put in place the correct governance structures to manage the strategic impacts of technology.

Additionally, cloud computing is like traditional outsourcing but supercharged, and hence creates all the risks that firms have experienced in the past with outsourcing, and more. For example, which cloud provider? Today, the choice might be obvious—for example, Amazon, Alibaba or Google, because they have thousands of computers and millions of terabytes of data available in their data centers, and they are very successful companies.

But will Amazon or Alibaba be in the cloud business five or 10 years from now, just when a new strategy is about to come into its profitable phase? It is not a reflection on either of these great companies to suggest they might not. These companies are in the business of cloud computing not as their main business but as a way of making marginal profits on unused resources. But if those resources need to be used to support their core business or if the marginal profits do not cover their costs, or importantly their increasing risks, economics would dictate that they exit, or spin off their cloud businesses, which would dramatically change the risk/return equation.

Of the myriad of other strategic technology risks in cloud computing, one other is important. Handing over control of vital resources to a cloud provider may create additional options with respect to strategic flexibility, but it also creates additional complexity, which increases operational risks. The most obvious problem is with a firm’s core systems, which for most firms have been built on old hardware running old software. It is extremely unlikely, because they are old, that they could be moved easily to new technology (or they would have been moved before). So, the most likely situation is one where parts of a firm’s core systems will be migrated to the cloud. But that move increases complexity because the parts in the cloud are no longer under the firm’s control, and if something goes wrong, recovery from problems will be that much more complex and risky.

Going Forward

According to the latest annual Cloud Readiness Index, produced by the Asia Cloud Computing Association, Asian economies are well-placed to take advantage of the potential benefits of cloud computing.

However, the risks and opportunities of cloud computing are so new and potentially so large that decisions can only be made at the strategic level and cannot be outsourced to technologists or third-party providers. Boards will have to step up to the plate to drive cloud strategy, or competitors will.

Pat McConnell

Visiting Fellow at Macquarie University Applied Finance Center and Member of the Macquarie University/Optus Cybersecurity Hub at Macquarie University

Pat McConnell is also a visiting lecturer at Trinity College, Dublin, a fellow of the British Computer Society and a member of the IEEE. He has over 35 years’ experience in information technology and risk management and has been employed by, and consulted to, major banks and corporations in the U.S., Europe and Australia. He has also consulted to the Australian government as a risk management expert. He has been published widely in risk journals; his most recent book is Strategic Technology Risk.

For optimal delivery, please select your region:
Please enter a valid email address.
Success! Thank you for signing up.