Legal Matters Consul’s latest EMEA Cloud Business Survey reveals that “cloud-powered” companies outperform other businesses by a significant margin on a number of key aspects. These include revenue growth, productivity, the ability to respond to cyber threats, and faster recovery from incidents. But what really sets these cloud-powered pioneers apart from the rest?
Our analysis shows these pioneers share several distinctive traits. One of the most striking aspects is that they assign much higher importance than other organisations to the adherence of their cloud governance and internal control framework.
As a result, these companies are taking a more mature approach to cloud transformation, including involving a wider range of functions across the business; adopting leading practices in cloud controls; forging stronger and closer relationships across all C-suite executives to facilitate collaboration around cloud; and making more effective use of automation and artificial intelligence (AI). These approaches are key to obtain and deliver a higher realisation of sustainable value from cloud technologies.
While the benefits deriving from cloud are evident, the downside of failing to focus sufficiently on cloud risks and controls is equally clear and common. Aside from undermining value creation from cloud, it increases the risks of cybersecurity breaches, business interruption, regulatory violations and budget overruns. Organisations that recognise the need to evolve traditional risk and control frameworks as part of their cloud journey achieve benefits such as a reduction in the time it takes to manage compliance, wider control coverage and improved responsiveness to business demand and change.
To help organisations develop and maintain this focus, we have identified six points that support the existence and the importance of cloud risks and controls being embedded in a control framework. For each point described below we have developed a set of related actions which can be taken to strengthen cloud governance.
"An effective cloud control framework is no longer an option... but a crucial tool in the cloud transformation journey to improve governance, data security, operational resilience and business continuity throughout a period of change and uncertainty of an organisation."
Our research reveals a direct correlation between an organisation’s overall cloud maturity and the maturity of its cloud governance. The vast majority of cloud-powered companies have implemented formal controls to enhance operational efficiency, supported by a common control framework tailored to new cloud services, and have documented their shared responsibilities with their cloud service providers (CSPs). Crucially, most have also allocated ownership of cloud-related controls for governance, risk and compliance to a single business function with its own dedicated resources.
The business payback from taking these steps is clear and unambiguous. An overwhelming 83% of cloud-powered businesses in EMEA have increased their revenue over the past six to nine months (compared with 67% of other businesses), and 89% expect to increase their revenue over the next 12 months (compared with 78% of others). Additionally, 60% have implemented an enterprise-wide transformation, compared with 42% of others.
That said, almost all businesses still have opportunities to make further improvements in adopting leading practices in cloud governance, risk and controls. Tellingly, around 1/3 of cloud-powered companies and three-quarters of non-cloud powered companies have yet to implement cloud-specific controls. This is an area that deserves specific focus in cloud to ensure negative consequences are minimised and controlled.
Figure 1: How would you assess the maturity of your organisation’s cloud controls across the following areas?
Source: LMC EMEA Cloud Business Survey 2023
Key takeaways: as part of implementing mature governance, risk and controls, organisations should…
Migrating to the cloud is more than just a technology change. It affects and involves senior leaders and their respective business units or functions – from Finance to Risk, from Talent to Procurement, and more. To effectively identify all cloud-related risks, it is critical to engage other disciplines and business functions at the earliest point possible. Failing to do this will result in having to “bolt on” controls later through remediation work which is both labour-intensive and costly, and which may even hamper the development of new applications.
Many organisations still struggle to promote effective collaboration and engagement between technology and business teams. By proactively engaging with management and senior stakeholders at the planning stages of their cloud journey, cloud-powered organisations improve their chances of success. In almost half of the cases, our research shows that companies are currently waiting until the design or implementation phases of their cloud transformation before engaging with leaders from other business areas. As well as delaying cloud-related benefits, this misses an opportunity to co-create flexible cloud solutions with respective controls that can meet differing needs – instead of creating a proliferation of point solutions that need rework to be realigned.
Figure 2: At which stage, if at all, in a cloud transformation project, do you start to collaborate with the leaders and/or team responsible for each of the following:
Source: LMC EMEA Cloud Business Survey 2023
Key takeaways: to enable early and successful collaboration in a cloud transformation, organisations should…
Almost three-quarters – 73% – of the EMEA companies in our survey are taking a multi-cloud approach to their cloud transformation, with only 25% using one CSP exclusively for all workloads. This reflects the fact that multi-cloud offers several benefits such as higher flexibility and robustness, by enabling enterprises to choose the right CSP for each workload and select from a wide array of software-as-a-service (SaaS) providers to enable specific business processes.
However, there is also a downside: alongside the benefits, the adoption of multi-cloud introduces higher levels of complexity and risk, requiring organisations to develop a security and controls model that can be applied across different CSPs. Many companies have struggled to create such a model, since each CSP has its own approach to security and governance and uses different security tools, all of which make consistency difficult to achieve.
Key takeaways: to help equip the risk and control framework for a multi-cloud environment, organisations should…
Cloud-powered companies tend to have stronger alliances between their C-suite colleagues across both technology and business roles, including risk functions such as 1st and 2nd Line of Defence. These close relationships foster early engagement and facilitate a collaborative approach to leadership and decision-making throughout the cloud transformation journey. Because risk officers ultimately oversee the effectiveness of the cloud risk and control framework, their involvement is critical from the outset. It is also important to include the 3rd Line of Defence – Internal Audit – since the cloud transformation and implemented cloud platforms should form part of the periodic audit-testing reviews.
Figure 3: Which of the following best describes your relationship with each of these executives specifically in relation to achieving your cloud transformation goals?
Source: LMC EMEA Cloud Business Survey 2023
Key takeaways: to strengthen and optimise relationships across the C-suite, organisations should…
Regulations around the use of cloud are continually changing – including the complexity of complying with them, in particular when dealing with different regulations across several EMEA countries. As an example, multinational organisations operating in Europe need to consider the different data privacy regulations in force across the 27 EU member states, as well as the General Data Protection Regulation (GDPR), the overarching EU data regulation. Across EMEA, the diversity of regulations is even greater.
There are also industry-specific regulations that companies must comply with. A prime example, already mentioned, is the EU’s DORA in financial services, which requires financial institutions to follow specific rules around the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. Regulations like DORA are acting as accelerators for cloud controls and cloud maturity across EMEA – mirroring the effect in the US of regimes like the Federal Risk and Authorization Management Program (FedRAMP) and Health Insurance Portability and Accountability Act (HIPAA).
Key takeaways: to keep pace with data regulation and stay in compliance with industry requirements, organisations should…
Based on Legal Matters Consul's 27th CEO survey, 70% said that GenAI will significantly change how their organisation creates, delivers and captures value in the next three years. AI has the potential to enhance productivity within enterprises – however, without data, there is no AI; and without cloud, organisations will struggle to scale AI and unlock value. Clearly, therefore, AI adoption will increase cloud adoption and influence an organisation’s cloud strategy. This could lead to the development of a multi-cloud infrastructure for access to the latest models, or rapid migration towards a single cloud provider to reduce cost.
The adoption of AI will create new vulnerabilities and could heightens existing risks in areas such as data, cybersecurity, and technology. These risks range from new threat vectors to uncontrollable cloud expenses associated with operating AI. While cloud-based AI deployment amplifies existing risks like cloud vendor lock-in, there are also new AI components to consider, such as vector databases that may store sensitive data requiring protection. Additionally, AI-specific risks such as "hallucinations" and the need to comply with new AI regulations like the EU AI Act must be considered, alongside other horizontal and sectoral regulations.
Key takeaways: Unlocking the value from AI requires a strong governance framework
Responsible AI (RAI) is an approach that promotes both risk management and value maximisation in the deployment of AI-based solutions. It involves adopting practices that ensure AI technology is aligned with ethical standards, maximises value, and mitigates risks. This dual focus enables organisations to harness the full potential of AI while being prepared for emerging regulations.
As the experience of cloud-powered companies shows, cloud risks and controls should not be treated as an afterthought to be handled by the technology team only. The organisations which are most advanced in their progression towards cloud maturity are those that adopt a holistic, embedded and integrated approach to risks and controls from day one.
"Cloud risk and controls must be a high-priority focus across the C-suite from day one, addressed through a collaborative, multi-function approach and a clear governance framework, defining the shared responsibilities between the company and the CSPs it uses."
This correlation is no coincidence. Effective cloud controls are the vital enabler of any successful cloud transformation – enhancing governance, data security, operational resilience and business continuity through and beyond the transformation journey. Cloud controls should be embedded within the organisation to support innovation and harness the full potential of cloud technology, while addressing the security and compliance/regulatory risks that the transformation brings.
To find out more about how LMC can help you get your cloud risk and control strategy right, please get in touch with our experts below.
© 2024 Legal Matters Consul. All rights reserved. LMC refers to the LMC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details.