As cloud computing gains traction, companies would be wise to study the risks before jumping in with both feet, according to a new thought paper from COSO.

“When you engage a third-party cloud service operator, you ultimately are going to be expanding or changing your risk universe,” says Warren Chan, co-author of the paper and a principal at Crowe Horwath. “Some don't realize that once you bring in a third party to support your data, you bring on other dependencies.” The paper, Enterprise Risk Management for Cloud Computing, explains some of the considerations companies sometimes fail to make.

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission published the new thought paper to apply the guidance contained in its Enterprise Risk Management -- Integrated Framework to the fast-evolving technological innovation of cloud computing. The 23-page paper covers cloud computing basics for non-tech executives to help them understand what the cloud is and what kinds of risks and opportunities it presents. The paper also addresses changes in business operations that might arise with cloud computing, how to approach ERM while operating in the cloud, how executives might consider responding to cloud risks, and other cloud-related considerations that should be addressed by boards and senior management.

According to the paper, cloud computing is expected to be a $140 billion industry by 2014. “This is a paradigm change that impacts how technology is used in every business or organization, so that's changing the risk environment,” Chan says.

Companies sometimes fail to consider how the cloud and its shared architecture heighten their risk for cyberattack, outages or other complications, according to Chan. “If you run a standalone data center and you don't have a tremendous risk of notoriety in cyberspace, the likelihood of attack is low,” he says. “But if you outsource to an Amazon or a Google, the probability of a cloud service architecture being hacked is much higher.” As another example, Chan says, companies sometimes fail to think about how they might be affected if a major news event suddenly causes a spike in internet traffic that could affect their own system performance when sharing space in a cloud architecture.

COSO published the paper to help companies think through those and dozens of other issues that may not readily come to mind for non-tech-oriented executives who are still learning about the cloud. Other literature is emerging that is focused more on technology professions, he says, so the COSO paper is meant to help the executives operating the business understand the risks as well, applying COSO's already established ERM framework. “ERM really is about dealing with events as they occur in real time or as they evolve in the operating environment,” says Chan. “Nothing stays forever the same.”