PhD Defense J.M. Anderson

This study examined the risk and governance challenges experienced by financial institutions that outsource cloud technologies. Cloud outsourcing prompts a new way of working and fosters an environment in which technology and data are shared across groups and are housed in regional hubs, according to global standards that are influenced by various countries’ policies. Therefore, to effectively manage the cloud, institutions need a thorough understanding of the applicable laws governing the cloud relationship and those that influence the internal control environment. However, differences in policies and the complexity of rules for cloud outsourcing complicate institutional governance practices as they create less clarity on the rules required to process and manage data and related cloud risks. In addition, gaps in cloud contracts and the absence of key metrics for liability provisions create economic governance problems, which make risk management challenging and warrant further investigation into the cloud governance process. The study demonstrates this by building a series of theoretical arguments and using risk and governance data to describe the institutional challenges that follow cloud adoption. In doing so, the study explains that, conceptually, the framework nature of cloud contracts and flexibility of the regulation makes it especially difficult for institutions to efficiently manage risks. This study tackles the problem of internal governance by investigating the main risks faced by financial institutions that outsource cloud services, and by exploring how well they manage transaction risks in these arrangements. 

A real case study on a cloud outsourcing transaction and survey data from financial institution experts were used to study expert perceptions on the severity of various types of cloud risks and the effectiveness of institutional risk management approaches. The results showed that a key obstacle for institutions is their lack of knowledge about outsourcing processes and practices concerning data management. These findings were also confirmed in a comparative institutional study, where similarities were found in the risk and governance concerns of experts working at 13 different institutions in the United States , Europe, and Canada. Through this investigation, it was found that efficient governance can be more difficult for institutions that comply with US regulations owing to considerable differences in state policies on data privacy.

Finally, this study examined how uncertainties in the evaluation of data breaches and network failures become visible in other internal practices, such as cloud risk assessments. A series of cloud risk experiments was created and distributed to 131 cloud risk experts working at financial institutions in the EU and the US to compare whether their risk assessments would differ significantly. The results show that the lack of specification in the regulations and experience of cloud experts can contribute to considerable differences in their risk and disclosure choices. In practice, most experts face significant challenges in assessing the severity of cloud risk events, which have broader implications for enterprise risk management.

The results suggest that internal governance continues to be a challenge for firms as they outsource cloud technologies. The knowledge derived from this Ph.D. is useful, as it shows that institutions can benefit if they prioritize the evaluation of liability provisions in their cloud contracts, especially in cases where cloud risk events are a consequence of third-party risks. The findings also establish that internal governance is necessary to reduce the spillover effects of cloud contracts and that institutions can devise sufficient governance structures by implementing data policies (e.g., data access, storage, and format policies) and mechanisms that promote cooperation and coordination to oversee data management responsibilities. Through these findings, this study establishes various means by which financial institutions and governance experts can limit their risk exposure in cloud agreements.