Hi Jeff,
I can see that. I was probably drawing more on my (admittedly small)
experience of helping IRM programs integrate with overall ERM
approaches - which up to now has never really addressed the politics
surrounding cloud computing.
It's been my experience that "where computing lies" is viewed by other
LOBs mainly as someone else's problem (namely, IT's problem). There
may be an impact on outsourcing the information processing concerned
with supply chain or financial operations, but the "availability"
concern for outsourced applications is not the responsibility of the
CFO, for example; it is still the responsibility of the CIO/CSO (and
in most cases where I've worked with an actual CRO, their
responsibility is simply the validation of risk expression around the
CIA triad for IT assets w/regards to IT risk). Of course, aspects of
the cloud (SaaS, certainly) might actually represent moving control
away from the CIO to a rather unqualified LOB executive, and in this
case the outcome of the IRM risk expressions would be more politically
relevant in the context of larger ERM concerns.
Yours,
Alex