Staying above the cloud on risks and controls


  • Cloud-powered companies have overwhelmingly developed formal controls that are distinct to cloud operations.
  • However, the majority of cloud-powered companies did not engage risk leadership at the earliest stages — planning — for their cloud transformations.
  • Here are five areas of action for companies that are banking on their cloud transformation to help them achieve a higher, more sustained growth trajectory.

While many businesses have embraced cloud technology in all or part of their operations, one key piece of the puzzle — risk and compliance implications — may be missing. Generally, these considerations may have been deprioritized or sidestepped, a byproduct of attempting to move quickly without complete clarity about the ramifications that a cloud transformation has for meeting compliance obligations and helping address risk effectively.

As we learned in our 2023 Cloud Business Survey, it’s clear that organizations embarking on cloud initiatives should consider risk and controls early in the process, building controls into their cloud transformation.

Poor attention to these critical areas can lead to serious consequences, including cybersecurity breaches, business interruption, regulatory violations and fines, and costly budget overruns. Worse, you may not get the business value you had envisioned from your investment. And you’re potentially not able to benefit from automation and reduce overall compliance efforts and costs.

Regardless of your level of cloud maturity, bringing risk into the cloud conversation earlier can help companies migrating to cloud position themselves more solidly for success and help build trust.

Five ways cloud is impacting risk and controls

Our analysis of over 1,000 enterprises revealed five factors that affect cloud risk and controls and how companies can most effectively address each one.

1. Mature governance, risk and controls can generate clear benefits

We found a direct correlation between an organization’s overall cloud maturity level and the maturity of its governance activities. Across the board, cloud-powered companies – those that are realizing significant and sustained value from their cloud operations – assess the maturity of their cloud controls as significantly higher than other companies.

For example, cloud-powered companies have overwhelmingly developed formal controls that are distinct to cloud operations, have developed a common controls framework that they have tailored to new cloud services, and they have documented their shared responsibilities with their cloud service providers (CSPs). Critically, most note that cloud-related controls for governance, risk and compliance activities are owned by a single business function with its own dedicated resources.


These are key considerations when developing a cloud strategy. Companies should also take fuller advantage of shared responsibilities and how the CSP defines them. Qualifying, clarifying and implementing controls can help address those requirements. Risk solutions that CSPs include as part of their offerings are often underutilized.

CSP shared responsibilities should be understood, and companies should translate their own responsibilities into their control strategy and playbooks. Companies should also revisit these often as relationships change.

Successful cloud-powered organizations build these questions into their processes:

  • Do you have a common controls framework? Has it been tailored to address technology in the cloud? If not, what barriers have prevented you from tailoring your controls and whose involvement is needed to resolve those barriers?
  • Have you assigned systems ownership for your cloud-based assets? As part of that ownership, have you provided adequate training in evaluating cloud risks and the relevant controls executed by either the CSP or your own management to support an effective control environment?
  • How are you monitoring for adherence to your common controls framework and onboarding new technologies/assets? Who is responsible? On what cadence is this monitoring performed? How have you updated your feedback loop to incorporate the results of monitoring into your risk assessment and related controls mapping?

2. Executives can do better at collaborating early to incorporate risks

Our survey shows that cloud-powered companies are doing better at incorporating risk and controls into their cloud strategies, but they didn’t necessarily start that process early enough. While they are more proactive than the other companies in our survey, the majority of cloud-powered companies (58%) did not engage risk leadership at the earliest stages — planning — for their cloud transformations.

Playing catch-up clearly isn’t the most efficient way to go about this process. Remediation can be tedious and costly. Given that remediation can take years, it can easily become an unexciting job that no one wants. Remediation can mean engineering teams may have to rework or revisit code and configuration related to existing applications, which could lead to a slowdown in the development of new applications.

Some specific actions you can take:
  1. Perform an assessment to identify relevant risks to the cloud environment, based on the workloads being processed, the nature of the data and compliance obligations.
  2. Based on that risk assessment, map existing controls (both those executed by the company as well as those executed by the cloud service provider) to identify and inventory unmitigated risks/gaps.
  3. Evaluate the impact of the unmitigated risks on the environment and strategic priorities of the company to drive remediation prioritization. Be aware, this needs to involve all business stakeholders.
  4. Based on prioritization, define remediation strategy, including proposed new controls/updates to existing controls, required resources to accomplish plans, and the associated expected timeline for implementing these controls.
  5. Obtain formal buy-in on proposal from important stakeholders.
  6. Develop, document and communicate project plans, assigning owners based on the nature of the activities to be performed.


Even if a risk strategy was flawed to start with, it’s important to avoid repeating past mistakes.

  • Who needs to collaborate and when? It’s critical that risk and security be involved at the beginning to help with planning and design, as well as to be involved throughout.
  • Collaborate on existing issues, consult internally to find the best path forward and decide what to tackle first. Early success is important, because remediation can be costly, and not just in the form of direct expenses.

3. Multicloud infrastructures complicate risk further

The predominant operating model today is multicloud: 65% of all survey respondents said they use multiple cloud service providers to handle their workloads. Multicloud offers features like flexibility and robustness, letting enterprises choose the right CSP for each workload as well as various software as a service (SaaS) providers for business process enablement, but it also introduces higher levels of risk. Many organizations have struggled to develop a security model that can be applied across CSPs, since each CSP has its own approach to security and governance and different security tools, all of which makes consistency difficult or impossible.


Help unify your cloud environment with a common starting point.

  • Make it easy to monitor and secure the complex multicloud security framework through “single pane of glass” solutions that bring multiple tools together. The proliferation of cloud-based applications makes this type of streamlining crucial.
  • A large enterprise may well have several thousand distinct applications running across multiple CSPs. Develop rules around where certain types of workloads should be placed, and automate to the extent possible.

4. Strong relationships between CIOs and risk and security leaders are key

Many executives that say their companies are achieving value from their cloud initiatives report stronger relationships with their chief information security officers (CISOs) and chief risk officers (CROs). Because risk officers will ultimately oversee how well your framework functions, their involvement is critical from the outset.


Leadership related to governance should vary depending on the type of risks.

  • If your organization’s risk issues are primarily regulatory, the CFO and chief compliance officer should be involved.
  • To lay the groundwork for security and privacy throughout the cloud infrastructure and ongoing governance and controls, your CISO and chief data officer should be part of the overall cloud executive leadership and should have a strong hand in the task. Security teams and IT teams must have formal playbooks for working together to secure the cloud.
    • The chief data officer may need to be involved in regulatory/compliance considerations related to standards that enforce data requirements (e.g., General Data Protection Regulation (GDPR)).
    • The company may need to involve their COO/chief product officer and possibly the chief legal officer to help assess impacts on contractual customer commitments of both the CSP and the company.
    • The executive in charge of ESG strategy may need to understand the sustainability impact of cloud computing.
  • The executive and the board should provide strong support for the kind of collaboration needed to address cloud risk issues and prevent them from recurring.

5. Evolving regulations mean staying ahead of industry-specific risk

Regulations around the use of the cloud are in flux — and they vary from one industry to the next. The GDPR, the Federal Risk and Authorization Management Program (FedRAMP) and HIPAA (for Health Insurance Portability and Accountability Act) have all introduced new complexities for organizations looking to store data in the cloud, but the rules aren’t relevant for every type of business. For example, recently, banking and financial businesses were issued new guidelines from the Federal Financial Institutions Examination Council (FFIEC), which outlined reasonable practices for managing architecture, infrastructure and operations, with a specific eye toward the use of cloud services.

Banking organizations that we surveyed agreed that the new rules were having an impact: 90% reported undertaking some type of remediation activity to bring their cloud services into compliance.


Companies should be aware that legislation and regulation around cloud, particularly the ways in which data is stored in the cloud, is likely to be in flux for years to come. Further complicating the environment is that there is no single source for companies to reference.

  1. Monitor the environment and look ahead when thinking about your cloud adoption strategy. Whether focused on ERP data modernization, application modernization or cloud-native development, stay agile and informed, as regulatory pressure increases on cloud compliance framework. It’s critical to know the why behind cloud modernization and what’s next when it comes to proactive risk management.
  2. For heavily regulated industries (like banking and capital markets, energy and utilities as well as insurers and healthcare payers), cloud adoption can often be driven by the need to remain competitive and compliant. Enhanced cybersecurity regulations will escalate those needs.

There are indications of where regulators may be going, however. To see where cloud regulation is headed and how it may apply to your company, check these government publications:

Define where you want to be

Reach your destination with PwC’s Cloud and Digital services

Learn more

Digital Assurance and Transparency

Build trust to power digital progress

Learn more

Cloud-powered > On-the-cloud

Our insights are evolving at the speed of your cloud transformation. Stay connected with exclusive access to PwC's tech content. Navigate challenges and risks more confidently and realize value from your cloud investments, faster.

Stay in the know

Next and previous component will go here

Follow us