In a period when individual departments are just going out and buying software services - with or without IT's blessing - international risk association ISACA thinks it's time the board kept all cloud initiatives on a tighter rein.
The body has just issued new guidance on the risks and governance of the cloud, in the form of five questions that boards should pose management teams.
Boards need to start seeing cloud computing as a business strategy, not just as an IT project, according to ISACA board member Marc Vael.
"Board members need a clear understanding of cloud computing benefits and how to maximise them through effective governance practices," he said in a statement.
Here are ISACA's five key questions:
Question 1. Is there a plan?
The ISACA guidelines suggest boards should start out by asking whether the managers involved in a cloud project have weighed up the value and opportunity costs of the scheme.
"The risk of cloud adoption may be inconsequential when compared with the lost opportunity to transform the enterprise with effective and strategic use of cloud computing," ISACA says.
Strategic advantages that could be missed include reaching new markets, improving products, and developing services that are only possible through the cloud, according to the governance body.
Question 2. Is the cloud plan consistent with company goals?
Cloud projects need to link clearly into the business's overall strategy so that the company can measure their value.
ISACA argues that making cloud plans consistent with enterprise goals is also essential for managing risks effectively and containing costs.
"The potential benefits of cloud services can be enticing, but with the reward comes risk. The enterprise must decide whether the potential risk is within acceptable limits."
Question 3. Are we ready for the cloud?
This point really comes down to checking that the cloud implementation won't conflict with company culture and processes and that the right skills are available inhouse to support it.
ISACA provides a readiness checklist covering areas such as policies and procedures, organisational structures, and skills and competencies.
Question 4. Does the cloud fit with existing plans?
Cloud computing may not fit immediately or cleanly into existing technology plans. It could even duplicate efforts that are in the pipeline, so decisions about how and when to cope with the resulting loss needs to be weighed up carefully by the board.
ISACA recommends directors pay close attention to the impact on existing sourcing and change management, and on internal IT processes, datacentres, apps, infrastructure and staffing.
Question 5. Can you track cloud risks against returns?
Management teams involved in a cloud initiative need to have reporting mechanisms in place before the board clears the way for the project. Those mechanisms need to measure the value and the risks in the context of enterprise goals.
The ISACA guidance, Cloud governance: Questions boards of directors need to ask is available as a free download.