Risk Leadership: Is the Cloud Worth the Risk?

The cloud is worth the risk if the annual benefit minus the expected cost of risk is greater than the cost to run in-house. That is a simple statement; on closer inspection, however, the complexity of the decision becomes apparent and the engineer in me rises to the surface. Below is the cloud outsourcing decision expressed in mathematical terms. If you follow it through, your cloud outsourcing decision should become clearer, even if it is difficult to assign numbers that give you an accurate answer.


In mathematical terms:

If B – E(R) > H then the cloud is where you should be, where:

B = The Benefit that would accrue each year

E(R) = the annual expected cost of Risk

H = Annual cost to run in-House

So the answer comes from breaking down B, E(R) and H so you can assess their expected results and run the above equation. Taking each one in turn:


B can be expressed as:

B = C + O where:

C = Cost savings

O = Opportunity derived

Cost savings should be relatively straightforward to calculate. However, don’t forget to include more difficult items such as efficiency savings if the system you are moving to will save your people time and effort.

The more challenging task will be determining the extent of the opportunity from utilising the cloud. For many companies this will be much more important than the cost savings, with opportunities such as speed to market with a new product, solving a customer service problem in double-quick time or freeing up key internal resources for another IT project dominating the equation.


E(R) can be expressed as:

E(R) = (L x Pr1) + (Re x Pr2) where:

L = liabilities (such as from a breach of privacy)

Pr1 = annual probability of incurring the liabilities

Re = reinstatement costs (the additional costs/losses from running your operation, the costs to move to another provider or to reinstate the service in-house, and the cost to reinstate your reputation, which will surely be damaged in such an event)

Pr2 = annual probability of incurring the reinstatement costs.

Here is where things get even more difficult. Depending on the contract you have with the cloud provider, their ability to meet any claim you may have against them and any cover you may have from your own insurance, these liabilities could be relatively small or very large. The reinstatement costs are also very challenging to estimate, as you need to consider the effectiveness of any Business Continuity Plan you have in place, the higher costs of replacing the system as quickly as possible and, of course, that king of intangibles, your reputation.

In-House Cost

H can be expressed as:

H = D + ID where:

D = Direct costs such as hardware, software and support staff

ID = Indirect costs such as a portion of IT management and corporate overheads

These costs are generally the easiest to estimate: they are much more visible to you, so you have real data and can make educated guesses about the apportionment of costs.

Now, before you run off and start getting the data and the team around to help you with your estimations, there is one more thing you should consider. Are you going to assume the answer for this current year is going to be the same each and every year, or will any of these variables change substantially? If the answer is the latter, then you need to forecast how each value will vary over time, discount the values back to today’s dollars and then run the equation.
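The multi-year version of the test, as an added example that is not part of the original article: each year's B – E(R) – H is discounted back to today's dollars and summed, and the cloud is worth the risk if the total is positive. The three-year forecast, the 10% discount rate and the end-of-year discounting convention are assumptions, and the risk headroom figure goes one step beyond the article by showing how far the hard-to-estimate E(R) could be understated before the decision flips.

```python
from dataclasses import dataclass

@dataclass
class YearForecast:
    """One year's estimates, named with the article's symbols."""
    C: float    # cost savings
    O: float    # opportunity derived
    L: float    # liabilities (such as from a breach of privacy)
    Pr1: float  # annual probability of incurring L
    Re: float   # reinstatement costs
    Pr2: float  # annual probability of incurring Re
    D: float    # direct in-house costs
    ID: float   # indirect in-house costs

    def benefit(self):        # B = C + O
        return self.C + self.O

    def expected_risk(self):  # E(R) = (L x Pr1) + (Re x Pr2)
        return self.L * self.Pr1 + self.Re * self.Pr2

    def in_house(self):       # H = D + ID
        return self.D + self.ID

    def margin(self):         # B - E(R) - H; positive means the cloud wins that year
        return self.benefit() - self.expected_risk() - self.in_house()

def present_value(amounts, rate):
    """Discount end-of-year amounts (year 1 first) to today's dollars."""
    return sum(a / (1 + rate) ** t for t, a in enumerate(amounts, start=1))

def discounted_margin(years, rate):
    """Sum of discounted B - E(R) - H; the cloud is worth the risk if > 0."""
    return present_value([y.margin() for y in years], rate)

def risk_headroom(years, rate):
    """Factor by which every year's E(R) could grow before the decision flips."""
    gain = present_value([y.benefit() - y.in_house() for y in years], rate)
    return gain / present_value([y.expected_risk() for y in years], rate)

# Constructed three-year forecast; every figure is illustrative, not real data.
FORECAST = [
    YearForecast(300_000, 200_000, 2_000_000, 0.02, 500_000, 0.05, 350_000, 50_000),
    YearForecast(300_000, 250_000, 2_000_000, 0.02, 500_000, 0.05, 360_000, 50_000),
    YearForecast(300_000, 150_000, 3_000_000, 0.03, 600_000, 0.05, 370_000, 50_000),
]
RATE = 0.10  # assumed discount rate

if __name__ == "__main__":
    for n, y in enumerate(FORECAST, start=1):
        print(f"year {n}: B - E(R) - H = {y.margin():,.0f}")
    print(f"discounted margin: {discounted_margin(FORECAST, RATE):,.2f}")
    print(f"risk headroom: {risk_headroom(FORECAST, RATE):.3f}x")
```

In this constructed forecast the third year fails the single-year test on its own, yet the discounted total is still positive, and the headroom shows the risk estimate can be off by only about 13% before the answer changes.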