1 Introduction

Third-party cloud applications have emerged in recent years as central and critical to the delivery of financial services. While cost reduction and scaling up on efficiencies (i.e., ‘make or buy decision’) are major reasons for this shift, financial institutions have become increasingly exposed to a spectrum of cloud transaction risks (e.g., legal risks, technology risks and firm risks). This highlights the importance of devising an efficient control framework. An efficient internal governance structure is one which innately matches or mirrors the risks of the transaction to a cost-economizing effect.Footnote 1 However, firms are not all equally effective in designing appropriate governance mechanisms that can create an effective risk management and oversight framework. For cloud arrangements, some of these challenges originate from the emergence of cross-border risks associated with differences in legal regimes governing data privacy and security. More specifically, the fragmented nature of data privacy regulation and the absence of well-defined policies can, at times, complicate compliance and risk management for financial institutions which operate in multiple jurisdictions. Therefore, it is necessary for these institutions to have a sound understanding of local and foreign laws and identify whether foreign laws of third-party service providers can present additional risks.

In light of this, the main focus of this article is to examine the internal governance approaches applied by a bank in a material cloud services agreement. A unique set of risk and governance data from a bank’s cloud risk register is applied to a structural equation model (SEM) and a simple linear regression to test for transaction misalignment and for the causes of governance inefficiencies. The objective of this study is to contribute to the development of policies on cloud regulation and sound internal governance practices. This paper reconciles and extends two strands of literature, namely transaction cost theory and finance, to illustrate that the causes of misalignments can also be found by looking further into the components of internal control.

Through the means of a cloud outsourcing case study,Footnote 2 the study sets out to answer three main questions: (1) What is the degree of transaction misalignment in the cloud outsourcing transaction? (2) To what extent is a bank’s internal control framework useful in predicting the likelihood of residual risk? (3) Are there potential issues or flaws in the internal control framework which contribute to transaction misalignment? Overall, the results provide conclusive evidence supporting a strong degree of misalignment (.47), largely due to the poor design of internal controls. The empirical approach is validated by good model fit indices, which confirm that including indicators of residual risk provides an improved measure of transaction risksFootnote 3 and governance efficiencies. The model results confirm that most of the misalignment is caused by high degrees of legal and technological uncertainty regarding data privacy regulation and technology processes. Consequently, this translated into poor design of internal controls and a weak control system with unacceptable (R250) indications of residual risk likelihood.

Table 1 Case overview

The paper contributes to cloud outsourcing literature in a number of ways. First, our findings shed light on the degree of misalignment between specific risk types and related control features. In this regard, we believe that our findings make an important contribution to the literature on the role of monitoring and governance in shaping cloud outsourcing policies. Secondly, our evidence on the content of these risk categories contributes to recent cloud outsourcing literature which has tended to apply more indirect measures to capture cloud risks. Finally, this study also contributes to the body of literature examining the development of residual risk models, by using a linear regression model to analyze data from a financial institution.

The article is divided into six main sections. Section 1 discusses the institutional background to the case and the regulation which governs the transaction. Section 2 discusses the literature review and hypothesis development. Section 3 discusses the SEM model construction and data in the study. Section 4 provides a practical and theoretical discussion on inherent risk exposures in the cloud transaction. Section 5 then presents the results on the SEM model which confirms the tests for misalignment. Section 6 presents the results of the linear regression model which confirms existing irregularities in the Bank’s internal control framework which relate to the misalignment.

2 Institutional Profile

A topic of much interest concerns the connection between risk and governance data on existing cloud outsourcing transactions. This case study focuses on a five-year SaaS cloud outsourcing arrangement between a bank and a leading cloud service provider (CSP) in order to draw inferences about how banks manage the different sources of risk that affect data management and other activities. Table 1 below outlines the institutional profile of the financial institution and CSP.

The Bank in this study adheres to European regulatory standards on cloud outsourcing. The upcoming section discusses the development of cloud regulation in the European Union (EU) and UK, which are major ICT jurisdictions and locations for cloud computing. The section explains how the fragmented nature of data privacy regulation and the absence of well-defined policies contribute to cross-border risks, which complicates compliance and risk management for financial institutions.

2.1 Cloud Outsourcing in the European Union and the United Kingdom

The use of cloud technologies can result in a spectrum of diverse risks which threaten data security. For instance, the prevalence of ICT security risks which stem from inadequate or failed internal processes or external events can ultimately impact a firm’s systems and data security.Footnote 4 In fact, many jurisdictions have introduced a legal and regulatory framework for governing cloud use in order to prevent unlawful data processing and data access,Footnote 5 security risks, technological risks and concentration risks. The EU in particular has had a major influence on the global regulatory landscapeFootnote 6 and the regulation of cloud arrangements. This has led to a number of jurisdictions (e.g., the UK, Germany, France, Italy, Ireland) adopting privacy and internet laws based on the legal notions and patterns of European legislation.Footnote 7 The regulation governing cloud computing is largely unharmonized, fragmented and governed by a set of different regulations and policies.Footnote 8 Notwithstanding this, some of the most influential guidelines issued by the European Banking Authority (EBA) are the Final Guidelines on Outsourcing Arrangements (EBA/GL/2019/02),Footnote 9 the ICT Guidelines and Internal Governance Guidelines (EBA/GL/2019/04, EBA/GL/2017/11).Footnote 10 Indeed, the UK has implemented most of these guidelinesFootnote 11 to establish how institutions should manage third-party and ICT risks. More specifically, the development of their regulatory initiatives has also been influenced by events such as Brexit, and by the need to further specify and define the risk requirements set by the EBA.

In particular, a key focus of the Prudential Regulatory Authority (PRA) is to assess third-party risks according to their level of dependencies and to establish whether such arrangements are material.Footnote 12 As a result, some of the main post-Brexit amendments include the introduction of additional criteria to evaluate whether outsourced functions or activities automaticallyFootnote 13 qualify as a material function.Footnote 14 The significance of these amendments is that they strengthen and streamline the risk assessment process by reducing uncertainties on whether a risk is material, and in doing so, establish whether enhanced governance measures should be applied. There are a few other amendments that have been introduced in areas such as the scope of outsourcing, data security, sub-outsourcing, business continuity and exit plans.Footnote 15 However, the requirements do not appear to diverge significantly from the EBA Guidelines on Outsourcing Arrangements but only provide greater regulatory certainty in key, complex areas.Footnote 16

In practice, the impact of the EU General Data Protection Regulation (GDPR) has been significant for cloud service providers and financial institutions outsourcing cloud services. Over the last few years, the GDPR has expanded its scope to limit significant privacy threats associated with cloud computing and transboundary data transfers by enforcing compliance requirements on EU-established organizations and on non-EU controllers and processors.Footnote 17 The global response to rising privacy concerns has led to the implementation of inward-looking policies such as data localization mandates and international privacy acts which either allow or restrict data access by foreign authorities. In the UK, regulators have opted for the latter by enacting the US Cloud Act (2019)Footnote 18 into their Data Protection Act (2018).Footnote 19 The outcome of the Act is that it removes any conflicts of laws (UK/US Cloud Act, Art. 3) which may obstruct enforcement actions or prevent CSPs and internet service providers from responding directly and freely to requests for data stored in the US or abroad.Footnote 20

Alternatively, some regulators, such as those in Germany (and France), have instead opted for stricter data regulation practices such as data localization mandates, for example, the Bundescloud, a German federal cloud initiative. In particular, this mandate only allows data storage and processing of federal data in private clouds and within federal-owned data centers by approved cloud providers in Germany.Footnote 21 In light of this initiative and the current EU regulatory focus (e.g., Gaia-X project),Footnote 22 it is likely that similar proposals will soon follow in the private sector. However, the implementation of strict data localization mandates can generate weak points in security systems due to data concentration. In contrast, encouraging institutions to take advantage of storing data in multiple locations, while managing ‘legal risks stemming from conflicting or less developed relevant legal or regulatory requirements’Footnote 23 can result in significant risk exposures. This is largely because the high degree of variance on data transfers creates regulatory arbitrage,Footnote 24 adds to regulatory complexity and creates less clarity on the rulesFootnote 25 required to manage cloud risks. Jansen and GranceFootnote 26 also note that the key challenge with transborder data flows is that firms may be uncertain as to

whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits.

Ultimately, this implies that UK and EU institutions which are subject to international privacy acts or less stringent data localization mandates can face greater privacy and security risk exposures. As a consequence, not only may this increase transaction costs, but it may also be burdensome and difficult for institutions to leverage global risk management and compliance programs.Footnote 27 Therefore, it is imperative for institutions to have a good understanding of local and foreign laws, especially when operating in multiple jurisdictions. Against this backdrop, this may be a daunting task, due to the absence of cohesive, consistent, harmonized regulatory frameworks,Footnote 28 which is caused by divergent jurisdictional tendencies and the use of omnibus laws.Footnote 29 The next section discusses how these challenges and the absence of well-defined policies complicate compliance for financial institutions.

2.2 Cross-border Risks: Uncertainties in Cloud Risk Management

In light of the discussion above, the absence of a consistent regulatory framework can hinder sound institutional compliance. This is largely because there is currently no common set of comprehensive and well-defined cloud risk methodologies. Nevertheless, EU and UK regulators have made some efforts to clarify expectations about risk management. For instance, in 2019, the PRA introduced a policy proposal which recommends the use of metrics (e.g., extent of business disruption, and/or the volume or value of impact) to evaluate the tolerance impact of certain business disruptions arising from failed systems or process failures.Footnote 30 In contrast, although EU regulators have yet to issue a comprehensive risk methodology to measure cloud risks, a complex privacy risk methodology was introduced by the European Union Agency for Cybersecurity (ENISA)Footnote 31 and some EU data protection regulators (Greece and Germany) in 2013. While there is no indication of whether this risk methodology is applied by financial institutions, data protection authorities have already identified noticeable differences amongst the privacy risk assessment of supervisors, CSPs and controllers.Footnote 32 Arguably, these inconsistencies could be driven by uncertainties in compliance or lack of harmonization of existing practices. In fact, both factors contributed to uncertainties for the institution in this study, which ultimately led to challenges in devising a suitable risk framework. Table 2 below outlines the risk parameters used to evaluate the transaction.

Table 2 Cloud risk parameters and governance strategy

A pivotal question is whether the existing regulatory guidelines provide sufficient criteria or guidance required to manage cloud risks. These concerns have been highlighted by industry experts during the EBA consultations on the implementation of the ICT security risk guidelines and the use of contracts and service level agreements to ensure that institutions apply appropriate cyber and security measures.Footnote 33 In response to these requirements, participants requested further guidance on key risk and performance indicators (KPIs) to ensure some degree of consistency among financial institutions, particularly in light of conflicting laws which impose diverse requirements.Footnote 34 These issues have been noted by UK authorities, in particular, which addressed some of these concerns by introducing common criteria to improve the consistency of firms’ materiality assessments, and tolerance impacts.Footnote 35 Inevitably, these concerns highlight the need for greater specification on the policies intended to address ICT and other cloud risks.

As will be discussed below, a number of transaction uncertainties in the cloud arrangement are caused by a failure to understand the inherent nature of transaction risks and the associated regulatory requirements. Most of these risks relate largely to the poor design of data governance strategies and data privacy measures. Consequently, these design strategies and measures often contribute to greater transaction risk exposures and a larger degree of misalignment. Thus, regulators may be encouraged to consider introducing soft law mechanisms and usefully combine them with comprehensive, flexible privacy and technology-enhancing policies and practices.Footnote 36 The next section will explore the conceptual framework and conditions required to address these challenges.

3 Theoretical Perspectives on Cloud Risks and Governance

As concluded above, an important challenge for financial institutions is devising suitable governance strategies in the face of divergent legal systems. Therefore, the focus of this section is to lay the theoretical framework required to empirically test for the degree and causes of governance inefficiencies in the cloud transaction. This section first discusses some important theoretical assumptions of the transaction cost theory and concludes with the main research hypotheses to be tested.

Transaction cost economics (TCE) is widely used by authors in studies on IT outsourcing. The relevance of the theory lies in its ability to theoretically recognize sources of transaction hazards, anticipate internal organizational changes and empirically test for governance efficiencies in the risk mitigation process. To develop our research hypothesis, the study applies the concept of ‘transaction misalignment’, which is one of the most basic propositions of transaction cost theory. The hypothesis claims that transactions (which differ in their attributes) are aligned with related governance structures (which differ in their cost and competence) so as to result in a transaction cost-economizing effect.Footnote 37 Hence, organizations that choose the wrong governance structure will incur higher transaction costs for a given level of output than organizations that choose more efficient governance structures.Footnote 38

In the most basic context, transaction misalignment is considered as a simple ‘matching principle’, whereby transaction risks are matched to firm controls to assess the extent to which transaction risks are mitigated. The assumption is that more efficient governance structures are those in which there is a close alignment between transaction risks and controls. The degree of alignment is assessed through regression analysis, which is applied to empirically test the association between the ‘attributes’ of a transaction which serve as a measure of transaction risk and the use of internal controls which model the governance structure.Footnote 39 Notably, a dominant cause of transaction misalignment is inadequacies with internal controls. According to Anderson and Dekker,Footnote 40 misalignments are often a consequence of inappropriate use of controls or a failure to design adequate contracts in response to transaction characteristics. In this study, we propose that inappropriate governance responses are likely to be caused by uncertainties about regulations governing cloud use.

Generally, the process of measuring misalignment is not straightforward, as it is often difficult to estimate transaction risks due to the lack of consensus on the factors which define the risks of a transaction.Footnote 41 Notwithstanding this, the three main dimensions or ‘attributes’ commonly applied to measure transaction risks are: (1) asset specificity, (2) transaction uncertainty, and (3) transaction frequency.Footnote 42 According to transaction cost theory, these dimensions are critical in explaining the nature of risks which firms face; however, within the field of cloud outsourcing, only a few studies have applied the framework to measure cloud transaction risks.

According to these studies, asset specificity is defined as the degree of investment in the asset required to make it work, or the costs of reallocating it for another use such as investment in cloud applications, IT training, meta services costs, new vendor transition costs, and cloud customization risks.Footnote 43 Transaction uncertainty relates to primary and behavioral uncertainties which arise from legal risk, technological risk and vendor opportunism.Footnote 44 In contrast, the dimension transaction frequency or ‘cloud transaction frequency’ refers to the frequency of the adoption of cloud services and how often a service is called.Footnote 45

The transaction attributes defined by the TCE framework are also important in determining appropriate risk responses and the governance structures firms adopt. For outsourcing, the management control structure of outsourcing arrangements is based on a hybrid form of governance.Footnote 46 However, WilliamsonFootnote 47 states that the main features which characterize any given governance structure are administrative controls, incentive intensity and contract law. For cloud outsourcing, the governance structure is likely to be defined by administrative controls designed to protect data, contract law defined by cloud contracts, and data protection law which regulates data use.

From a general perspective, this implies that the efficiency of a governance structure relates to the way in which protection is established to design and organize appropriate governance structures.Footnote 48 Misalignment can therefore be estimated if the risks of a particular transaction are invariant to the cost of control.Footnote 49 With this perspective, the study embarks on a more direct strategy for measuring misalignment by regressing all unique inherent transaction risks in a single cloud transaction on the related governance (e.g., contractual and institutional) controls. As there is very little theory motivating cloud computing, the study builds on the work of WilliamsonFootnote 50 by keeping in line with the basic propositions of transaction cost theory.

Hypothesis 1

The first hypothesis suggests that greater misalignments between inherent cloud risks and internal controls are synonymous with greater inefficiencies in cloud governance.

Alongside the empirical approach, the study also arranges all inherent risks according to the TCE transaction risk framework to provide a descriptive analysis of the consequences associated with the misalignment. This approach supplements and enriches the empirical results of the study, while highlighting key governance issues in the transaction. This approach differs from other studies, which predominantly apply survey techniques to categorize risk and governance data before applying regression analysis to measure misalignment.Footnote 51 Therefore, the results of this test will confirm that misalignments in cloud transactions can be meaningfully tested using a unique set of risk and governance data. Figure 1 below conceptualizes how all cloud transaction risk dataFootnote 52 and related governance controls are applied to test for misalignment.

Fig. 1 Testing for transaction misalignment

3.1 Internal Control and Transaction Misalignment Hypothesis

Having concluded on the approach to measure governance inefficiencies, this section outlines the method which will be applied to evaluate whether complexities in regulation contribute to poor internal control design. This question is answered by paying particular attention to the design of the Bank’s internal control framework. From a theoretical perspective, this step is also important as the TCE proposition is limited in establishing causes of misalignments and in determining whether the causes of misalignment are not mistakes or chance incidents.Footnote 53

As internal control is explicitly tied to risk treatments, the study relies on some basic fundamentals of finance and internal control to infer whether any causes of misalignment relate to internal control issues. More specifically, the study examines the strength of the control framework in predicting residual risks and associations amongst risk and internal control components. The first investigation is imperative in assessing the reliability of cloud risk assessments in the identification of residual risk. The latter is focused on identifying whether irregularities exist in the control environment and the source of the irregularities (Fig. 2).

Fig. 2 Cloud risk assessment heat map (All risks are color coded to demonstrate the degrees of severity for each risk category. Dark grey (red) depicts medium/high risk levels which lead to major financial impacts and reputational losses. Grey (yellow) depicts medium/low risk levels, and light grey (green) depicts low risk with lower levels of financial and reputational impacts) (color figure online)

To begin with, there is very little evidence on how effective risk management approaches are applied in IT projectsFootnote 54 and/or how they relate to misalignment. However, the control environmentFootnote 55 is useful in assessing the effectiveness of an internal control system.Footnote 56 For instance, KounturFootnote 57 developed a residual risk model using risk and control variables, and concluded that control systems with R252 provide unacceptable indications of residual risk, thus threatening risk planning. From a risk management perspective, estimating the occurrence of residual risk is critical, as it sets the stage for risk measurement, reduction, and risk tolerance.Footnote 58 Therefore, assessing whether the Bank’s system can accurately estimate the risks which remain after internal control measures are applied helps to establish the strength of its control system and its true degree of institutional risk exposures.

Hypothesis 2

In line with these arguments, the study hypothesizes that control systems which have greater predictive strength (R2) more accurately estimate the occurrence of residual risks and such control systems lead to more efficient governance outcomes. Hence, control systems with weak predictions (R2) of residual risks are synonymous with weaker internal control systems.

The second part of the analysis is focused on examining correlations derived from the multiple regression model which provides a prediction for residual risk. The results derived from this analysis will be used to establish whether there are any internal control design issues in the institution’s internal control framework. As studies have established that several interrelations exist in the control environment,Footnote 59 we propose that such interrelations can be used to assess the strength of any internal control framework. For instance, KounturFootnote 60 found that the quality and appropriateness of risk treatments reduce the likelihood of residual risks, whereas Anderson et al.Footnote 61 found that negative correlations between control use and residual risks are consistent with controls reducing residual risk. On the other hand, Messier and Austen,Footnote 62 found that positive correlations between inherent risk and control risk reflect a weak control system, which increases transaction risk exposures.

Additionally, there are other factors in the control environment which directly influence internal control, such as management conduct and risk management expertise. For instance, Rae et al.Footnote 63 found that although a direct association exists between risk assessment and control activities, both risk and controls are subsequently associated with monitoring. According to Bruwer et al.,Footnote 64 empirical relationships exist between two of the elements of a sound internal control system, namely internal control activities and managerial conduct (e.g., industry-specific knowledge, etc.).

To date, only one known study has examined the relationship between governance misalignment and managerial capabilities. HandleyFootnote 65 confirmed that the inferior process performance (e.g., technical expertise, and outsourcing knowledge) of internal control corresponds directly with transaction costs’ discriminating alignment hypothesis via the relationship with governance misalignment. Altogether, these findings suggest that elements of the Bank’s control framework such as outsourcing knowledge, risk responses, and the appropriateness or quality of control are positively correlated but negatively associated with inherent risk and residual risk.

Hypothesis 3

In light of these arguments, the study hypothesizes that positive interrelations between elements of internal control (e.g., control design and control performance) reflect more efficient governance structures and are likely to reduce governance misalignments. On the other hand, negative correlations among elements of internal control are expected to reflect weaker governance structures and contribute directly to greater misalignments.

While the study does not test directly for the influence of managerial capabilities on internal control, it does reflect on major risk sources and control irregularities to formulate whether such factors contributed to any misalignment in the transaction. This is based on the expectation that examining cloud transactions from this perspective helps to extend core elements of theories on transaction cost, finance and internal control, which adds to results on potential internal governance issues. The next section discusses the data and empirical models employed in this study.

4 The Data

The risk registry provides data on 42 risk exposures and governance controls in the cloud arrangement. All cloud risk assessments are prepared in accordance with EU cloud regulation (see footnote 66) and represent original observations as maintained in the cloud risk registry. All risks and control indicators are assessed using a 7-point Likert scale to represent risk severity and control strength. In the SEM model, the variable ‘cloud transaction risks’ serves as the independent variable and is measured by six indicator (endogenous) latent variables (x1 to x6).Footnote 66 These variables are: inherent impact, inherent risk likelihood, residual impact, residual risk likelihood, financial impact and non-financial impact. The variable ‘governance strategies’ is the dependent variable, defined by two indicator (exogenous) latent variables (y1 to y2),Footnote 67 namely control performance and control design. In the linear regression model, inherent risk likelihood, control design and control effectiveness serve as the independent variables (x), while residual likelihood serves as the dependent variable (y).
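As an added example (not the study's own code or data), the linear regression model just described carried out in Python on a constructed 12-item register: residual likelihood regressed on inherent likelihood, control design and control effectiveness, with R-squared as the predictive-strength measure of Hypothesis 2 and the pairwise component correlations that Hypothesis 3 examines. The column names and every score in the sample register are assumptions.

```python
"""Residual-risk regression over a cloud risk register.

Added example (not the study's own code or data). It implements the linear
model described in the text: residual risk likelihood (y) regressed on
inherent risk likelihood, control design and control effectiveness (x), all
scored on a 7-point Likert scale. R-squared is the control system's
predictive strength (Hypothesis 2); the pairwise correlations between risk
and control components are the interrelations Hypothesis 3 examines.
Pure Python, no third-party packages required.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample register (NOT the Bank's data): one row per risk item,
# each column a Likert score 1..7 in the order given by COLUMNS.
COLUMNS = ("inherent_likelihood", "control_design",
           "control_effectiveness", "residual_likelihood")
SAMPLE_REGISTER: List[Tuple[int, int, int, int]] = [
    (7, 2, 2, 6), (6, 3, 2, 5), (6, 5, 5, 3), (5, 2, 3, 4),
    (5, 6, 6, 2), (4, 4, 3, 3), (4, 6, 7, 1), (3, 3, 4, 2),
    (3, 5, 2, 2), (2, 4, 4, 1), (7, 6, 6, 3), (2, 2, 2, 2),
]


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve the square system a.x = b by Gaussian elimination with pivoting."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: collinear predictors")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        s = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - s) / m[i][i]
    return x


def fit_ols(X: Sequence[Sequence[float]], y: Sequence[float]) -> List[float]:
    """Ordinary least squares via the normal equations (X'X) b = X'y.

    An intercept column is prepended; returns [intercept, b1, ..., bp].
    """
    rows = [[1.0] + [float(v) for v in r] for r in X]
    p = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(p)]
    return _solve(xtx, xty)


def predict(coef: Sequence[float], X: Sequence[Sequence[float]]) -> List[float]:
    """Fitted residual likelihood for each row, using the OLS coefficients."""
    return [coef[0] + sum(b * v for b, v in zip(coef[1:], r)) for r in X]


def r_squared(y: Sequence[float], y_hat: Sequence[float]) -> float:
    """Share of residual-likelihood variance explained by the fitted model."""
    mean = sum(y) / len(y)
    ss_tot = sum((v - mean) ** 2 for v in y)
    ss_res = sum((v - h) ** 2 for v, h in zip(y, y_hat))
    return 1.0 - ss_res / ss_tot


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation between two equally long score columns."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5


def assess_control_system(register: Sequence[Sequence[int]]) -> Dict[str, object]:
    """Fit residual likelihood on the three predictors and report the
    coefficients, R-squared and all pairwise component correlations."""
    X = [r[:3] for r in register]
    y = [r[3] for r in register]
    coef = fit_ols(X, y)
    r2 = r_squared(y, predict(coef, X))
    cols = list(zip(*register))
    corr = {}
    for i in range(len(COLUMNS)):
        for j in range(i + 1, len(COLUMNS)):
            corr[(COLUMNS[i], COLUMNS[j])] = pearson(cols[i], cols[j])
    return {
        "coefficients": dict(zip(("intercept",) + COLUMNS[:3], coef)),
        "r2": r2,
        "correlations": corr,
    }


if __name__ == "__main__":
    result = assess_control_system(SAMPLE_REGISTER)
    print("R-squared (predictive strength): %.3f" % result["r2"])
    for name, b in result["coefficients"].items():
        print("  %-22s %+.3f" % (name, b))
    # Hypothesis 3: control components are expected to correlate positively
    # with each other and negatively with inherent and residual risk.
    for (a, b), rho in result["correlations"].items():
        print("  corr(%s, %s) = %+.2f" % (a, b, rho))
```

A low R-squared on a real register would signal, per Hypothesis 2, that the recorded controls do not explain where residual risk ends up, so the register's residual scores should not be trusted for risk tolerance decisions.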

4.1 The Models

4.1.1 The SEM Model and Linear Regression Model

The studies which test for transaction misalignment usually apply a variety of regression models such as Two Stage Least Squares, Probit Model, and/or Factor Analysis with Structural Equation Modelling.Footnote 68 Generally, the choice of empirical method varies as researchers also analyze the effect of external factors (e.g., influence of alliance governance, prior ties, performance risk, etc.) on transaction risk and how they relate to governance outcomes. In such cases, a series of tests is required to establish the validity of the hypothesized constructs. However, this study adopts a less complex approach to testing for misalignment, given the access to already existing data, the simplicity of hypothesized constructs, and the direct approach to testing for misalignment. Applying the SEM model to our existing data set allows us to analyze structural relationships in the risk and governance data, estimate latent (unobserved) variables in the data, determine measurement errors and model fitFootnote 69 and derive the residual from the regression, which provides the test for misalignment. As for the linear regression model, the advantage of applying this model is that it supplements the results of the SEM by identifying irregularities in the control framework. These results are important as they will be used to establish reasons for the misalignment in the SEM model, which will serve as valuable evidence contributing to the further development of residual risk models.Footnote 70 The next section discusses the SEM construction.

4.1.2 SEM Construction

A common challenge with measuring misalignment is the issue of measurement errors. Although the study applies original risk and governance data from the cloud risk registry, no variable, whether directly or indirectly measured, provides an accurate estimate. This is especially the case for the data set in this study, as risk and governance assessments are largely subjective and prone to error in estimation. Additionally, while the SEM model provides the true score (t) on measured data, Anderson et al.Footnote 71 confirm that the TCE regression model contains misspecification errors which can impede the results on misalignment. Notwithstanding this, they find that direct measures of residual risk correct for misspecification errors and confirm the presence of control misalignments.Footnote 72 As a result, to construct our SEM model, both inherent risk and residual risk variables are incorporated as indicators of the latent construct ‘cloud transaction risk’.

As transaction characteristics relate (weakly) to residual risk and (primarily) to control designFootnote 73 we assume that residual risk measures can contribute to more accurate measures of inherent risk and control effectiveness. This is largely because it allows the model to structurally analyze the probability of cloud risks ex ante and ex post so as to enhance the detection of measurement errors. To validate the approach adopted, two alternative modelsFootnote 74 were constructed to determine the best model fit relating to our data. However, both models yielded less promising results (see Sect. 6.1). The next section of this article provides an overview and analysis of all transaction risk data obtained from the cloud risk registry.

5 An Overview of Cloud Transaction Risk Exposure

As mentioned above, institutions are exposed to significant privacy, technology and security-related risks when cloud services are outsourced. The main objectives of this section are, first, to outline all inherent cloud risk exposures according to the TCE framework; secondly, to establish how such risks translate into internal control challenges; and lastly, to examine risk by source and severity. In summary, the findings derived from these analyses confirm that some of the most important cloud risks are driven not only by agency cost, but also by firm-specific (or internal) risks, which contribute to a number of transaction uncertainties and potential governance challenges. Table 3 reports the frequency of all cloud risks (N = 42).

Table 3 TCE cloud risk assessment framework

5.1 Theoretical Analysis on Cloud Risks

As illustrated above, the Bank was exposed to 42 unique cloud transaction risks, all of which were categorized and analyzed according to the TCE risk framework. An analysis of this nature provides valuable insights and confirmatory evidence on the content of the risk categories identified in this study and the related governance challenges. These results are particularly useful given the limited number of studies which have applied this framework to measure cloud risks.Footnote 75 According to the data, legal and technological uncertainties account for the highest share of inherent risk exposures (74%), followed by asset specificity (19%) and task frequency (7%). These findings are similar to those of Makhlouf,Footnote 76 who concluded that the cloud has considerable levels of uncertainty and asset specificity, with lower levels of task frequency for SaaS models. Notably, most transaction uncertainties relate to legal and technology uncertainties. Like Trenz et al.,Footnote 77 the study finds that privacy, security and IT availability concerns are the major sources of these uncertainties. Similarly, these transaction uncertainties correlate well with the behavioral and primary uncertainty dimensions described by Yigitbasioglu.Footnote 78 For example, in our case in particular, primary ‘legal’ uncertainties such as regulatory and compliance risks arise from uncertainties about data privacy legislation caused by poor data governance, immature internal data privacy policies, and poor contracting knowledge.Footnote 79

According to the data, primary ‘technological’ uncertainties concern risks associated with IT system exposures such as IT availability risk, risk of ISP disruptions, IT prioritization risks, external cyber breaches, and capabilities of the CSP. The data also confirms that behavioral uncertainties relate to opportunism and the lack of trust in the arrangement. More specifically, in this case study, these risks relate to potential security breaches by the cloud provider, data theft and opportunistic increases in contract prices. However, the Bank categorized these risks as low due to prior outsourcing relationships with the vendor. These results are expected as studies suggest that trust and prior ties are known to have positive influences on contractual outcomes and some agency costs.Footnote 80

In line with the assumptions of TCE, transactions with high levels of uncertainties result in a number of governance challenges. According to Makhlouf,Footnote 81 higher levels of uncertainties result in implied costs relating to contract management, monitoring and legal compliance. This will likely be the case for the Bank given the high level of uncertainties which will ultimately translate into a number of organizational challenges, such as the inability to anticipate or predict future outcomes in the arrangement.Footnote 82 In such cases, the costs of reducing this uncertainty can exceed the costs of internal governance.Footnote 83 Consequently, this can increase initial and ongoing transaction costs such as due diligence search costs and the cost of anticipating and monitoring ex-post and unspecified transaction hazards and contingencies.

Against this backdrop, the degree of asset specificity (19%) is expected to contribute to institutional challenges, particularly as the Bank has identified human resource risk, customization risk and cost overrun risk as high-risk sources. This can be problematic as familiarity and specialized knowledge are essential requirements to realize any transaction savings associated with specific investments.Footnote 84 In addition, as studies confirm that managerial conduct is associated with better governance outcomes, a lack of knowledge of outsourcing processes can be a hindrance in devising a suitable control strategy. Beyond these factors, the risk of vendor lock-inFootnote 85 will likely limit the ability of the firm to transition to another cloud provider because of the dependencies created in the arrangement. For the Bank in particular, this is a major concern as both traditional and cloud services are outsourced to the same provider. With regard to the task frequency dimension (7%), a lower frequency is recorded largely because of the deployment type (SaaS). Notwithstanding this, more coordination effort, internal adjustments and structured governance forms may be required given the hybrid governance structure. This is expected, as cooperative adaptation mechanisms are often required in frequent and uncertain transactions.Footnote 86

Having established how the aforementioned risk categories can contribute to governance challenges for the Bank, this section examines risks by severity and source so as to establish whether internally (firm risk) or externally driven factors contributed to the greatest source of institutional exposures discussed above.

According to the data, 62% of all inherent risks are of medium/high level, 33% are of medium/low level and 5% are of low level. This implies that more than half of the cloud risks can result in severe financial and non-financial impacts. The data shows that firm risk is an important source of inherent risk exposure, as 45% of all risks are caused by internal risk factors such as a lack of knowledge of suitable IT processes and regulatory uncertainties.Footnote 87 Interestingly, the data also shows that the highest source of residual risk is legal uncertainty (e.g., reputational risk, data governance risk) arising from internal risk sources.

Ultimately, these results confirm that legal risks stemming from complexities in data privacy regulation are the most critical risk category facing the institution, and are likely to be a major impediment to effective governance. These results are not surprising given the complexities of data privacy regulation and the absence of a comprehensive set of cloud risk methodologies. To explore this further, Fig. 2 above depicts the inherent risk exposures by financial impact, severity and risk mitigation strategy.

The next section investigates these issues further by first measuring the degree of inefficiencies in the transaction and then providing empirical evidence to demonstrate how efficiently the bank was able to mitigate all inherent risks.

6 The SEM Results: Measuring Transaction Misalignment

The results so far indicate that firm-specific risk contributed to a significant degree of inherent risk exposures in the cloud transaction. In light of the previous discussion, we now provide the SEM results which evaluate how effectively the institution mitigated those inherent risk exposures. The first part of this section provides a graphical depiction (Fig. 3) of the SEM model to illustrate the relationship between risk and governance. The second part analyzes the results of the measurement model which confirm model strength and validity.

Fig. 3 Mitigation of cloud outsourcing risks

(As illustrated, the graphical model contains eight indicator (observed) variables and two latent constructs. The latent constructs are variables which are not directly observed (denoted by circles). Cloud transaction risk serves as the exogenous latent construct, and governance strategies serve as the endogenous latent construct. The estimates for both latent constructs are derived from the observed variables scored for each of the 42 risks (N = 42) obtained directly from the Bank’s risk registry. The indicator variables which provide a measure of transaction risk are: (1) financial impact, (2) non-financial impact, (3) inherent risk, (4) inherent likelihood, (5) residual impact and (6) residual likelihood. The indicator variables which provide a measure of governance controls are (7) control performance and (8) control design. One loading per latent construct was fixed to 1, so as to provide an interpretable scale for estimating the factor variances and factor loadings. The residual errors are denoted by Ɛ and are shown on the indicator variables and the endogenous construct (Ɛ1 to Ɛ9).)

As illustrated in Fig. 3, the Bank was only able to mitigate 47% (e.47) of risks with institutional controls. Overall, the model provides a positive measure for misalignment, as evidenced by a significant p value (0.003) and 95% confidence interval, which illustrates the positive effects of governance strategies on the reduction of cloud risks. These findings provide support for the first hypothesis (H1) in this study which suggests that misalignments between inherent cloud risks and governance controls are synonymous with inefficiencies in cloud governance. Figure 3 provides a graphical depiction of the SEM model applied in this study.

Similar to other studies, we assume that the error term on the regression is associated with inefficiencies in governance which are likely caused by inappropriate or poor design of controls. To further interpret these results, the study applies the approach of Argyres and Bigelow,Footnote 88 which suggests that a measurement error of .47 represents a relatively strong degree of misalignment. In accordance with transaction cost theory, this means that the Bank will incur higher transaction costs to reflect its ‘suboptimal’ governance structure. However, some degree of inefficiency is expected, as no control system can eliminate all risk factors. There will therefore always be a risk trade-off, whereby the institution has to decide its risk appetite and the level of risk that is tolerable. Table 4 below provides the output of the structural equation along with the corresponding standard errors, p values and confidence intervals.

Table 4 Structural model (standardized scores)

6.1 The Measurement Model Results

Having completed our discussion of the degree of inefficiency in the transaction, the objective of this section is to discuss the results of the measurement model. This discussion is particularly important in light of our SEM construction (see Sect. 4.1.2). These results are also significant as they help to establish which measure is most closely related to the latent constructs and whether there are any correlated or unique relationships amongst the risk and governance indicators as predicted by the model. As illustrated in Table 5, all indicator variables are strongly significant in estimating the latent constructs ‘cloud transaction risk’ and ‘governance controls’ according to their p-values (< .05). These results provide confirmatory evidence for our empirical approach, as SEM studies suggest that strongly significant indicators confirm the strength of the factors in providing a measure of the variable to be tested.

Table 5 Measurement model (standardized scores)

In light of the alterations applied to the SEM model, the results also show that residual likelihood is significant (p = .044) in estimating the latent construct ‘cloud transaction risk’. These results confirm that residual risk contributes to a more accurate measure of risk and governance. To further validate the approach applied, two alternative SEM models (M1, M2)Footnote 89 were constructed. The results derived from these models were also compared to the original residual estimates by the Bank and to the SEM model in this study. Notably, all models provide a close degree of misalignment (M1 = .38; M2 = .40; SEM = .47), but the alternative models provided less significant coefficients and poorer fit indices than the model in this study. Taken together, the results suggest that there may be some weaknesses in the Bank’s estimation of transaction risks or possibly in its evaluation of internal controls.

Table 6 reports the covariance and variance scores which confirm a number of significant correlations between risk and controls. These relationships are important as studies suggest that a latent variable is defined more accurately when indicator variables are strongly related to one another.Footnote 90

Table 6 SEM covariance (standardized) estimates

As illustrated, a significant correlation (0.015) is recorded between ‘e.inherent_likeli’ and ‘e.financial impact’, which indicates that a rise in the likelihood of a cloud failure increases the risk of financial impact. A significant positive association is also recorded between ‘e.residual impact’ and ‘e.residual likelihood’, indicating that an increase in the likelihood of residual risk increases residual impact. However, non-significant correlations are recorded for the pairs ‘inherent likelihood and inherent impact’ and ‘financial and non-financial impact’. A negative correlation between ‘e.inherent impact’ and ‘e.inherent likelihood’ is common, as most cloud risks (47%) have a low probability of occurrence (e.g., cyber security risks, business continuity risks) but result in high or medium impacts. As regards ‘e.financial impact’ and ‘e.non-financial impact’, a negative non-significant correlation exists, which is in line with expectations as financial and non-financial impact are driven by different risk factors.

Lastly, the discussion now turns to the variance scores and the model fit indices which add validity to the model. According to the output from the SEM, the model explains 96% of the variance in the endogenous latent construct and reports mostly very good (> .63) factor loadings.Footnote 91 Further, the model fit (Table 7) confirms that the hypothesized model fits the data well, as indicated by RMSEA < .06, CFI > .95, TLI > .95 and SRMR < .08.Footnote 92 These results suggest that the observed data and the model results are likely to reflect a real situation. The SRMR index indicates that the model has a low probability of misspecification, bias and discrepancies between the observed and predicted correlations. Other fit indicators such as the 90% confidence intervals (upper bounds > 0.10 and lower bounds < 0.05) and Cronbach’s alpha are also consistent with good model fit and internal reliability. Given the limitations of a single case study, the minimum sample size requirementFootnote 93 suggested by SEM simulation studies served as the main basis for constructing the model. Altogether, these studies and othersFootnote 94 confirm that two-factor models with sample sizes of N = 30, or no less than N = 40,Footnote 95 have sufficient statistical power to derive meaningful associations in SEM models. Table 7 provides an overview of the model fit results.

Table 7 Model fit results

Overall, the SEM provides strong model output and conclusive evidence confirming a strong degree (.47) of misalignment or inefficiencies in cloud governance. These results suggest that some misalignments identified are more likely to relate to inefficiencies in the internal control environment. The next section seeks to establish the validity of these claims.

7 Cloud Governance Strategies

In light of the previous discussions, this section seeks to establish whether the degree of inefficiencies identified was caused by poor internal control design issues, arising from the complex nature of cloud regulation. To answer this question, elements of the Bank’s internal control framework were applied to a simple linear regression model. Through this approach we are able to establish whether the Bank’s control system provides acceptable indications of residual risk, whilst capturing the factors which contribute to weak internal governance. This section begins by presenting the results of the regression model so as to assess the strength of the Bank’s control framework before concluding on the main control inconsistencies identified. Altogether, these analyses show that the requirements for cross-border transfers of personal data and the absence of a comprehensive risk methodology (and KPIs) create less clarity on the rules required to manage cloud risks. Ultimately, these factors translate into poor governance strategies and highlight the need for financial institutions to have a good understanding of local and foreign laws to implement a sound compliance program.

7.1 The Strength of Residual Risk Predictions

According to the data, the model reports a significant regression (p < .0005) indicating that (i) inherent risk likelihood (x1), (ii) control design (x2) and (iii) control effectiveness (x3) are significant predictors of residual likelihood. This confirms that the linear regression model can be used to provide strong indications of whether any misalignment on the SEM is associated with internal control issues. From a theoretical perspective these results are significant as they validate the model and contribute to the advancement, development and use of residual risk models, particularly in light of the limited number of studies. As regards the model output, the data shows that the Bank has a weak control framework. More specifically, as illustrated in Table 8, (i) inherent risk likelihood (x1), (ii) control design (x2) and (iii) control effectiveness (x3) have 50% predictive power in estimating residual likelihood. In other words, the model explains only 50% of the variance in the likelihood of residual risk impacts. Essentially, this means that the control framework can only anticipate the occurrence of half (R² = .50) of all residual risks modelled in the SEM (47%). Table 8 below shows the model summary and results of the simple linear regression.

Table 8 Strength of internal control

According to Kountur,Footnote 96 a residual model with an R² of .52 is considered unsatisfactory in estimating the likelihood of residual risk, as it has implications for risk planning. A higher R² would therefore signify greater reliability and predictive power of internal controls in estimating the likelihood of residual risks. These results confirm our second hypothesis, which suggests that models with a lower R² are synonymous with weaker internal control systems.

Having concluded on the strength of internal control, the next section provides the coefficients on the model which will help to establish whether the Bank suffered from any control design issues arising from poor institutional compliance practices regarding data privacy.

7.2 Interconnections Between Internal Control and Risk Assessments

As mentioned previously, the study pays particular attention to correlations amongst elements of internal control to identify control irregularities and the source of those irregularities. In line with the hypothesis (H3) posed earlier, it is expected that positive interrelations reflect more efficient governance outcomes, which are likely to reduce governance misalignments. These relationships were confirmed in this study (Table 9), as a number of common significant associations are identified between predictors of residual risk. For instance, a negative significant correlation between control performance and residual risk indicates that as control performance increases, the impact of residual risk decreases, which is in line with expectations (Table 10).

Table 9 Coefficients
Table 10 Coefficient correlations

A significant association between inherent and residual likelihood is also common, as it indicates that any rise in inherent likelihood increases residual likelihood. On the other hand, negative correlations are reported between control performance and control design. These results are uncommon or ‘irregular’ as elements of internal control, such as the quality and appropriateness of control, should contribute to control effectiveness and risk reduction. Therefore, a negative correlation indicates that control design contributes negatively to the performance of internal controls and will likely increase the probability of residual risks.

These results confirm the hypothesis that some of the misalignment identified can be explained by inefficiencies in internal control, particularly as it relates to the design of controls. Additionally, the R² = .50 on the model indicates the existence of a weak control system, incapable of predicting at least half of the misalignment identified on the model. These results are in line with expectations, as most inherent risk exposures were driven by internal risks arising from technological and legal uncertainties (e.g., poor data mapping strategies, IT prioritization risks) which may have translated into poor internal control design. Ultimately, these results confirm that a significant number of risks are driven by cross-border risks arising from divergent data privacy regimes.
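The residual-risk regression discussed in Sects. 7.1 and 7.2 can be reproduced on any risk register that scores inherent likelihood, control design, control effectiveness and residual likelihood for each risk. The following Python is an added example and not the paper’s own code or data: the register rows are constructed, and the column names, function names and the 1 to 5 scoring scale are assumptions. It fits the ordinary least squares model, reports R² and standardized coefficients, derives the correlation matrix of the coefficient estimates (the kind of output reported as ‘coefficient correlations’ in Table 10) from the estimated covariance of the coefficients, and flags a negative coefficient correlation between the two control predictors. One caveat when reading such a flag: coefficient correlations depend on the covariance of the predictors, and two positively correlated predictors routinely yield negatively correlated coefficient estimates, so the flag is best read alongside the raw correlation between control design and control effectiveness, which the example also returns.

```python
"""Residual-risk regression check on a constructed cloud risk register.

Added example, not the paper's data or code. Column names, row values,
the 1-5 scale and the function names are assumptions made for illustration.
"""
import numpy as np

PREDICTORS = ["inherent_likelihood", "control_design", "control_effectiveness"]

# Constructed register: one row per risk, each score on a 1-5 scale.
# Columns: inherent_likelihood, control_design, control_effectiveness, residual_likelihood
REGISTER = [
    [5, 3, 3, 4],
    [4, 4, 4, 2],
    [3, 2, 3, 3],
    [5, 5, 4, 3],
    [2, 3, 2, 2],
    [4, 2, 2, 4],
    [3, 4, 5, 1],
    [5, 4, 3, 4],
    [2, 2, 3, 2],
    [4, 5, 5, 2],
    [3, 3, 2, 3],
    [5, 2, 3, 5],
]


def fit_ols(X, y):
    """OLS with intercept. Returns (beta, fitted values, residual variance, (X'X)^-1)."""
    X = np.asarray(X, dtype=float)
    y = np.asarray(y, dtype=float)
    A = np.column_stack([np.ones(len(X)), X])        # prepend the intercept column
    beta, *_ = np.linalg.lstsq(A, y, rcond=None)
    fitted = A @ beta
    dof = len(y) - A.shape[1]                         # residual degrees of freedom
    sigma2 = float(np.sum((y - fitted) ** 2)) / dof   # unbiased residual variance
    return beta, fitted, sigma2, np.linalg.inv(A.T @ A)


def r_squared(y, fitted):
    """Share of the variance in y explained by the fitted values."""
    y = np.asarray(y, dtype=float)
    fitted = np.asarray(fitted, dtype=float)
    ss_res = float(np.sum((y - fitted) ** 2))
    ss_tot = float(np.sum((y - y.mean()) ** 2))
    return 1.0 - ss_res / ss_tot


def coefficient_correlations(sigma2, xtx_inv):
    """Correlation matrix of the coefficient estimates, intercept row/column dropped."""
    cov = sigma2 * xtx_inv                            # Var(beta_hat) = sigma^2 (X'X)^-1
    sd = np.sqrt(np.diag(cov))
    corr = cov / np.outer(sd, sd)
    return corr[1:, 1:]


def irregular_control_pairs(corr, names,
                            pairs=(("control_design", "control_effectiveness"),)):
    """Pairs of control predictors whose coefficient correlation is negative."""
    corr = np.asarray(corr, dtype=float)
    idx = {n: i for i, n in enumerate(names)}
    return [(a, b) for a, b in pairs if corr[idx[a], idx[b]] < 0]


def analyze_register(register, names=PREDICTORS):
    """Fit residual likelihood on the three predictors and summarise control strength."""
    data = np.asarray(register, dtype=float)
    X, y = data[:, :-1], data[:, -1]
    beta, fitted, sigma2, xtx_inv = fit_ols(X, y)
    # Standardized coefficients: effect of a one-SD change in each predictor, in SDs of y.
    std_coef = beta[1:] * X.std(axis=0, ddof=1) / y.std(ddof=1)
    coef_corr = coefficient_correlations(sigma2, xtx_inv)
    return {
        "r2": r_squared(y, fitted),
        "coefficients": dict(zip(names, beta[1:].tolist())),
        "standardized": dict(zip(names, std_coef.tolist())),
        "predictor_corr": np.corrcoef(X, rowvar=False),   # raw correlations among predictors
        "coefficient_corr": coef_corr,
        "irregular": irregular_control_pairs(coef_corr, names),
    }


if __name__ == "__main__":
    out = analyze_register(REGISTER)
    print(f"R^2 = {out['r2']:.2f} (share of residual-likelihood variance the controls explain)")
    for name in PREDICTORS:
        print(f"{name:>22s}: b = {out['coefficients'][name]:+.3f}"
              f"  beta = {out['standardized'][name]:+.3f}")
    print("irregular control pairs:", out["irregular"] or "none")
```

Run as a script, it prints R² for the constructed register together with the raw and standardized coefficients and any flagged control pair; on a real register the only change needed is the row data, provided the column order is kept.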

Altogether, the results of the above analyses are consistent with the hypothesis that managing data privacy risks may be a key challenge for financial institutions. In this regard, a good starting point for compliance is understanding ‘what, why, how and where’ data is processed, thoroughly evaluating the terms and conditions in cloud contracts and in data transfer agreements, and ensuring compliance by cloud providers.Footnote 97 In addition, there may well be advantages for regulators to consider introducing soft law mechanisms and key performance indicators (KPIs) so that institutions can sufficiently evaluate the appropriateness of internal control measures. Ultimately, applying KPIs and usefully combining them with comprehensive, flexible privacy and technology-enhancing policies and practices may reduce some transaction uncertainties in cloud risk management.

8 Conclusion

The study examined the effectiveness of internal governance in an ongoing cloud outsourcing transaction between a bank and a cloud service provider (CSP). We use the empirical analysis in this case study to show that data governance is a key challenge for financial institutions. More specifically, the SEM provided evidence indicative of a strong degree of misalignment in the cloud transaction. The results show that firm-specific risk is a significant risk factor, as it contributes to a number of transaction uncertainties and to the misalignment in the cloud transaction. The results of the multiple linear regression confirmed that most of the misalignment relates to inadequate design of controls over a number of legal risk exposures (e.g., poor practices regarding data governance strategies and privacy policies on international data transfers). Ultimately, the results tend to show a weak control system, which provides unacceptable indications of residual risk exposures. Overall, it is clear from these findings that there are still considerable uncertainties in devising sound internal governance strategies, largely due to uncertainties in cloud regulation. Through the outcomes of the study, it should become easier to examine more closely how firms assess critical cloud risks and devise sound internal governance strategies to mitigate cloud risk exposures in the financial industry. Most importantly, it is also crucial to steer studies towards research that assesses whether there is a need for more specification of risk criteria and responses, given the regulatory complexity of the cloud landscape. However, in light of the limitations of this single case study, future research could focus on other types of financial institutions that may benefit from improved cloud risk management practices.