
It’s Time to Deal with Operational Risk in Public Cloud Computing

Real, tangible, and valuable services are beginning to emerge from the hype surrounding public cloud computing. Financial institutions can now access new on-demand services, avail themselves of specialised functionality, reduce fixed costs, and increase the variable portion of their operating costs.

Despite the uptake, valid questions and concerns about the security and other risks of cloud services have not abated. Both sides of a cloud service, the vendor and the financial institution, need to step back and look at the issues holistically. That dialogue should lead to a sharper focus on the operational risk that exists in public cloud services.

Issues and Answers

There are real concerns regarding the use of cloud computing services. Although these must be dealt with, there is another side to the operational-risk equation, one with a decidedly positive impact. Both sides are captured in fig 1.

Fig 1: OpRiskCloud Diagram

Issues

Objections are often expressed in business terms, which we address below.

 

Security must take into account technical, policy, and human aspects. Security models must support recognised international standards such as ISO 27001; an ISO 27001 certificate covers only the scope stated on it, so the institution should confirm that the service it will actually consume falls within that scope. In business terms the objection here is stated, “The vendor could lose or expose my data.”

 

Regulation is a global issue, and one that will see new developments over the next several years, including changes in both regulators and rules. Regulators generally hold the institution accountable for activities it outsources, so the objection here will be, “The regulator will blame us for anything the vendor does wrong.”

 

Assurance refers to the continuous availability of the cloud service, both from a moment-to-moment delivery perspective and in the ability to provide backup and retention management, an issue that continues throughout the service lifecycle. The key objection here is, “I may not always be able to get to my data.”

 

Performance has to do with meeting speed and latency demands that vary greatly between industry segments, from near-instantaneous response times in brokerage and trading venues (a basic competitive factor) to the far more relaxed latency requirements of billing and statement activity. Once again the naysayers have a strong argument: “I don’t have control of my data.”

 

Liability is about legal exposure and lies at the centre of all risks and objections to cloud computing. Financial services institutions (FSIs) and cloud service providers should plan for and address potential liability: who has it, how it will be determined, and who shares in its consequences. Otherwise the winning objection will be “I don’t know if I can trust the vendor.”

 

Operational risks include risks of omission and risks of commission. Omission covers lack of preparedness and gaps in the control environment. In other words, do the FSI and vendor in a cloud service have proper internal controls and complete and thorough business processes? Risks of commission have to do with deliberate wrongdoing or deliberately ignoring controls. Do the FSI and vendor in a cloud service actively manage, change, modernise, and enforce established controls?

Answers

Just as the issues above need to be dealt with, there are several aspects of cloud computing that can serve to reduce operational risk. Institutions need to evaluate vendors of cloud services through that lens as well, and seek out those services that meet the criteria listed below and captured in fig 1.

 

A single platform provides the leverage needed for efficient delivery of services. This essentially means using a multi-tenant solution instead of launching separate instances, all of which can have different configurations and thus different costs. The single platform also reduces the chance that maintenance actions will create problems, since unique instances tend to drift into different configurations. The trade-off is that the security of a multi-tenant platform rests on the vendor’s tenant isolation, which an institution should ask to see evidenced rather than assume.

 

Continuous vendor upgrades are one of the key benefits of leading cloud services. Vendors must align their IT strategies to maintain the highest functionality and take advantage of new and emerging capabilities, from the network to hardware, from software to supporting tools.

 

Openness and standardisation reduce the cost and challenges of integration with other applications. Other outsourced services and in-house applications are easier to orchestrate because standard technologies and protocols are widely known. Institutions should seek out vendors that participate in the many cloud and industry workgroups that have been pursuing industry standards. This equates to a centre-of-excellence approach.

 

Backup, redundancy, and recovery capabilities are often much better designed and executed by vendors, since they are central to a vendor’s survival. Because vendors serve multiple clients, the ability to stay online with full functionality is planned with great care. Although each of these elements is critical for financial institutions, budget constraints in recent years have reduced in-house investment in disaster recovery plans. An institution should still ask for the vendor’s stated recovery objectives and evidence of recovery testing rather than rely on the claim alone.

 

Continuous improvement is a competitive issue that cloud vendors cannot ignore. A financial institution, meanwhile, can live with the status quo for years, especially given that as much as 75% of IT budgets are spent on maintenance alone. It is also here that cloud services built specifically for the financial services industry can offer built-in compliance capabilities, a feature that will become a fundamental requirement of successful vendors given today’s regulatory environment.

 

Off-loading operational risk is possible because a cloud service provider does the same thing for multiple customers. Certainly, the institution remains accountable for operations, but because of the vendor’s broader experience, its operations are under constant review for soundness and improvement.

 

Refreshing both questions and answers continuously is essentially a living Q&A process that draws on the cloud vendor’s entire customer base. This affords a financial institution indirect access to the issues every customer raises, and to the benefits of the vendor’s response to its entire customer base.

Conclusion

Spending on cloud computing will increase rapidly over the next four years, growing from $9 billion (USD) in 2011 to $27 billion by 2015. With the migration of cloud services into the core business of financial institutions, the need to reckon with the industry’s legitimate concerns is upon us. Risk should become the lens through which both vendors and institutions examine the value and soundness of any cloud service. The endgame is to understand clearly not just the ability to perform the service itself, but the issues that face financial institutions as a whole, above all operational risk.

Rodney Nelsestuen

This article is based on research by the Financial Services practice at TowerGroup, a leading research and advisory services firm focused exclusively on the global financial services industry. Rodney Nelsestuen can be reached at rnelsestuen@towergroup.com. Those interested in learning more about TowerGroup or subscribing to its research services may call +1.617.488.2000 or e-mail service-info@towergroup.com.