Our previous blog highlighted some of the key areas of regulatory focus and expectations when it comes to assessing and testing firms’ readiness to transition to the Cloud.
Regulators have made clear that, within the broader framework outlined in the EBA Guidelines, they will assess firms’ plans to outsource critical functions to the Cloud on a case-by-case basis. At the core of this assessment, regulators want assurance that firms have: (i) built a strong business case for their Cloud plans; (ii) understood the new or enhanced risks to themselves, the financial system and customers; and (iii) developed their capabilities to tackle these risks.
However, demonstrating this degree of assurance is challenging, particularly for systemically-important firms. Contrary to “Cloud natives” and FinTech start-ups which build their operations directly onto the Cloud from the outset, incumbents have been relying on a complex set of legacy systems and infrastructure for decades. Incumbents also offer more complex products and services, have a significantly larger customer base than their FinTech counterparts and are often integrated into the operation of payment, settlement and clearing systems. The difficulty for these larger players is therefore to design a Cloud strategy that enables them to migrate away from these legacy systems, and then operate on the Cloud securely, without affecting the continuity of services and products offered to customers, and without threatening the firm’s operational resilience.
However, the risk considerations should not eclipse the benefits that Cloud transformation can bring to firms. Given the precarious state of some FS firms’ legacy systems, moving to the Cloud can significantly improve firms’ efficiency and operational resilience [1].
In this blog, we explore some of these challenges and the steps firms need to take to ensure that the business is ready to adopt the Cloud in a way that enables them to demonstrate their readiness to their Board and to regulators.
Key components of a successful Cloud engagement and adoption programme
For a successful Cloud engagement and adoption programme, firms should consider six key areas, highlighted in Figure 4, and apply them along the Cloud adoption timeline set out below and presented in more detail in our previous blog.
Below we explore each of these success criteria from a regulatory perspective. For a broader analysis of the key considerations for firms seeking to adopt the Cloud successfully and securely, please refer to the report by our Financial Services Technology team on the issue [2].
Early engagement with regulators is critical, even before the Cloud adoption conversation is raised internally at Board level, and certainly well before the Go-Cloud decision phase. This engagement also needs to be maintained throughout the entire lifecycle of the Cloud strategy, through to the monitoring phase. At any one time, regulators will have a number of applications to deal with, and will need time to review, clarify and provide feedback on the plan. Early engagement allows firms to build regulatory considerations into the design and planning process and before contract negotiations begin in earnest with the CSPs. Importantly, firms should tailor their regulatory engagement strategy on a case-by-case basis, given that the risks are highly dependent on the function outsourced, especially if it is critical, and on the model adopted for outsourcing (refer to Blog 1).
In many areas, such as the quantum of regulatory capital or the degree of conservatism needed in internal models, there can be a strong difference in views between the regulator and the regulated about what the “right” outcome is. However, when it comes to migration to the Cloud, the interests of the regulator and the regulated should be more closely aligned. Indeed, while regulators approach the Cloud and its associated risks from a system-wide perspective, they also recognise the benefits that the technology can bring to the overall resilience of the financial sector. Therefore, a shift in “regulatory engagement mindset” is key: firms need to consider how best to engage in a constructive dialogue, covering both the detailed technical risk and governance aspects of the Cloud programme, as well as presenting a clear, realistic timeline and budget for their Cloud programme.
While the cost and benefits of moving to the Cloud are a key driver of the business case, the ability to deliver business objectives (i.e. resilience of critical functions and continuity of business services) is also essential. A robust and long-term business case should therefore be established before embarking on the Cloud migration programme, and revised as and when needed along the programme’s lifecycle, through to the go-live stage.
The Board and senior management team, across all three lines of defence, should consider fully the business and regulatory risks. Understanding these risks will help programmes to design specific measures to ensure they are controlled.
A significant part of the business case focuses on the choice of CSP. Rather than defaulting to one of the largest providers, firms should carefully select CSPs that understand the FS industry and the regulatory requirements applicable to it, as well as the business needs and objectives of the outsourcing firm. At the earliest stage of the Cloud migration lifecycle, firms should engage in a collaborative relationship with CSPs and get to grips with the latter’s strategy and service roadmap. That is, ensure that the CSPs’ future projects are broadly aligned with the firm’s Cloud and business objectives, in order to prevent the need to change CSPs or face vendor lock-in a few years down the line.
Establishing a clear timeline for the Cloud programme should also be a key component of the business case, particularly at the point of regulatory engagement, for firms to show to regulators the extent to which their Cloud strategy has been thought through as part of their longer-term operational transformation plans.
Developing the appropriate skills and capability across the three lines of defence, across business teams and at Board and senior management level is essential. This implies being proactive about recruiting people with the relevant skills, and also training the relevant staff within the firm, including at Board level, on the key benefits and risks associated with Cloud outsourcing and the shared responsibility model. Getting the Board up to speed will be particularly important, as the new Cloud environment will significantly affect the internal dynamics and operations within the firm, across the whole business.
The need to have relevant skills and expertise is even more critical at the points of testing and designing robust risk management controls and tests of the Cloud programme. This will be key for firms to demonstrate to regulators their preparedness and the robustness of their risk and control environment before going live and afterwards.
Beyond the Cloud migration process per se, Cloud computing also enables new, Agile [3] ways of working as staff are provided with new tools to enable them to take advantage of Cloud features, and can enable a reduction in headcount, given that the CSP can take over certain tasks previously undertaken by firms’ own staff. However, regulators and supervisors will also want to ensure that firms maintain the appropriate number of staff with the relevant skills to oversee the Cloud programme and deploy contingency plans whenever necessary.
A governance framework with three distinct and separate lines of defence and IT issues dealt with in silos may not work in a Cloud environment. In the absence of robust and tailored Cloud governance, firms run the risk of: (i) implementing a Cloud strategy that is not suited to the needs of the business; (ii) not being able to supervise Cloud outsourcing arrangements across the business, including for regulatory purposes (e.g. reporting); and (iii) not being able to address the risks effectively in case of a failure or IT outage at the CSP level. Firms’ legacy environment may also prevent them from leveraging the benefits of new ways of working (e.g. Agile, DevOps [4]) enabled by the adoption of a Cloud service.
From the Go-Cloud decision stage, through to programme initiation and beyond, firms need to ensure that Cloud deployment is within their risk appetite, and that risks can be rapidly escalated and explained to the Board. This will require, from the onset of the Cloud migration programme, defining responsibilities clearly across different teams, and assigning accountabilities accordingly for regulatory purposes. This will also require the first line of defence to have the appropriate level of skills and understanding of the Cloud programme deployed throughout the firm to respond to risks effectively and in a timely manner.
Cloud adoption brings with it significant non-financial and operational resilience risks, which the Risk Function must assess carefully. Chief Risk Officers should therefore have a robust understanding of their firm’s Cloud strategy, be engaged at a more strategic level and accept that they will be held accountable for understanding the risks, and questioned, including by regulators, in a more intrusive manner. In our view, regulators expect Risk Functions to consider technology resilience as a key part of their portfolio.
A review of firms’ risk management frameworks is needed to adapt them to the new Cloud strategy. Cloud touches all aspects of the business, from vendor management through to identity and access management, and risks need to be assessed for the extent to which they affect various parts of the business.
Firms should not rely solely on the risk and control reports which the vendor provides but should perform the same risk mitigation activities as they would for any other service provider. In particular, firms should obtain their own assurance that an adequate plan can be implemented in case of an adverse event, and should have disaster recovery strategies to keep operating at a minimum level of services if their CSP(s) were to fail. A key part of an efficient disaster recovery strategy should focus on developing capabilities to transfer activities back in-house whenever and for as long as necessary. Another way to manage supplier risk is to use open standards or non-proprietary applications which can be easily transferred to other CSPs. Some firms have opted for splitting activities across various CSPs, so that services such as data storage, communications and computing can quickly be moved from one CSP to another [5].
To obtain this ongoing assurance from CSPs, the Audit and Risk Functions need to be involved from the outset to test the robustness of the arrangements with CSPs and to obtain relevant assurance from the CSPs and business teams where resilience responsibilities are shared. Additionally, firms need to build a holistic end-to-end risk assessment framework with input from both technical and business teams.
Importantly, there should be a clear allocation of ownership within the business for control implementation and the design of the risk and control framework. This too will contribute to firms making a strong business case to the regulator as to the robustness of their capabilities and their preparedness to implement their Cloud strategy.
As part of any Cloud arrangements, a clear and robust exit plan from the CSP contract needs to be drawn up at the start. Well before signing their contracts with CSPs, firms should know the modalities of exiting their arrangements with CSPs, including the back-up plans needed to mitigate any risks associated with switching to alternative CSPs or bringing activities back in-house.
Our experience of client projects has revealed that, given the scope of integration between the firm and the CSP, the process of fully exiting a CSP’s services usually takes much longer than what is allowed for in the usual contractual terms determined by the provider (30-60 days). Therefore, when negotiating the contract with the chosen CSP, firms should focus on assessing the time needed for them to exit the CSP fully, and agree in the contract a bespoke deadline after which the CSP will stop providing its services, in a way that does not lock in or affect the business continuity of the firm.
From the outset of designing their Cloud strategy, firms should also think about the extent to which their applications use unique proprietary components, how easily these applications can be transferred to alternative CSPs, and monitor the availability of such applications in the market to anticipate lock-in risks early enough.
Conclusion: the need for a cultural and skill shift
Cloud adoption and migration are here to stay and grow. We are only at the early stages.
Successful Cloud adoption is critical, not only for cost-effectiveness, but also to reduce firms’ risks associated with the maintenance of complex legacy IT environments, and to enable them to leverage the power of Big Data and other technologies such as AI to offer more bespoke, tailored products to their customers.
Regulators, having been cautious, some would argue even hostile, to Cloud adoption/migration, are becoming more positive, at least in some countries.
Firms can help overcome some of this regulatory caution by demonstrating that they have fully thought through their Cloud migration programme. That is, they should have assessed the risks of migrating to the Cloud, and developed the appropriate governance and risk and control frameworks to tackle these risks and operate on the Cloud securely in the long term. In our view, some firms have brought problems, and delays, on themselves by not engaging with regulators effectively and not dealing with the risks comprehensively.
But ultimately regulators will be concerned about the system-wide risk in a way that individual firms and their Boards will not be. The best that individual FS firms can do to alleviate or mitigate this is to demonstrate to regulators that they have put their own house in order. Thinking through the considerations set out in this blog series will help them do this.
[1] Refer to the BoE’s response to the Future of Finance report.
[2] Refer to Deloitte Report (2019): “Getting Cloud right: How can banks stay ahead of the curve?”.
[3] Agile has roots in accelerated software development and has evolved as more processes move into a “digital first” model of operation for businesses and teams. At the core is a set of ways of working for transformation and business teams, using methodologies that differ significantly from a traditional planned “Waterfall” task delivery, with more emphasis on individuals and interactions between specialists, early access to real prototypes, iterative requirements with customer collaboration, flexibility, speed and responsiveness to change.
[4] DevOps is a software delivery approach, culture, or practice that brings development teams and other IT stakeholders together to achieve a common business goal of delivering work faster while maintaining excellence in quality (Deloitte report, 2017).