
Cloud services in a disruptive business environment - the financial sector

IT is continuously changing. Within IT, cloud services have emerged and matured to such a degree that they can no longer be dismissed as an option for organizations in the financial sector. The opportunities are immense and, handled wisely, cloud services will balance the operational risks.

Risk management is a critical and basic process for organizations in the financial sector, especially with the 'EBA Guidelines on Internal Governance' (also called GL 44) outlining the importance of proper governance over IT and security, as it states that "Internal governance also encompasses sound IT systems, outsourcing arrangements and business continuity management".

Now what does that really mean? You could say business as usual for an organization with an organizational structure that manages internal controls in a proactive manner. If, in addition to proper access management and change management processes, you have thorough business continuity plans with the necessary tests, and you conduct third-party audits of your outsourcing providers on a regular basis, it is all in place. Unfortunately, that is not the reality for most organizations, due to mergers and acquisitions, changes to the organizational structure and other distractions.

Outsourcing in the financial sector is also common practice, but with cloud services the methods used to manage operational risks change. To some extent there is no difference, but in reality there is, because the possibility to control the IT environment is different. In a traditional outsourcing arrangement, you may ensure compliance with your requirements via a third-party audit using SSAE 16 (formerly SAS 70) attestation. For cloud services you commonly do not have the same possibility to tailor your requirements, as you only use the service without any information about the underlying details, especially when the cloud service is highly standardized and the provider is not available for a third-party audit. This is a huge difference that will force you to govern operational risks, as well as compliance with legislation and regulations, in other ways.

In handling this new situation, you need to take a strategic approach. You should still consider a third-party audit using SSAE 16 attestation, especially if you are used to it. An alternative you should take into account is using service providers certified according to both ISO/IEC 20001 (IT service management) and ISO/IEC 27001 (information security), because together they cover the key aspects of internal controls, and the certificates require the providers to audit their internal procedures in order to maintain them. Also consider an Enterprise Risk Management (ERM) approach combining the COSO and COBIT frameworks, because of their strength in internal controls; this will still require some kind of third-party audit, but it does not have to be as extensive as the SSAE 16 attestation.

Taking it one step further, you need to seek advice to identify what fits your organization, with a thorough analysis of cost/benefit versus operational risks. Cloud services could end up as an attractive alternative in a disruptive business environment.

John Wallhoff
Senior Manager
3gamma
john.wallhoff@3gamma.com
