Compliance in the Cloud - OpenText Business Network

Compliance in the Cloud: Raising the Bar in Financial Services

Patty Hines, GXS, Director, Financial Services Industry Marketing
Rod Nelsestuen, CEB TowerGroup, Senior Research Director, Financial Services

Post on 28-Jul-2020


2 © 2012 The Corporate Executive Board Company. All Rights Reserved.

ROAD MAP FOR THE PRESENTATION

Achieving High Performance in the Cloud Supply Chain
Technology for Assurance, Insight & Compliance
Creating Seamless Compliance in the Cloud
Visibility & Reducing Operational Risk in the Cloud

The business problem: The cloud lacks transparency and threatens performance through a diverse business model

Diagram labels: FINANCIAL INSTITUTION; International Payments; CRM; Sales Management; Financial Applications; Business Intelligence; AML SaaS; Fraud; HR and Accounting; Mash-ups; B to Bank Transactions; B to B Transactions; Outsourced Back Office

Data quality, latency, security, and compliance at risk; financial institutions lack controls, information insight, and process transparency

Source: TowerGroup

And it’s not just external: Virtualization and the rise of the private cloud create data risk inside and outside the firewall

Diagram labels: Hardware; Network; Desktop; Software; Storage; Operating System

Savings: Power savings; Cooling savings; Hardware savings; License savings; Space savings; People savings

Benefits: Resource flexibility; Backup, failover; Free up resources; Computing speed; Just-in-time IT; Monitor, react, adjust

Meanwhile the range of business needs for real time insight of indisputable quality has grown dramatically

Analytical (identify and solve a point problem, change/improve a function, accelerate a line of business)

Historical (sorting tribal knowledge from tribal myth)

Predictive (It’s about the future, stupid)

Compliance (Basel, Solvency, MiFID)

Risk (market, credit, operational)

Customer/Market (CRM with profit)

Operational (process improvement, reengineering, cost reduction)

Performance (benchmarking and best practice measurement)

Enterprise (corporate performance management)


Cloud computing expands sourcing for new IT products and services

Timeline figure (axis marks: 1970, 1985, 2000, 2004, 2009, 2015). Labels: Facilities and Data Center Management; General Outsourcing; Software as a Service (SaaS); Platform and Infrastructure as a Service (P/IaaS); Application Service Provider (ASP), Managed Services, BPO; Expense Reports; Customer Relationship Management; Sales Management; Financial Applications; Business Intelligence; Business Applications; Mash-ups On demand; Cloud Applications; Variable Intelligence; Business Technology as a Service (TaaS); HR and Accounting; Began with reference data and market research; Social Intelligence; Configure the Business?

Evolution from discrete services and parts of processes to wholesale business operations results in new data management challenges

Source: TowerGroup

A strong business case for data assurance exists for strategic, customer, and transactional reasons

Diagram labels: Mails check; Malaysia-based MNC; Vietnam-based supplier; Payment opportunity; Bank Regional Service Center; Product Inquiry; Global Fulfillment System; MNC has new bank product in Europe; BI; New business opportunity; Cross sell opportunity

Speed of decision is real time

Operational risk: at transaction, CRM, revenue, and business levels

Source: CEB TowerGroup

And regulation is always key: July 2012 FFIEC guidance on data in the cloud (US institutions)

Guidance without specifics (in itself, an operational risk)

Data classification: How sensitive?

Data segregation: Shared resources?

Recoverability: DR/BCP?

Audit: Transparency?

Security: Human and IT elements?

Compliance: Knowledgeable vendor?

Source: FFIEC Information Technology Subcommittee, July 10, 2012


Cloud business models evolve in step-and-halt fashion, increasing complexity and magnitude of operational risk

Column headings: Mainstream Model; Emerging Concepts; Future Model

Figure labels: Real-time products; Crowd sourcing; Crowd casting; Cannibalism; Continuous experimentation, analytics; Stuff, services, data, space; Data-driven business - Mixed with traditional approaches to business; Clients develop product/service - Conceive, configure launch; Virtual social segmentation; Behavioral business model; Transactions will still count; Space shuttle; “Time/mind shuttle”

Challenges: Inertia; Investment; FUD; Regulation

Source: CEB TowerGroup

Solving the business problem of a diverse business model requires a central point of convergence

Diagram labels: FINANCIAL INSTITUTION; International Payments; CRM; Sales Management; Financial Applications; Business Intelligence; AML SaaS; Fraud; HR and Accounting; Mash-ups; B to Bank Transactions; B to B Transactions; Outsourced Back Office; Vendor-managed solution

Technology that examines data, ensures quality, compliance, & security, reports thoroughly, and is completely transparent

Source: TowerGroup


Operational risk is central to cloud business models

Security is viewed holistically, addressing technical, policy, and human aspects.

Regulation is viewed from an existing and anticipatory perspective.

Assurance refers to the continuous availability of the cloud services provided.

Performance entails meeting speed and latency demands, which vary greatly among industry segments.

Liability is the potential to be held legally responsible for errors, omissions, or wrongdoing that results in monetary damages beyond actual losses.

Operational risk overarches the other categories of risk.

Diagram labels: Operational Risk; Regulation; Assurance; Performance; Security; Liability

All risk is ultimately operational

Source: TowerGroup

Operational risks and internal concerns over cloud computing: FSIs ask key questions

Issue: Cloud providers have people involved in technology support
Question: What is your approach to making sure that the operations, which I no longer see, are sound and that I can trust not only the IT, but your company in general?

Issue: Governance changes when cloud computing mixes with traditional development
Question: How can I bring your cloud service under my IT governance model? Or, how do I change the model?

Issue: Intellectual capital is hard-won in financial services
Question: What can you do to assure me that my IP will not be compromised or shared?

Issue: FSIs have sunk costs in IT
Question: How can I leverage the existing investment in IT alongside your IT services?

Issue: The cloud threatens internal IT
Question: How do I avoid disintermediation of my IT architecture? How do I manage business units that decide to use the cloud outside of IT? Will cloud computing ultimately replace me?

Issue: Disintermediation of IT resources
Question: Rather than an add-on, doesn’t cloud computing just cannibalize my current IT environment?

Issue: Understanding the business is important for IT today
Question: What level of domain expertise do you have and how can that help me serve my business units?

Evaluating and managing risks in cloud computing

Cloud Computing Issue: Private clouds overcome some of the angst over security
Implications: But still a concern given that some business units, lines of business, and even functions (asset/liability management vs FX services vs payments processing) must have separation
Potential Actions: Track data authorization, data movement, delivery, and deliver enterprise reporting

Cloud Computing Issue: Impact of new cross-industry consumer protection regulations
Implications: Expanded consumer protections include the ability to know where information is, when it has been accessed, processed, or changed, and require increased security measures. Non-compliance fines are growing
Potential Actions: Consolidate the flow of data for better visibility, controls, and quality

Cloud Computing Issue: Lack of universal agreement on enterprise definition of cloud computing
Implications: Creates a challenge to cloud computing as a mainstream approach to IT and IT-enabled services
Potential Actions: Adopt standards-based definitions and demand the same of vendors

Cloud Computing Issue: Separate instances for security versus multitenancy for efficiency
Implications: Separate instances lose some of the cost efficiencies of the multitenancy approach, while new security standards for multitenancy technologies continue to emerge
Potential Actions: Focus on control, customization, and optionality in deciding which approach to take, observe security model improvement

Cloud Computing Issue: High profile data loss events dampen enthusiasm for cloud computing
Implications: Need to address data losses and acknowledge problems, then solve them – honesty is key
Potential Actions: Create layered security model with real time exception reporting

Cloud vendors are turning negatives to positives in managing transactional and data risk

Leverage a single data assurance platform across all transactional areas to reduce risk

Access continuous vendor upgrades to security and transaction assurance and visibility

Pursue technology that adheres to global standards (and maybe participates in setting them)

Vendors with domain expertise extend the value of data beyond its own worth to ease regulatory compliance (Patriot Act in the US, Data Protection rules in the EU)

Backup, redundancy, recovery without dedicating internal resources

State of the art, continuous improvement in performance

Diagram labels: Operational Risk; Regulation; Assurance; Performance; Security; Liability

All risk is ultimately operational

The endgame: Managing the value of data goes beyond basic infrastructure to knowing the data’s function, and applying domain expertise to get it right

Diagram labels: Scalability; Analytics; Enterprise data; Transaction data; File transfer; Data integration; Critical messages

THROUGH ANY INTERFACE FROM ANY SOURCE TO ANY USER FOR ANY PURPOSE

Expansive coverage that is expected from today’s business intelligence

Today’s data management requires a layered approach, one that every vendor must demonstrate

Vendor domain expertise

Vendor technical expertise

Vendor infrastructure reliability

Source: CEB TowerGroup

Domain level: business purpose, value, compliance

Functional level: transaction, history, reporting

Infrastructure level: network performance, assurance, security


Conclusion

The cloud business model continues to grow and over time will become a mainstream element of most business operations

As the cloud grows, so does business complexity and the challenge of managing more data from more sources for:

− Business value

− Regulatory compliance

Transparency and visibility provide the proof of performance that is becoming ever more important

The best technology providers will augment their solutions with business operational knowledge and domain area expertise

Slide 21 | © 2012 GXS, Inc.

Visibility & Reducing Operational Risk in the Cloud

Outsourcing, SaaS and Cloud

FFIEC: Outsourced Cloud Computing, July 10, 2012

“When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing.”

Mitigating Operational Risk

Market leading, experienced provider

Backup, redundancy, recovery

Controls and standardization

Continuous improvement, agile development

Cloud options – private/hybrid cloud

Free up internal IT resources

Off-load complexity

Experience with global standards

FFIEC: Outsourced Cloud Computing, July 10, 2012

“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.”

Benefits of Cloud-Based Corporate-to-Bank Integration

Offers Scalability & Flexibility

Simplifies Connectivity

Provides End-to-End Visibility

Improves Collaboration

Simplifies Integration

Increases Security

Global Financial Services Outsourcing by Type of Service (2010–15P)

2010–15P compound annual growth rate for outsourcing nears 11%

Total spending on outsourcing rises from $68 billion to $116 billion

− Outsourced cloud (public cloud) growth from $2.35 billion to $10.8 billion

− Managed services from $6 billion to $18.6 billion

− Infrastructure (ITO) from $19 billion to $27 billion

− ADM from $32 billion to $36 billion (cloud factor)

− BPO from $8 billion to $23 billion (IT integration, KPO impact)

Chart (USD in billions, 2010 to 2015). Series: Cloud Services; Managed Services; Application (ADM); Business Process (BPO); Infrastructure

Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11

TowerGroup: A Surge in Managed Services

Larger FSIs will find this mode of outsourcing attractive to assure standardization of a service with SLAs that can be adjusted as business conditions change across the contract life cycle

Managed services will grow from $6 billion in 2010 to more than $18.5 billion by 2015, a 25% CAGR

The rapid growth rate will be driven in part by islands of expertise that vendors are developing that will offer state-of-the-art technology and industry-leading knowledge, coupled with expertise in compliance, which will be attractive to FSIs faced with higher costs for in-house services

The rate of growth of managed services will depend on the vendors' ability to provide the transparency that FSIs need in the face of stiffer regulations

Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11

Visibility and Data Assurance in the Cloud

Diagram labels: 24x7 Support; Lifecycle Visibility; Tracking / Monitoring; Document Queries; Community Support; Problem Tracking; Issue Resolution; Global Support; Global Operations; Transaction Management; Mapping; Translation; TP Implementation; Event Mgmt; Business Rules; Reporting; Global Infrastructure; Message Brokering; Private Network Communications; Secure Internet Communications; GXS Managed Services

FINANCIAL INSTITUTION: Payments; Foreign Exchange; Securities; Cash Management; Commercial Finance; Merchant Services; Group Benefits; Treasury

Thank You and Q&A

Rod Nelsestuen, CEB TowerGroup
Senior Research Director, Financial Services
E-mail: [email protected]

@gxsfs

Patty Hines, CTP, GXS
Director, Financial Services Industry Marketing
E-mail: [email protected]

Thank You for Your Participation! For More Information…

GXS web sites

US: www.gxs.com

EMEA: www.gxs.eu

ASPAC: www.gxs.asia.com

Japan: www.gxs.co.jp

Phones

US: 1-800-334-5669, option 3

EMEA: +44 (0) 1932 776047

ASPAC: +852 2884 6088

Japan: +81-3-5574-7545