Bridge has partnered with Mark Zanon, a specialist consultant who advises superannuation funds on meeting their obligations, to investigate the consequences for funds of moving IT to the cloud. This is based on Mark’s experience in addressing APRA requirements and recent engagements completed by Bridge to assist funds in moving their IT infrastructure to the cloud.
It seems like everyone is moving to the cloud, or at least talking about it. Unfortunately, the term “cloud computing” is both misunderstood and misused.
What is Cloud Computing?
The financial services prudential regulator, APRA, defines cloud computing loosely as “a delivery model where dedicated or shared IT assets (software, hardware and data/information) are consumed as a service. This can comprise the provision of IT assets by a third party located offshore”.1
That’s quite general and it might not be the best way to explain the benefits of the cloud to a group such as the board of a superannuation fund. It will be more meaningful to describe some general characteristics:
With the modern and sophisticated nature of cloud computing systems, there are a number of misconceptions that, should they persist, can lead to uninformed decisions being made:
As an example, trustee and compliance reporting applications commonly utilise the
Managing APRA’s Expectations
All regulated entities’ licence conditions state they must advise the regulator of outsourcing of any ‘material business activities’. This includes activities which, if disrupted, have the potential to cause a significant impact on business operations or risk management. Depending on the significance of IT applications impacted, a move to cloud computing may fall under this definition.
There is an expectation from the regulator that detailed risk assessments be undertaken covering:
Your IT governance framework should contain a cloud strategy and appropriate risk management measures in alignment with APRA’s standards and guidelines around due diligence in these areas.
Apply This to Your Cloud Strategy
Build your cloud risk management strategy to manage the relevant risk types per above.
Share these with your cloud suppliers and hold them to the same standards and diligence as the regulator will hold you. Measure their performance and manage your risks.
Share these with APRA. Engage regularly with the regulator, especially on any intent to outsource or move to the cloud. Ensure a board-approved outsourcing policy is in place.
APRA is Embracing the Cloud
While the APRA standards and guidelines are complex, they lack a specific cloud reference. Thus, understanding their intent should form the basis for your IT risk framework around cloud services.
Sound governance and risk management are essential for any business or technology solution. Why not utilise APRA’s requirements to help manage cloud risks? It’s simply good practice!
1 APRA’s ‘Letter to Industry – Outsourcing and Offshoring’ 15 Nov 2010