
Externalizing our data? You must be joking. 

When I was a young project manager in a small but famous finance house, about 25 years ago, I once dared to pretend that risk management operations and applications would be standardized in the future – and therefore, possibly, also externalized. Everyone in the room appreciated my joke or what they considered to be a joke. 

A couple of years later, being responsible for the regulatory reporting IT as well as some key risk management systems of a large European bank, one of my tasks was to facilitate the first ever move of the bank’s infrastructure to outsourcing partners, including large infrastructure management companies. And this, remarkably, was at the beginning of the 2000s. 

I remember when I met a very famous founder of one of the largest risk management companies at that time at a conference in Vienna. I got strong support from him while I was being bashed by conference participants for saying that in the future, risk calculations and data storage would certainly be externalized. 

Now, almost 20 years later, the world has obviously discovered the multiple and indisputable benefits of cloud, regulatory reporting hubs and shared risk pools. However, a large number of organizations have remained heavily reluctant to make this type of change – or at least they were until last year.

By the way, it was not only a reluctance toward cloud, but also toward work from home and many other emerging operating models.

And then came COVID. 

Are you focussing on your core capabilities, or rather, trying to play with fire? 

It is interesting to note that in almost any industry but banking, insurance and financial services, the acceptance of cloud has been remarkable over the last couple of years. More than 95 percent of the projects I was involved in over the last three years were cloud based and not on premises.

But for some reason unbeknown to me, the financial industry was still cloud shy. Why? I suspect because most of the data that banking, financial services and insurance companies (BFSIs) process is customer data. So, if you shift and process millions of records about plant and production information, nobody will probably care. But if you externalize one single record with personal data or account data of one of your customers, this will be a very different topic.

Now, having been a banker for 15 years, I just wonder, “What should be my core capability – as a banker – and why should I be a better infrastructure manager compared to dedicated infrastructure managers?” 

I have seen so many issues over the last couple of years with BFSI homegrown infrastructure, that I would be extremely reluctant today NOT to go for the cloud. Why? 

  • Skills and resources challenges. Infrastructure skills are often not available (from database to middleware management, infosec, etc.).
  • Skills uplift/update for key resources on infrastructure side. Due to ever-changing standards and increasing requirements, such uplift effort and costs are reasonable for an infrastructure manager, but maybe not for the IT department of a tier 2/tier 3 bank. 
  • If any resources with such skills are supposed to be available, continuous bottlenecks exist due to the fact that such resources are not freely available, or there are missing skills, or no backup/deputy, etc. As a result, in a recent project I was in, it took months – instead of days – to get just a simple sandbox up and running. 
  • Homecooked solutions can be very risky, such as using UAT environments for BCP purposes when there is no suitable synchronization in place to reduce replication costs. 
  • Substantial bottlenecks for timely infrastructure upgrades exist when required for business purposes. In some cases, it took over 20 weeks to get such an upgrade. 
  • A further example was raised to me by one of my customers. “Chris,” he said, “this is about accountability. I can settle very strong SLAs with external vendors. And then I will incur very high penalties in case of failure, which will include service credits, etc.” But how could I do this with my own IT? Is Department A of the bank going to sue Department B for suitable damage compensation? That just does not work.

 
Cloud: tackling the risks 

So, what are the cloud benefits on the other side? Obviously, there are plenty of marketing brochures on the topic, but I’d like to focus on the real benefits reported by my customers.

  • First of all, cloud compliance is easy to manage: clearly identified standards, certifications, PenTesting, IDMS, etc. It’s easy to prove with a top cloud provider that you meet the highest possible standards. Doing the same due diligence with your homegrown IT will be much more expensive and time-consuming.
  • Highly skilled, continuously available, trained and redundant at any time. You do not need to bother about a vacation or training/certification plan. And these should be required in all domains: application, middleware, database, monitoring, performance tuning and deployment, etc.
  • High performance and scalability standards immediately available at lower costs including full redundancy and failover solutions instead of compromising your UAT and production environments.  
  • Full scalability through full virtualization allows you to change environment parameters within minutes, without touching any infrastructure component. For instance, adding 50 percent more RAM and CPU to your production environment in order to support a substantial number of additional users to support a rollout in new regions. 
  • Clear SLAs, including penalties, service credits, and whatever you need, to feel more confident. 
  • And you may notice, I didn’t even mention economies of scale – so there’s the cost factor. One customer said, “Well, if I look at the cloud invoice, it’s simple and very clear. If I compare it to my internal IT calculation, the difference is all those hidden costs we have internally.” 
  • By the way, no cloud operator will see your data. It’s fully encrypted, and you, as the customer, manage the encryption keys. And not only is the database encrypted but also the data transfer.
  • So, I suspect some institutions should consider securing the USB ports and HDD drives of their desktop machines rather than claim the cloud is not safe. 

Since the beginning of the COVID crisis, many organizations have questioned their own infrastructure capability with respect to practicability, costs and efficiency.

And finally, the result is in. Yes, as I am writing these lines, even the most conservative organizations in Europe are now moving to the cloud. We see this with large Europe-based international organizations, and with leading financial institutions, including banks. Even in Switzerland, which has been a rather cloud-averse environment, the market is now massively adopting the new Swiss cloud with servers in Zurich and Geneva.

Bottom line: To be in the cloud – or not to be – that is the question.

To paraphrase, at the end of the day, you will not only be judged for the things you did but also for all those you did not dare to do. 

The paradigm shift is fairly simple: From now on, reputational and operational risks are coming less from being on a fully safe and secure cloud – as many of your competitors are – and more from sticking to old-fashioned and risky operating models.

Dear friends, wherever you are, please stay safe and healthy! 

About the author:

Chris Lesieur brings over 30 years’ experience in the design, implementation, management and monitoring of Governance, Risk and Compliance systems and solutions - gathered across multiple domains and industries - Banking, Insurance, Retail, Chemical, Pharmaceutical, Manufacturing, CPG, Aerospace, Automotive, Utilities & Military.