compliance in the cloud - opentext business network · patty hines, gxs director, financial...
TRANSCRIPT
Compliance in the Cloud: Raising the Bar in Financial Services
Patty Hines, GXS, Director, Financial Services Industry Marketing
Rod Nelsestuen, CEB TowerGroup, Senior Research Director, Financial Services
2 © 2012 The Corporate Executive Board Company. All Rights Reserved.
ROAD MAP FOR THE PRESENTATION
Achieving High Performance in the Cloud Supply Chain
Technology for Assurance, Insight & Compliance
Creating Seamless Compliance in the Cloud
Visibility & Reducing Operational Risk in the Cloud
The business problem: The cloud lacks transparency and threatens performance through a diverse business model
[Diagram labels: FINANCIAL INSTITUTION; International Payments; CRM; Sales Management; Financial Applications; Business Intelligence; AML SaaS; Fraud; HR and Accounting; Mash-ups; B to Bank Transactions; B to B Transactions; Outsourced Back Office]
Data quality, latency, security, and compliance at risk; financial institutions lack controls, information insight, and process transparency
Source: TowerGroup
And it’s not just external: Virtualization and the rise of the private cloud creates data risk inside and outside the firewall
Hardware
Network
Desktop
Software
Storage
Operating System
Savings
Power savings
Cooling savings
Hardware savings
License savings
Space savings
People savings
Benefits
Resource flexibility
Backup, failover
Free up resources
Computing speed
Just-in-time IT
Monitor, react, adjust
Meanwhile the range of business needs for real time insight of indisputable quality has grown dramatically
Analytical (identify and solve a point problem, change/improve a function, accelerate a line of business)
Historical (sorting tribal knowledge from tribal myth)
Predictive (It’s about the future, stupid)
Compliance (Basel, Solvency, MiFID)
Risk (market, credit, operational)
Customer/Market (CRM with profit)
Operational (process improvement, reengineering, cost reduction)
Performance (benchmarking and best practice measurement)
Enterprise (corporate performance management)
Cloud computing expands sourcing for new IT products and services
[Timeline figure, axis: 1970, 1985, 2000, 2004, 2009, 2015. Sourcing models: Facilities and Data Center Management; General Outsourcing; Software as a Service (SaaS); Platform and Infrastructure as a Service (P/IaaS); Application Service Provider (ASP), Managed Services, BPO; Business Technology as a Service (TaaS). Other labels: Expense Reports; Customer Relationship Management; Sales Management; Financial Applications; Business Intelligence; Business Applications; Mash-ups On demand; Cloud Applications; Variable Intelligence; HR and Accounting; Social Intelligence; Configure the Business?]
Began with reference data and market research
Evolution from discrete services and parts of processes to wholesale business operations results in new data management challenges
Source: TowerGroup
A strong business case for data assurance exists for strategic, customer, and transactional reasons
[Diagram labels: Mails check; Malaysia based MNC; Vietnam based supplier; P Payment opportunity; Bank Regional Service Center; Product Inquiry; Global Fulfillment System; MNC has new bank product in Europe; BI; New business opportunity; Cross sell opportunity]
Source: CEB TowerGroup
Speed of decision is real time
Operational risk: at transaction, CRM, revenue, and business levels
And regulation is always key: July 2012 FFIEC guidance on data in the cloud (US institutions)
Guidance without specifics (in itself, an operational risk)
Data classification: How sensitive?
Data segregation: Shared resources?
Recoverability: DR/BCP?
Audit: Transparency?
Security: Human and IT elements?
Compliance: Knowledgeable vendor?
Source: FFIEC Information Technology Subcommittee, July 10, 2012
Cloud business models evolve in step-and-halt fashion, increasing complexity and magnitude of operational risk
Mainstream Model
Emerging Concepts
Future Model
Real-time products
Crowd sourcing
Crowd casting
Cannibalism
Continuous experimentation, analytics
Stuff, services, data, space
Data-driven business
- Mixed with traditional approaches to business
Clients develop product/service
- Conceive, configure, launch
Virtual social segmentation
Behavioral business model
Transactions will still count
Space shuttle
“Time/mind shuttle”
Challenges
Inertia
Investment
FUD
Regulation
Source: CEB TowerGroup
Solving the business problem of a diverse business model requires a central point of convergence
[Diagram labels: FINANCIAL INSTITUTION; International Payments; CRM; Sales Management; Financial Applications; Business Intelligence; AML SaaS; Fraud; HR and Accounting; Mash-ups; B to Bank Transactions; B to B Transactions; Outsourced Back Office; Vendor-managed solution]
Technology that examines data, ensures quality, compliance, & security, reports thoroughly, and is completely transparent
Source: TowerGroup
Operational risk is central to cloud business models
Security is viewed holistically, addressing technical, policy, and human aspects.
Regulation is viewed from an existing and anticipatory perspective.
Assurance refers to the continuous availability of the cloud services provided.
Performance entails meeting speed and latency demands, which vary greatly among industry segments.
Liability is the potential to be held legally responsible for errors, omissions, or wrongdoing that results in monetary damages beyond actual losses.
Operational risk overarches the other categories of risk.
[Diagram labels: Operational Risk; Regulation; Assurance; Performance; Security; Liability]
All risk is ultimately operational
Source: TowerGroup
Operational risks and internal concerns over cloud computing: FSIs ask key questions
Issue: Cloud providers have people involved in technology support
Question: What is your approach to making sure that the operations, which I no longer see, are sound and that I can trust not only the IT, but your company in general?
Issue: Governance changes when cloud computing mixes with traditional development
Question: How can I bring your cloud service under my IT governance model? Or, how do I change the model?
Issue: Intellectual capital is hard-won in financial services
Question: What can you do to assure me that my IP will not be compromised or shared?
Issue: FSIs have sunk costs in IT
Question: How can I leverage the existing investment in IT alongside your IT services?
Issue: The cloud threatens internal IT
Question: How do I avoid disintermediation of my IT architecture? How do I manage business units that decide to use the cloud outside of IT? Will cloud computing ultimately replace me?
Issue: Disintermediation of IT resources
Question: Rather than an add-on, doesn’t cloud computing just cannibalize my current IT environment?
Issue: Understanding the business is important for IT today
Question: What level of domain expertise do you have and how can that help me serve my business units?
Evaluating and managing risks in cloud computing
Cloud Computing Issue: Private clouds overcome some of the angst over security
Implications: But still a concern given that some business units, lines of business, and even functions (asset/liability management vs FX services vs payments processing) must have separation
Potential Actions: Track data authorization, data movement, delivery, and deliver enterprise reporting
Cloud Computing Issue: Impact of new cross-industry consumer protection regulations
Implications: Expanded consumer protections include the ability to know where information is, when it has been accessed, processed, or changed, and require increased security measures. Non-compliance fines are growing
Potential Actions: Consolidate the flow of data for better visibility, controls, and quality
Cloud Computing Issue: Lack of universal agreement on enterprise definition of cloud computing
Implications: Creates a challenge to cloud computing as a mainstream approach to IT and IT-enabled services
Potential Actions: Adopt standards-based definitions and demand the same of vendors
Cloud Computing Issue: Separate instances for security versus multitenancy for efficiency
Implications: Separate instances lose some of the cost efficiencies of the multitenancy approach, while new security standards for multitenancy technologies continue to emerge
Potential Actions: Focus on control, customization, and optionality in deciding which approach to take, observe security model improvement
Cloud Computing Issue: High profile data loss events dampen enthusiasm for cloud computing
Implications: Need to address data losses and acknowledge problems, then solve them – honesty is key
Potential Actions: Create layered security model with real time exception reporting
Cloud vendors are turning negatives to positives in managing transactional and data risk
Leverage a single data assurance platform across all transactional areas to reduce risk
Access continuous vendor upgrades to security and transaction assurance and visibility
Pursue technology that adheres to global standards (and maybe participates in setting them)
Vendors with domain expertise extend the value of data beyond its own worth to ease regulatory compliance (Patriot Act in the US, Data Protection rules in the EU)
Backup, redundancy, recovery without dedicating internal resources
State of the art, continuous improvement in performance
[Diagram labels: Operational Risk; Regulation; Assurance; Performance; Security; Liability]
All risk is ultimately operational
The endgame: Managing the value of data goes beyond basic infrastructure to knowing the data’s function, and applying domain expertise to get it right
[Diagram labels: Scalability; Analytics; Enterprise data; Transaction data; File transfer; Data integration; Critical messages]
THROUGH ANY INTERFACE FROM ANY SOURCE TO ANY USER FOR ANY PURPOSE
Expansive coverage that is expected from today’s business intelligence
Today’s data management requires a layered approach, one that every vendor must demonstrate
Vendor domain expertise
Vendor technical expertise
Vendor infrastructure reliability
Source: CEB TowerGroup
Domain level: business purpose, value, compliance
Functional level: transaction, history, reporting
Infrastructure level: network performance, assurance, security
Conclusion
The cloud business model continues to grow and over time will become a mainstream element of most business operations
As the cloud grows, so does business complexity and the challenge of managing more data from more sources for:
− Business value
− Regulatory compliance
Transparency and visibility provide the proof of performance that is becoming ever more important
The best technology providers will augment their solutions with business operational knowledge and domain area expertise
Slide 21 | © 2012 GXS, Inc.
Visibility & Reducing Operational Risk in the Cloud Outsourcing, SaaS and Cloud
FFIEC: Outsourced Cloud Computing July 10, 2012
“When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. Vendor management, information security, audits, legal and regulatory compliance, and business continuity planning are key elements of sound risk management and risk mitigation controls for cloud computing.”
Mitigating Operational Risk
Market leading, experienced provider
Backup, redundancy, recovery
Controls and standardization
Continuous improvement, agile development
Cloud options – private/hybrid cloud
Free up internal IT resources
Off-load complexity
Experience with global standards
FFIEC: Outsourced Cloud Computing July 10, 2012
“Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing, and speed.”
Benefits of Cloud-Based Corporate-to-Bank Integration
Offers Scalability & Flexibility
Simplifies Connectivity
Provides End-to-End Visibility
Improves Collaboration
Simplifies Integration
Increases Security
Global Financial Services Outsourcing by Type of Service (2010–15P)
2010–15P compound annual growth rate for outsourcing nears 11%
Total spending on outsourcing rises from $68 billion to $116 billion
− Outsourced cloud (public cloud) growth from $2.35 billion to $10.8 billion
− Managed services from $6 billion to $18.6 billion
− Infrastructure (ITO) from $19 billion to $27 billion
− ADM from $32 billion to $36 billion (cloud factor)
− BPO from $8 billion to $23 billion (IT integration, KPO impact)
[Chart: outsourcing spending by type of service, 2010 to 2015, USD in billions. Series: Cloud Services; Managed Services; Application (ADM); Business Process (BPO); Infrastructure]
Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11
TowerGroup: A Surge in Managed Services
Larger FSIs will find this mode of outsourcing attractive to assure standardization of a service with SLAs that can be adjusted as business conditions change across the contract life cycle
Managed services will grow from $6 billion in 2010 to more than $18.5 billion by 2015, a 25% CAGR
The rapid growth rate will be driven in part by islands of expertise that vendors are developing that will offer state-of-the-art technology and industry-leading knowledge, coupled with expertise in compliance, which will be attractive to FSIs faced with higher costs for in-house services
The rate of growth of managed services will depend on the vendors' ability to provide the transparency that FSIs need in the face of stiffer regulations
Source: TowerGroup, Sourcing, Resourcing, or Outsourcing: Globalizing Operations in Financial Services by 2015, Rodney Nelsestuen, #V68:02ALL, 07/18/11
Visibility and Data Assurance in the Cloud
24x7 Support
Lifecycle Visibility
Tracking / Monitoring
Document Queries
Community Support
Problem Tracking
Issue Resolution
Global Support
Global Operations
Transaction Management
Mapping
Translation
TP Implementation
Event Mgmt
Business Rules
Reporting
Global Infrastructure
Message Brokering
Private Network Communications
Secure Internet Communications
GXS Managed Services
FINANCIAL
INSTITUTION
Payments
Foreign Exchange
Securities
Cash Management
Commercial Finance
Merchant Services
Group Benefits
Treasury
Thank You and Q&A
Rod Nelsestuen, CEB TowerGroup, Senior Research Director, Financial Services
E-mail: [email protected]
@gxsfs
Patty Hines, CTP, GXS, Director, Financial Services Industry Marketing
E-mail: [email protected]
Thank You for Your Participation! For More Information…
GXS web sites
US: www.gxs.com
EMEA: www.gxs.eu
ASPAC: www.gxs.asia.com
Japan: www.gxs.co.jp
Phones
US: 1-800-334-5669, option 3
EMEA: +44 (0) 1932 776047
ASPAC: +852 2884 6088
Japan: +81-3-5574-7545