As firms navigate the requirements to meet regulations on outsourcing and third-party risk management, a significant number of challenges have been encountered across the regulated industry. This is especially true when adhering to the guidance on outsourcing to the cloud. This article dives into the main challenges organisations face, Wavestone’s recommended approach for thorough testing of cloud exit plans, and a view into what the future could hold for the cloud.
First challenge: Exit plan testing
A crucial element to an exit strategy is the need to develop, test, and implement comprehensive exit plans.
Much of the detail on exit plan testing is left to the regulated institutions to determine what is appropriate, in order to meet the expected outcomes. This has created a rather vexing problem for organisations right now: what needs to be tested? and when to test?
Exit planning can be a complex affair, but it does not need to be. To avoid getting into a ‘Gordian knot’ over testing, it is important to understand the intent of the exit planning requirements and focus on a ‘risk-based’ approach to exit strategy planning and testing, that is proportionate to the materiality and criticality of the services being provided.
Language and intent are important, and some organisations are struggling to understand where the parameters for testing are set i.e. how granular and deep do you go? When testing your exit plan, a central tenet is to test the effectiveness of the plan in order to fulfil the objectives set within your exit strategy. Regulators’ use of certain words, such as, ‘proportionate’ and ‘sufficient’ might appear challenging to translate and implement within the internal environment – but this does not need to be – if the context and outcomes are fully understood.
Wavestone advocates taking a ‘risk-based’ approach that requires companies to:
- Identify and anticipate possible risks associated with exit
- Implement proportional approaches that test the viability of the exit plan, exit components, so that it is actionable when necessary
- Carry out risk assessments and business impacts considerations, and define appropriate testing scenarios
- Ensure your cloud platform provides multiple instances for production, testing, and development
- Walk-through the future state, cloud migration plan, and validate the costs
- Check the availability of resources identified in the plan
- Above all, ensure that there is a repeatable exit lifecycle
Second challenge: Service outages
Organisations are increasingly adopting cloud computing for the various advantages it unlocks and the convenience it provides. Due to the high barriers to entry, there are a few cloud providers with a large share of the market, leading businesses to procure most of their services from one provider. Therefore, any disruption to the cloud provider services can become detrimental to a business.
In some cases, outages can cause serious disruptions to organisations’ business processes and more topical at the moment; ‘important business services’, depending on their choices in design and deployment. Additionally, cloud providers’ shared infrastructure means that an outage to one service can cause a far greater impact with a knock-on effect to other platforms, as seen recently with the Facebook outage where WhatsApp, Instagram and even third-party retail consumer sites using ‘Log in with Facebook’ authentication were down and inaccessible for 5 hours, preventing certain business activities being fulfilled. Furthermore, Facebook’s own internal systems such as security card access to their own offices and communication systems were also affected impacting the ability for Facebook to be resilient, which was critical to manage and resolve the outage.
Companies today need multiple copies of their data in different regions and must structure it intelligently, conduct instances in multiple zones and require automation to cut down the time it takes to fix an outage. Any preparation that firms undertake to mitigate the risk of service outages can also act as part of their exit plans, which is why it is important to address both challenges together.
Third Challenge: Contract negotiations
As part of an effective Third Party Risk Management Framework (TPRMF) and lifecycle, the focus on exit arrangements, service outages, and third party risk needs to be hard-wired into every step along that lifecycle. For example, contract requirements nowadays are shifting to reflect the changing risk landscape. Outsourcing arrangements have historically focused on contracting for tangible assets, but such arrangements have rapidly in the last few years moved to deal with intangible risks, such as how their data would be secured, managed, and extracted during the lifecycle whilst still being compliant with the rules to not outsource your risk, which can increasingly be challenging when the third party risk frontier has expanded further beyond the direct control of the primary and secondary contracting parties in an outsourcing relationship.
It can be a challenge to audit areas that are in the control of third parties, especially for the large cloud providers, who have amassed significant commercial bargaining power. However, this issue can be overcome in the contract stage, where regulated firms, the ‘buyers’, have the leverage to negotiate specific needs and hardwire testing requirements into the contract. After the contract has been signed, the leverage is severely reduced and cloud buyers may struggle to amend standing contracts.
Historically a lot of the focus of contract negotiations has been on the onboarding phase or the contract commercials, however, it is important that firms place an equal amount of weight into negotiating workable and executable exit provisions. These should be built into the legal and procurement processes, then handed over to BAU into the third-party management process. In the future, this will enable efficient safeguarding measures against issues such as outages as firms will be able to investigate and identify where there may be impactful shared service structures to the business and appropriately address these issues.