Other parts of this series:
A step-by-step framework for assessing and mitigating operational risks can be a critical element in effectively migrating to cloud-based solutions and meeting regulatory requirements at the same time.
Migrating to cloud-based solutions can be a daunting task for financial services institutions, considering the complex financial services regulatory environment. In my first post of this two-post blog series, I introduced the Accenture Cloud Risk & Regulatory Compliance Framework for financial services institutions that are migrating to cloud-based solutions. In this post, I’ll explain how the process works.
Assess operational risk across eight dimensions
The Accenture Cloud Risk & Regulatory Compliance Framework assesses a financial institution’s operational risk along eight key dimensions, with each evaluated risk mapped to specific regulatory regimes and frameworks that include:
- Regulations and guidelines such as the Monetary Authority of Singapore’s Technology Risk Management Guidelines, the General Data Protection Regulation (GDPR), and the Cloud Security Alliance Cloud Control Matrix
- Regulatory agencies and associations such as the European Union Agency for Network and Information Security (ENISA,) the Financial Conduct Authority (FCA) and the Bank of Thailand (BOT)
- Frameworks such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST)
The first step in assessing and mitigating risks is reviewing the evidence provided by the cloud-based programs. Through this review, gaps are identified and eight operational risk dimensions are probed.
Within the Accenture Cloud Risk & Regulatory Compliance Framework, the Cloud Operational Risk Assessment Tool helps conduct the operational risk assessments. The tool calculates the risk exposure based on the following three factors:
- Risk Rating: Firms have their own risk rating/impact parameters, typically set from low to high. The risks are reviewed, with stakeholders’ agreement on the risk rating to be used.
- Control Implementation Maturity Level: The maturity level of controls is analyzed by reviewing the institution’s policies, and the cloud service provider controls evidence and planning evidence for the proposed solution―rating them from low to high.
- Exposure Score: Based on the risk rating and implementation level, an exposure score is calculated. It increases if the associated risk rating is high and control implementation maturity is low.
It typically takes 12 weeks to conduct the assessment, run the tool and develop a set of recommendations, but that can vary based on the assessment’s scope.
Quickly identify risk gaps and develop corrective actions
By using a structured and comprehensive approach, the Accenture Cloud Risk & Regulatory Compliance Framework helps quickly identify risk gaps and develops a set of corrective actions that conform to regulators’ expectations. The approach is flexible, and the assessment and delivery of core components can be accomplished at any point during the migration journey―although our recommendation is to incorporate it during the discovery and strategy phases.
With the right tools and clear, concise information, banks and other financial services firms can plan more effectively and better mitigate risk as they transition to cloud-based solutions.
Get more detailed information about Accenture’s Cloud Risk & Regulatory Compliance Framework.