If you’re in financial services, regulation changes related to data risk could shape your choice of cloud providers. According to the UK Operational Resilience Framework,1 which goes into effect on March 31, 2022, UK financial services organizations need to have exit plans for when “severe but plausible events” take place, to ensure that they can continue operating their businesses. In other words, these organizations will be required to be operationally resilient when such events occur. Data governance is key to accomplishing this.
To achieve operational resilience, UK financial services organizations need to first map out their Important Business Services (IBSes) and, for each, set, their impact tolerances. This will ensure that when these tolerances are met, the organizations have exit plans in place to switch over to another service, to continue operating their IBSes.
The UK Operational Resilience Framework also stipulates that UK financial services organizations factor in concentration risk within their supply chains. This means for “material outsourcing” arrangements, such as using a single cloud service provider, UK financial services organizations need to be aware when such concentration risks occur. These concentration risks can occur in material outsourcing arrangements to a single provider that is processing data related to the organization’s IBSses.
For example, if their third-party data processor is using Cloud Vendor 1, and their fourth data processor is also using Cloud Vendor 1, then a case of cloud concentration risk starts to develop. This risk needs to be carefully managed as part of each organization’s third-party risk management process.
Under this new regulation, UK Financial Services organizations need to carefully assess their operational resilience risks, which can occur by solely relying on a cloud vendor’s own native data governance tooling that comes with the service. Doing so may lead to vendor lock-in. In such a scenario, the financial services organization runs the risk of being unable to prove to a regulator that they have exit plans in place for their (IBSes), if severe but plausible events occur as a result of cloud concentration risk and service failure.
By using a multi-cloud and hybrid cloud approach, organizations can help prove to the regulators that they have a sound operational resilience framework. In addition, using a cloud-native, intelligent data management platform that can manage all data across all cloud ecosystems (including Microsoft Azure, Amazon Web Services and Google Cloud), can help organizations implement operational resilience controls for their data risks.
At Informatica, we are in the process of helping our new and existing customers adopt a multi-cloud and hybrid cloud approach to help strengthen their operational resilience posture. In support of that, we have just introduced a new UK point of delivery (POD) for our Intelligent Data Management Cloud (IDMC), adding to the IDMC PODs already available in many other regions of the world.
If you are a financial services organization that is keen to implement a robust operational resilience framework, please contact us (email@example.com).