Reducing your risk in the cloud


In late 2014 and early 2015, the Australian Prudential Regulatory Authority (APRA) observed that many of the regulated entities that previously outsourced parts of their ICT capability were increasingly adopting a cloud strategy.

The organisation released an information paper, Outsourcing Involving Shared Computing Services (including Cloud), intended as guidance for the banking and financial sectors. In response, I published an article, Managing the Risks of Operating in the Cloud, analysing the key points of the paper and making recommendations for its practical application in the financial industry.

The financial regulator offers sound, actionable advice for any organisation considering cloud services – or reviewing its existing cloud arrangements – in terms of understanding and managing the risk and compliance aspects associated with outsourcing ICT capabilities. However, the regulator also encountered many security and privacy risks and control weaknesses when looking at how these entities went about their cloud journey.

APRA rightfully saw that it needed to set some guidelines for Authorised Deposit-taking Institutions (ADIs) to turn to.

In April 2015 the Australian Privacy Act was amended in accordance with global standards for the handling of personal information, and the Privacy Commissioner launched new Australian Privacy Principles determining how Australian organisations must store, host and provide access to personal data. The paper I linked to above addressed a number of these principles, including data sovereignty and the concept that personally identifiable customer information must remain on-shore in Australia.

In the past year, the location of data storage has been a major focus and a number of global cloud providers now provide services enabling all data to be stored within Australian data centres. As a result, Australian government and commercial enterprises are able to be compliant with data sovereignty requirements, even when hosting data with global cloud providers.

Capability drives compliance

When analysing APRA’s guidance letter, what stands out to me is that its recommendations can all be met by applying sound management capabilities. Regulated entities, and indeed most organisations, have these in place already to be compliant with their relevant regulating bodies.

Therefore, rather than having to do more compliance work when wanting to adopt cloud solutions, it’s about utilising what is in place already and adapting those capabilities to deal specifically with the risks and unknowns associated with cloud. These include the management domains of risk, vendor management, business continuity, transformation, corporate governance, strategy and assurance.

And whether your organisation operates within the financial services sector or not, it should have these capabilities in place. Granted, the risk impact, the specific vendors and their services and your business strategy will differ across industries. However, the same principles of identify-assess-manage-review will still apply.

As such, most organisations will be able to meet the guidance provided by APRA in relation to managing the risks associated with outsourcing ICT capabilities with relatively minor additional compliance-related work.

The bottom line

APRA’s information paper provides practical and reasonable guidance on how best to manage the transition and use of cloud.

It builds on the principle of having adequate management disciplines to support an organisation’s overall risk and assurance capabilities. And these management disciplines apply across the board, not just to banks, insurers and other financial entities. It’s a good guide for other industries to adopt, whether they are ADIs or not.

Ultimately, it comes down to the standard of risk that your organisation is willing, and able, to accept.

Whatever your industry, you must determine your specific risk factors – then build appropriate policies and underlying rules when considering which services and data you push to the cloud, and with whom.

Catherine de Ruyter de Wildt leads DXC’s Governance, Risk & Compliance consulting practice in Australia and New Zealand, working with business leaders to develop and implement risk and compliance management frameworks and support the execution of strategic programs. Catherine has both a consulting and banking background, having worked for one of the global Big Four consulting organisations, as well as for one of Australia’s big four banks.
