New banking… new thinking

They say money talks. Well, in the world of banking, that is often true. But now, new entrant and challenger banks can breathe a sigh of relief.

Know your customer. It’s the oldest adage in the world but still the most valuable. But understanding the needs, wants, expectations and behaviours of today’s highly demanding and digital customers is tricky for all organisations – and most especially banks.

Banking has transformed (and then some!) in the last 10 years. In the past, banks designed services and customers took what was available. Inertia ruled – and customers largely stayed loyal. Now all that’s changed. New, exciting, personalised banking services are constantly emerging – and the bank that truly understands what different types of customers want and need now and in the future gets ahead and stays ahead. Standing still is not an option! The message is clear: if banks don’t provide the services, security, flexibility and innovation that their customers want and need, those customers will vote ‘with their feet’ and move to another bank that does. Simples!

But understanding complex customer behaviours, financial requirements and market developments requires highly sophisticated and often complex analysis. There are some great analytics solutions on the market, but until recently these were incredibly expensive and beyond the reach of all but established banks or ‘well-heeled’ new entrants. This put new banks at a disadvantage and hampered them from designing new, responsive, highly personalised solutions. But now that’s changed.

From today, advanced, highly sophisticated analytic capabilities will be within the reach of ALL banks.

How? Sopra Steria, a European pioneer in digital transformation, has just announced that it has become a SAS Managed Analytics Services Provider (MASP). This will enable us to offer cutting-edge, high-end analytic solutions at a cost-effective price point for new entrant banks.

We will include ‘Gold level’ SAS cloud-based analytics solutions as part of our Modular Digital Banking (MDB) solution. This innovative end-to-end, fully functional digital banking solution delivers a ‘step change’ in banking service analytics capability, enabling new entrants to increase their agility and responsiveness. Key features include:

  • A real-time decision engine with integrated marketing automation and advanced analytics
  • Advanced visual analytics capability to create descriptive and predictive models
  • An enterprise-grade development environment to ensure organisations can meet regulatory compliance requirements both now and in the future
  • Data modelling as well as data integration, quality and management capabilities

Interested? Take a look at the Sopra Steria and SAS strategic partnership and find out more about affordable, advanced and innovative analytics that can help you make better decisions faster.

What are your thoughts? Leave a reply below, or contact me by email.

Single View of a Customer: are financial institutions still seeing double?

So is Single View of a Customer (SVoC) or Single Customer View (SCV) new?

Single view seems to have made its debut as part of the Deposit Guarantee Schemes Directive (DGSD) (December 2010) to ensure that compensation can be paid out quickly in the event of a bank default. But Single View of a Customer must surely have been in existence prior to 2010, or before the new entrant and challenger banks started to emerge…

Challenger banks and new entrants are fighting for those last remaining USPs that will galvanise customers into switching from their current provider at a faster rate than the 802,036 customers who switched during the first nine months of 2016 (source: BACS CASS dashboard 20 October 2016).

But these USPs need to be underpinned by systems, solutions and the latest FinTech, often from multiple providers, to deliver both a dream service to customers and the rewards the new entrants and their investors are looking for.

The shopping list of components grows and once the new entrant has a full basket and has gone through the checkout, they need to complete the task of plumbing all of these components together to create that seamless customer journey to (and beyond) customer satisfaction.

These shopping list items have often originated from multiple providers, from those on robust platforms with many years of implementation experience, through to the latest and greatest on the most leading (and sometimes bleeding) edge technology.

Will they talk to each other? Do they want to talk to each other and can we expect them to work together? “Who’s the Daddy…?” becomes the issue: which one single component will step up to the plate to orchestrate the other components, what to do and when to do it, all whilst delivering 24×7 availability?

It all boils down to how that Single View of a Customer is delivered: if each component operates in its own little world and creates a customer profile and footprint that is stored in that little world, then how is this information shared, analysed and used to provide an enhanced customer experience? In such a scenario, there seems little chance of creating the bigger picture and instead we continue with lots of small, single dimensional views of the customer.

Both the Customer Relationship Management system (CRM) and the Core Banking host have big parts to play in solving this dilemma, but that still leaves us with two primary candidates vying for the key role of providing the Single View of the Customer. The Core Banking host clearly has its role to play in storing financial information and in maintaining the lifecycle of the account. Likewise, the CRM looks after customer interaction – but it is also looking after prospects before they mature into customers, an area which may not be covered by the Core Banking host.

Let’s use the scenario of customer complaints to help us understand the answer. The complaint may be about an interaction that has taken place, what was said or perhaps what was not said to the customer. The catalyst for what turns into a complaint may have been an interaction which can be traced back through the CRM. However, the counter-argument from the Core Banking host side might be that the complaint could be down to an issue with the lifecycle of the product, a payment problem, a fee charged or the amount of interest paid. This analysis from the FCA shows that complaints can arise from a number of areas within a bank:

[Pie chart – sources of complaints: 60% advising, selling, arranging; 26% general admin/customer service; 11% T&Cs; 1% arrears related; 2% other]

(Source: Financial Conduct Authority – March 2016)

So who has the edge over the other components on the single view at this stage? It has to be the CRM, doesn’t it? After all, it manages the interactions and holds the non-financial view. However, we have to guide the CRM, as it is not a single ‘fix-all’ on its own: we need to consider the number of external service providers, how they are working together and whether they are using standard communication platforms and methods not only to output information but also to receive fresh inbound data. This leads to a parent-child relationship, where the CRM (and that’s a unified CRM platform) is the parent and all of the other service provider components need to abide by the standards and toe the line.

The CRM needs to be fed information that is accurate and consistent in real time (or as near as it gets). It needs to know when customer interactions take place, what the nature of the enquiry was and who is handling it. If further interactions arrive, it needs to know who is available to manage them, as there is little point in routing to already busy agents or distributing multiple interactions for the same customer to different agents. A customer interaction routed to a customer advisor they have previously spoken to, or one that has dealt with their case in the past, should increase the level of customer satisfaction by at least a couple of points.

So, by first accepting that customer delight and attraction may require some complexity within the solution design, an SVoC solution should:

  • start from the CRM host and build out
  • maintain clear flows of data where the latest data set resides in the CRM
  • use common communication methods
  • rationalise the number of external service providers to maintain a single focused view

But the main message here is – don’t underestimate the potential complexity and critical importance of creating your information and single customer view strategy at the start of your journey, especially where there are multiple service providers involved. Putting off your SVoC strategy until later can leave you with a siloed, inefficient and costly environment to manage.

What do you think? Leave a reply below or contact me by email.

Always-on, always prepared: the cyber security questions Financial Services organisations need to ask

Financial institutions continue to grapple with the ever-increasing complexities of cyber security. As online services across all channels grow, so does the security risk. The underlying questions are: how do organisations modernise the legacy platforms that were not designed for the open, connected world of today’s demanding consumer base, and provide the services and interfaces in a secure manner?

The continual growth and competitiveness in digital services continues to disrupt the market. Whether they like it or not, financial firms and their customers will always be seen as targets and those that take this lightly, or avoid the gravitational pull of online services due to security concerns, will be left behind.

That being said, many organisations are trying to put the right protection in place. The key responses to any security incident are monitoring, reacting and remediating. We have seen from recent breaches that the way that a financial institution reacts and addresses its customers that have been affected can make all the difference. Admitting that a security breach has happened is never easy but your customers are more likely to stay loyal to your brand if you openly discuss the security breach, what information or even money was taken and the remedial activities that you are promptly taking.

Open Banking is getting closer – are you ready?

This August, the Competition and Markets Authority published the final report on its retail banking market investigation. By requiring banks to implement Open Banking by 2018, it has reinforced the UK’s transition to a transformed banking landscape based upon a foundation of Open Banking. While certainly a positive step, Open Banking raises more questions around security. Financial institutions need to look at the security around their APIs, covering both internal and external protection layers – what data is exposed through the APIs, and who may be calling the API? In moving to this new world, what competencies in the organisation exist to create and test these new services? The IT organisation that was designed around creation of services for a customer must now address service management and governance of an estate that exists in a digital always-on connected ecosystem of consumer and business relationships.

Data and information are new focal points for the industry, and this is being highlighted by the new General Data Protection Regulation (GDPR) which will be introduced in 2018. The days have gone where we have one, two or three front doors. We now have multiple connections in and out of networks with services being hosted in cloud, hybrid and SaaS services.

Do you know where your information assets sit – especially your most critical and vital assets?

General Data Protection Regulation – honesty and openness

Looking to 2017 and 2018, notification of breaches will look quite different for a large number of financial institutions. Unlike the Data Protection Act, which was silent on the issue of data breach, GDPR contains a definition of “personal data breach”, and notification requirements to both the supervisory authority and affected data subjects.

This notification to the authority must “at least”:

  1. Describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected;
  2. Provide the data protection officer’s contact information;
  3. Describe the likely consequences of the personal data breach;
  4. Describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

The last sentence will undoubtedly give some pause for consideration and needs to be thought through. Whilst being open and honest with customers following a breach is essential, how much information is satisfactory to release, and under what circumstances should some information be held until the precise nature of method and impact is understood?

We find ourselves in an information conundrum. We know that openness and honesty following a breach are important, but full clarity on a situation is not always instantly available. Security breaches can take place and it can take time before a complete story is put together – but the longer it takes, the greater the concern from customers that a security breach is not being effectively managed. That is why it is essential to prepare in advance and have processes in place in the event of a breach. Testing these plans and creating playbooks for certain scenarios is something a lot of organisations are doing.

Criminals work at Christmas

Financial organisations have had to adjust to the requirements of their customers who want services online 24/7. We have seen high street financial institutions opening at weekends, evenings and even Sundays. The world of internet banking allows customers to access financial systems all day, every day.

On the other side of the coin, cyber criminals don’t mind working weekends, holidays or Christmas Day. An organisation’s incident plan needs to be able to react to whatever, whenever, and in a way that is adequate to develop one or a number of alternative approaches. The Security Operations Centre (SOC) needs to be sufficiently resourced with access to on-call technical expertise, and they in turn need to have access to evidence and activities.

Most people feel confident that their SOC is 24/7 – but it goes further than this. Imagine that you have had a breach on Christmas Day. Can you pull together a legal representative, someone who can talk to the press, the CEO and other important members of staff within your organisation?

We all have business continuity plans and disaster recovery plans, but it’s time we started thinking about security incident response plans that are truly organisation-wide.

If you’re interested in finding out more about our Cyber Security offerings you can visit our website, or email us at info.uk@soprasteria.com.

This blog was first published on Finextra.com, 11 November 2016

Digital at scale: how digital can transform business

If you spend time at pretty much any tech company, from startups to big corporates, you’re likely to hear the word ‘digital’ a bit too much. Some people are doing it, some are making their journey towards being more digital and others are still struggling to define what exactly it is, and in many ways it’s that final category that has the most honest answer to the question – what is digital? This is what experts from the technology and financial services industry discussed during a recent seminar at London Technology Week.

It’s easy to define digital as being about technologies – that digital is at its core the binary ‘0’s and ‘1’s, on and off, and all the brilliant devices and interfaces that have spawned out of it. While that’s not entirely wrong, it paints a picture that everything digital is very clean cut, with a definite right and wrong answer that follows any question – but the truth is very different. The technologies are far from constant, and everything from the technology chosen to the implementation will change not only for different demographics but from person to person, and will adapt to their current situation, desires, needs and moods. Technology, then, is transient, and to be truly digital you must be open to constant and relentless change, throwing away technology, processes and ways of working constantly, and ensuring that the new tool adopted is chosen intelligently, to be the best tool for the job and the most commercially viable solution.

This, however, all sounds like the territory of startup businesses. Businesses that are new to the scene, or with very flexible business models, are often far more adept at change as they do not have the long-standing commitments to clients, legacy platforms and some of the regulatory requirements of their big corporate counterparts. Some may suggest that these big corporates should simply throw away the legacy platforms, circumvent the regulation and transform their clients, and noble though that may be, it’s a fool’s errand. What these businesses really need is to find a way to take advantage of new technology, whatever that may be, and develop systems that allow them to adapt to change, which work alongside and complement their legacy ‘technological debt’ and support their regulatory requirements rather than dispose of them. This is digital at scale.

Put simply, digital at scale explores how businesses can leverage digital, be it technology, ways of working or any other idea that comes under the umbrella of digital to transform their business, supporting existing technologies, commitments and regulation where appropriate, and disposing of them where necessary.

Sopra Steria’s MiFID 2 project with the FCA is an example of where digital at scale has been implemented. For all the businesses that are wary of how technologies like cloud and open source could work in a highly regulated environment, there’s no better example than that of the regulator itself adopting these technologies. The MiFID 2 regulatory support service is built for the cloud, ingesting, processing and persisting files on AWS, with innovative open source platforms like Cassandra and Spark ensuring that all submissions are processed quickly and with an extremely high degree of accuracy, and with an architecture that supports changes should a specific client or geography require them, like private vs public cloud or separate technology components. What is particularly profound about this solution, though, is how it backs into and supports the legacy environment through a simple FTP gateway, ensuring that the wealth of historical data is utilised and, as is so important in an environment like this, remembered, with a system that can speak both the languages of the old and the new into the future, maintaining a stream of communication regardless of changes made on either end.

The MiFID 2 platform is only one example of these principles put to work, and though the distant future might see us living in a fully digital world we must be conscious today that whether we transition fast or slowly, we must do so safely too, and with a strong commercial focus to build not simply small digital players, but truly successful enterprises with digital at scale.

Find out more about our FCA Market Data Processing project and Sopra Steria’s #intelligentdigital campaign.

Challenger banks have challenges of their own

If you think that the UK’s High Street banks have had it tough over the last few years, spare a thought for the new kids on the block…

Sure, the big 4 have had to deal not only with the credit crunch, product mis-selling, systems failures and outages, increased regulation, the CMA, the FCA and new regulations such as MiFID II and soon – very soon – PSD2, where all banks will have to allow third parties access to their customer account information via open APIs. But they now also have to deal with nimble start-ups with appealing propositions who can cherry-pick the most attractive and most profitable customers and offer them a well thought-out product set with excellent – and targeted – customer service. Or even just a single product, one that has been honed and finely tuned to satisfy a specific market demand, be it the highest-paying savings account or a transactional account with all the bells and whistles but without the so-last-century chequebook. And what’s even worse for the High Street banks is that they have to try and compete with these start-ups – or upstarts – using a creaking legacy infrastructure which isn’t fit for purpose in the digital age.

So it’s really an unfair fight, isn’t it? It’s as if the High Street banks are playing with a marked deck, or with one arm tied behind their back, while the Challengers hold all the high cards and can pick off the incumbents at will, much like Monty Python’s King Arthur fighting the Black Knight. Or is it…?

While the incumbents have had to contend with IT systems which were developed in the 1970s, around the time of the widespread deployment of ATMs and when internet banking wasn’t even a twinkle in the eye of Tim Berners-Lee, the Challengers DREAM of having an IT infrastructure to fall back on, or a data centre, or even a Call Centre. Mostly, they have an idea and a target market to go after but they lack the systems and services wherewithal to realise their ambitions. They often have to rely on a systems provider who gets them part of the way to their goal, but who lacks the Business Intelligence and Analytics component or the Business Processes support capability needed to create a comprehensive systems solution.

This means that Challengers have to partner with a number of other providers to realise their goal of an integrated, seamless IT and services offering to support their customer and product ambitions, mostly with a set of components which are not quite as integrated as they would like and where information exchange and a single customer view is far from seamless. In short, they tend to end up with a “legacy infrastructure of the future”, instead of a flexible, upgradeable solution that moves with the times and has built-in future-proofing – which is really how all such systems should be designed and implemented today.

So, the Challenger Banks might be nimble in terms of product development and responsive in terms of customer service but, in reality, their supporting IT solutions can sometimes be as much of a patchwork as an incumbent’s legacy infrastructure, although carefully concealed behind the veneer of a digital front end and a slick mobile app. Not so much a state-of-the-art solution, more of a dead parrot. That’s quite a challenge…

What are your views? Do you think the Challengers have it easy? Are they about to eat the incumbents’ lunch? Or are they faced with exactly the same infrastructure problems and integration issues as their bigger and older competitors? Please leave your comments below or contact me by email.

My blog was originally posted in Finextra on Wednesday 29 June to coincide with the press announcement of Sopra Steria as digital partner of choice for the new UK challenger bank “The Services Family”.

There’s no time like the present: how the FS industry can prepare for MiFID II

I faced a difficult decision last Bank Holiday Monday: file away a pile of personal documents I had been ignoring for many months, or spend the day out with friends. The filing looked like it would take a long time, and be complicated to untangle – but it would benefit me in the long run. On the other hand, the opportunity to wind down and see old friends is precious. I’m sure many people faced similar decisions that weekend – the choice between doing the things they wanted to do, and the things they had to do.

MiFID II delay

How is this relevant to the Markets in Financial Instruments Directive, known as MiFID II? Many financial firms will be breathing a sigh of relief. On 28 April, European Union countries collectively supported a proposal for a one-year delay to the legislation. Whilst a delay has been on the cards for a while now, this is one step closer to formally delaying the legislation to 3 January 2018, rather than 2017, giving firms another year to postpone – or start making arrangements.

Under MiFID II, trading venues and investment firms operating in the EU will be required to submit a wide range of reference and transactional data on an even greater range of financial instruments to their regulatory bodies. All current and some new regulated firms and venues will need to forward information on trading that takes place within their company – equities, bonds and derivatives – and send transaction reports, commodity position reports, transparency reports, double volume cap reports and reference data, to their country’s regulator.

The full conditions that firms will have to comply with are yet to be finalised by ESMA. Many organisations may be tempted to wait until they have 100 per cent clarity on the requirements given the complexity of the Directive – and to leave that pile of filing to another day. The issue, however, is that there is still significant risk. If you are not compliant by the due date, you run the risk of fines, the inability to trade, and severe reputational damage. Given the delay to the implementation date, the Regulator is likely to be less tolerant of any non-compliance. There is a natural business tension between what you want to do, and what you have to do due to regulation.

Fail to plan, plan to fail

The answer is simple: fail to plan, plan to fail. My company, Sopra Steria, has provided solutions for financial services regulation for over 10 years – we’ve been involved with solutions for a wide range of regulatory compliance programmes (including IFRS9, BCBS239, Basel II and AIFMD), for both the UK regulator, the Financial Conduct Authority (FCA), and for regulated firms.

Our experience shows that preparation and partnering with the experts are essential. Both options are available right now, which is why the FCA has chosen us to deliver a new solution that will support them with MiFID II, and therefore ensure investment firms’ trading reporting activity remains compliant. The FCA will be receiving millions of transaction reports a day from January 2018. Our solution, the Regulatory Support Service (RSS), is capable of receiving and storing billions of transaction reports. Its reporting warehouse facility will interrogate large amounts of data with the purpose of giving the FCA greater transparency, and therefore a larger breadth and scope of information on reported transactions, helping to ensure markets operate smoothly and reducing the risk of abuse.

Technology has come a long way over the past decade. The RSS platform is scalable and able to operate completely independently from existing architectures, hosted on Amazon Web Services Cloud. From the outset we designed a shared platform model that will enable other organisations to be part of a system that sits right at the heart of MiFID II developments, as we continue to work closely with the FCA. The opportunities for reducing the cost of regulation are substantial: the high-speed data ingestion and processing capability can be adapted and scaled for other European regulators, and for regulated firms.

We see MiFID II as an opportunity for the FS industry – it is a catalyst for modernisation, rather than simply creating the next generation of legacy technology.

Time to take action

January 2018 may seem a while away, but in reality firms need to be compliant and ready by this date, leaving little time to prepare – and there is no time like the present when it comes to planning. It doesn’t need to be difficult, or put in the corner and ignored for months to come. The technology and services to help you prepare are available now, so it’s time to make a start to becoming compliant.

What are your views on this? Leave a reply below, or contact me by email.

How to avert a storm in your cloud

The closer IT expenditure is to the front line of genuine business need, the better the return on investment should be. So the positives arising from the growth in shadow IT – spend on digital applications and services by business teams rather than the IT function – are huge. Estimates suggest that shadow IT expenditure now accounts for over 30% of total spend and 55% of digital spend. And a key driver of this growth is the increasing prevalence of cloud solutions which can be deployed by a business team with minimal support from IT.

But the full scale of benefits will only be realised if the risks created by business owners’ unfamiliarity with technology solution governance, and the inefficiencies generated by distributed decision-making, are identified and managed. The traditional IT-led approach to solution governance, based on large ERP or CRM implementations, will not work for shadow IT solutions – it is over-engineered for the rapid evolution demanded by business teams. A new model is required – one that is business-led and balances the need of business functions for speed and flexibility with the assurance that IT teams can provide.

So what risks does business ownership of IT solutions create? Operational risk increases in direct proportion to any gap between the knowledge managers need for effective supervision and the knowledge they actually have. The increasing digital divide between senior managers and their younger, junior, tech-savvy colleagues is one such example. And as cloud offerings enable solutions to be deployed by functional teams without IT oversight, the need for digital understanding among senior managers is increasing. Research by Harvard Business Review Analytic Services concluded: “Digital acumen is essential for business leaders in today’s hyper-competitive, technology enabled world. But most companies lack the knowledge and skills needed to succeed in the digital aspects of their business.”

With high-risk activities – such as proprietary trading in investment banks – these knowledge gaps can be catastrophic. But most cloud solution deployments will not come into this category. A more relevant analogy can be found in the recent history of data and reporting solutions. These are often owned and deployed by business functions – marketing, finance, risk, compliance, operations and HR – in which case multiple reporting solutions are typically being licensed when one would do, generating inefficiency and excess maintenance costs.

Alternatively, the deployment may be centrally owned (by IT) with space in the enterprise data warehouse made available to different functions to do with as they wish. This typically results in multiple ungoverned cottage industries with no documentation of which marts are being used for what purpose and what would happen if they were removed (and probably multiple versions of the truth as well).

This is the type of trap that business-owned, cloud-based applications will fall into if there is a lack of management understanding of how such solutions should be governed. Governance has always created tension between business functions and IT teams, with the former seeing the controls IT teams introduce as over-engineered and a brake on rapid progression. In the absence of IT involvement, the risk – as we have seen with reporting and analytics solutions – is that such disciplines are ignored.

Obviously a balance is required. With digital implementations, there need to be good enough levels of governance. Our experience with delivering data management and reporting solutions over the past fifteen years has given us relevant insights into what this looks like. As one client put it, ‘you provide enough governance to keep IT happy and not so much as to delay delivery’.

So with that in mind, herewith our primer for business leaders on good enough governance.

  1. Ownership

Every cloud solution should have an owner who maintains a business case for the solution’s continued use as part of their accountability to whoever the budget holder is.  Unlike traditional implementations where most of the investment is sunk up front, the rental model for cloud solutions requires a living business case with quantifiable improvements in KPIs the solution is delivering tracked against ongoing and forecast costs (including potential spikes).  Such an approach facilitates the solution being swapped out should a new one that will generate greater value become available.

  2. Monitoring

The business case requires the determination or inference of linkages between the operational metrics that the solution can affect and the strategic goals and financial objectives of the organisation.  These metrics and the hypothesised linkages need to be measured so that both the operational efficacy of the solution and its strategic relevance can be tracked.  Hence the second component is a dashboard to support the living business case.  The dashboard also needs to track compliance-related metrics and the progress of change requests.

  3. Responsibilities

Effective governance requires a sequence in solution deployment of requirement documentation, solution design, delivery, test, release and support, with the same process applying to subsequent change requests.  In the traditional model, these activities are performed by different teams.  Cloud solutions typically follow a DevOps model in which the same activities are carried out in rapid sequence by a single business team.  Either way, all stages need to be completed, so both the process for how changes will be managed and who will be responsible for each stage need to be defined.

  4. Oversight

The governance committee needs both business and IT representation, the IT teams’ experience of solution design and demand management being particularly important to success.  The committee needs to meet on a regular schedule (monthly or quarterly) and focus on organisation (e.g. responsibilities), security and the commercial model (to avoid the risk of unbudgeted spikes in costs).

  5. Documentation

There are two facets to the knowledge that needs to be captured in documentation – explicit and tacit.  The former includes the business requirements the solution is meeting, process maps for the processes that the solution enables, and the underlying policies and procedures.  It should provide all the information required for someone new to operate the solution from scratch under normal conditions.  Tacit knowledge covers what to do in abnormal conditions, when problems arise and the process isn’t running smoothly – e.g. who to contact if an important feed is not available, fixes for when the solution doesn’t run as it should, answers to common questions about the outputs generated.  Tacit knowledge is typically captured as FAQs and answers.  The basic principle should be that a solution SME can’t progress to a new role unless all the necessary knowledge that their replacement will need has been codified and documented.

  6. Integration

Cloud solutions don’t stand in isolation.  Typically they require data inputs of some form and generate data outputs.  Where does this data come from, how is static data in the solution maintained, and what happens to the outputs?  All integration points need to be included in the documentation.

  7. Compliance

Cloud solutions need to comply with the organisation’s security policies for access control and data protection.  Equally, those policies need to evolve to reflect the cloud-based world: relying on firewalls to lock data in a chamber with one door in and one door out is no longer feasible.  Cloud enables and encourages collaborative working practices and system-to-system inter-connectivity (data is moving all over the place), and security policies need to reflect this reality while still effectively mitigating risk.  The more integrated a cloud solution is, the greater the risk that it becomes a gateway into other parts of the IT estate, so who has access, and at what level, must be tightly controlled for both users and the solution’s integrations.  Any data that resides in the solution also needs to be secured (e.g. via encryption or tokenisation), and where that data is hosted needs to comply with data protection legislation and organisational policy.

The rise of cloud requires IT teams to operate differently from how they have historically: control is no longer an option; collaboration will become the norm.  In turn, business owners of cloud solutions need to make the IT function their friend.  That will require compromises on both sides: less governance than IT is used to applying, more than business solution owners would like.  We believe that addressing the seven factors above will provide the ‘good-enough’ governance required to mitigate operational risk without inhibiting agility or slowing progress.


With thanks to my colleagues Manoj Bhatt, Mark Howard, Andrea Pesoli and Venkatesh Ramawamy for their contributions to this piece.