APRA-regulated entities increasingly use OCCS (outsourced cloud computing services) to reduce margins and optimise the customer experience. Indeed, OCCS is now considered standard in many industries. To help APRA-regulated entities using OCCS, APRA has recently published an updated information paper titled ‘Outsourcing involving Cloud Computing Services’ outlining its requirements.
APRA’s prudential standards relevant to regulated entities include CPS 231 Outsourcing [CPS 231], SPS 231 Outsourcing [SPS 231] and HPS 231 Outsourcing [HPS 231]. While the information paper and prudential standards are specific to APRA-regulated entities, they set out a useful risk management matrix for all companies using OCCS. In this article, we summarise these requirements to give APRA-regulated entities an overview of APRA’s approach to risk management and its prudential guidance principles.
APRA categorises the risk of cloud computing services as low, heightened or extreme
The requirements depend on the risk arising from the nature of OCCS usage. These risks are classified into three categories: low, heightened and extreme.
A low risk usage of OCCS is ‘Arrangements which could, if disrupted (where disruption includes a compromise of confidentiality, integrity or availability of systems and/or data) present a low or negligible impact to business operations and the ability of the regulated entity to meet its obligations.’
A heightened risk usage is ‘Arrangements involving critical and/or sensitive IT assets that result in either an increased likelihood of a disruption or where a disruption would result in a significant impact to business operations and the ability of an APRA-regulated entity to meet its obligations.’
An extreme risk usage, in APRA’s view, is ‘…arrangements which could, if disrupted, result in an extreme impact. Extreme impacts can be financial and reputational, potentially threatening the ongoing ability of the APRA-regulated entity to meet its obligations.’
APRA’s risk management requirements
To manage the risks that arise from the use of OCCS, APRA requires considerations at each relevant stage.
Strategy
APRA expects companies to apply an appropriate amount of rigour to the planning of the target IT environment, and to the transition from the current state to the desired architecture and operating model.
This process would usually be accompanied by business and technology strategies, and an operating model.
Governance
Companies should create an ‘outsourcing governance framework’ that outlines decision-making and oversight responsibilities with respect to outsourcing, including the use of cloud computing services. The framework should set out the role of the board, senior management and any delegations resting with a specific governance body or individual.
The responsible persons must be informed of all material initiatives involving OCCS arrangements. Appropriately detailed information must be provided at significant stages.
For initiatives with heightened inherent risk, engagement with APRA should usually occur after the internal governance processes have been completed and the initiative has been fully risk-assessed and approved by the responsible persons.
For OCCS initiatives with extreme inherent risk, it would be appropriate to engage with APRA once a concrete proposal has been identified, and initial approval to proceed has been given by the responsible persons.
Solution selection process
The selection of the OCCS solution should be conducted in a systematic and considered manner.
The entity must ensure that the selected solution minimises risk wherever possible, and complies with the processes established by the company for changing the IT environment, including security, risk management, IT architecture, procurement and supplier management.
To minimise the risk inherent in OCCS, APRA suggests a preference for Australian-hosted options (if available) and a preference for providers offering a high degree of flexibility in how the solution is implemented.
APRA access and ability to act
Pursuant to the APRA outsourcing standards, companies are required to include an APRA-access clause in their outsourcing agreements.
This permits APRA to obtain access to documentation and information, and to conduct onsite visits of the service provider. APRA has observed impediments to its ability to gain such access; these are to be discouraged.
Risk assessments and security
APRA requires a company to undertake initial and periodic security and risk assessments of all material service provision arrangements. These assessments should typically also be conducted whenever a material change to existing arrangements occurs.
Comprehensive risk assessments should usually include consideration of factors such as:
- the nature of the service (including specific underlying arrangements)
- the provider and the location of the service
- the criticality and sensitivity of the IT assets involved
- the transition process, and
- the target operating model
Additionally, the risk assessments should be commensurate with:
- the risks involved
- the sensitivity and criticality of the IT assets involved
- the level of trust that will be placed on the cloud computing service environment, and
- the shared responsibilities between the service provider and company
Companies’ risk assessments should also include management of data quality, information security and the ongoing monitoring of control effectiveness.
Implementation of controls
Companies should delineate accountability and controls between the provider and the company as part of their risk management.
Ongoing oversight
To enable effective risk management, companies should implement mechanisms to regularly receive sufficient information and reports from their provider about matters such as changes or incidents.
This should include formal notification arrangements, which enable the company to respond in a timely fashion to issues and emerging risks.
Business disruption
If business disruptions occur, companies are nevertheless required to meet their obligations. To reduce the impact of disruptions, companies must also maintain recovery capability.
Consultation and notification requirements for APRA-regulated entities
Consultation
Prior to entering into a material outsourcing agreement involving offshoring, companies are required under the outsourcing standards to consult with APRA.
Additionally, APRA encourages companies to consult before entering into any agreement if the proposed use of OCCS involves heightened or extreme inherent risks.
This should help to ensure that the company is capable of managing the risk.
Notification
Under the outsourcing prudential standards, companies are required to notify APRA after entering into a material outsourcing agreement so that APRA remains apprised of changes to the regulated risk profile.
Such an agreement is defined as one which ‘has the potential, if disrupted, to have a significant impact on the regulated institution’s business operations or its ability to manage risks effectively’.
All companies should understand and manage risks associated with outsourcing cloud computing services
OCCS as part of the business operating model brings benefits but also brings associated risks. Managing these risks requires proper consideration, especially where those risks are heightened or extreme.
All companies can use APRA’s information paper to help with their OCCS risk management. APRA invites feedback on the information paper from APRA-regulated entities.