How OpRes Identifies and Mitigates Cloud Concentration Risk

Drafted by Ben Saunders

Roughly a 4-minute read

As any experienced investor knows, diversifying across multiple investments and asset classes is one of the primary tools for reducing risk. If one of your investments unexpectedly crashes in value, the other investments are untouched and the overall impact on your portfolio is lessened. 

The same can be said for enterprise technology bets. Focussing on one single partner or vendor could pay off, or it could burn you, if that partner falls behind in their market, goes bankrupt, or increases their prices aggressively. Again, diversifying with your technology vendors is often prudent risk reduction, albeit with some caveats.  

In financial services, both of these are referred to as “concentration risk”, and it is something that leadership looks to minimise. Avoiding concentration risk helps banks to avoid compounded incidents, financial loss, and reputational damage which could ultimately result in regulatory penalties as a result of things going wrong that are outside of their direct control.  

Reducing concentration risk from a technology perspective isn't, however, always straightforward.

Many financial services organisations are very large and complex, so even understanding which technology is in place can be a large cataloging task. After a discovery exercise, you’ll often find that the technology is already too tightly embedded or too expensive to migrate away from, or maybe there isn’t a viable alternative to it in the market. Diversifying across too many providers simply to avoid concentration risk is also not always a practical answer for reasons including demand for skills, resource requirements, commercial implications and licensing agreements.

Concentration risk is therefore a fact of life which companies need to be aware of, manage appropriately, and mitigate when too much is assumed.  

This said, Cloud Service Providers (CSPs) such as AWS, Google and Microsoft are nowadays under particular focus as a source of concentration risk for financial services institutions. We think this is for good reason:

Firstly, Infrastructure as a Service (IaaS) such as servers and databases commonly procured from CSPs are obviously fundamental to system operations. If this infrastructure fails catastrophically, it is highly likely that the application that it hosts will be seriously impacted. 

To make this worse, an outage at a CSP could impact multiple systems within the organisation. These systems could be integrated in various ways, leading to a cascading failure and a very slow and complex recovery that impacts customers in multiple business service lines.  

This is also a systemic concern to regulators who are looking from the perspective of overall financial services resilience.  If one particular CSP experiences a total outage, the impact could spread across multiple banks and potentially impact the entire UK or even worldwide financial system.  This is not as far-fetched as it sounds with so much technology being run on top of so few suppliers, as good as they are.  

Indeed, concentration risk is not a new concept. For many years, the retail banking sector has largely been powered by a core set of mainframe suppliers, providing the same hardware, software, professional services and support offerings to their customers across the world. That said, it is important to highlight what industry regulators are saying about concentration risk in their most recent guidance papers.

The Operational Resilience agenda is driven partly in response to concentration risk on public cloud providers. A consultation paper published by the Bank of England in December 2019 noted that “Cloud outsourcing has become a particular area of focus as the Cloud provides the underlying infrastructure supporting many technology solutions used by firms”. Indeed, the EBA noted in their guidelines for outsourcing arrangements that “The need to monitor and manage concentration risk is particularly relevant for certain forms of IT outsourcing, including cloud outsourcing, which is dominated by a small number of highly dominant service providers.”

A key feature of OpRes is surfacing cloud concentration risk and mapping it against individual business services. If an individual organisation, business service, or user journey is overly concentrated on one particular cloud or SaaS provider, we will surface this information transparently for decision-makers, who can choose to consciously accept or mitigate the risk. We also aim to delve deeper, looking at how well architected the applications are in line with each CSP's respective frameworks and best practices. Our platform will also plug into the service status pages of each CSP so that we can get real-time alerts when specific services, regions, or availability zones are facing service disruption.
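As an added illustration (this is not OpRes code), the Python below runs the two checks described above over a small constructed inventory: the share each provider holds of a business service's systems, and the blast radius of a single provider failing, following dependencies between systems so that the cascading impact mentioned earlier is counted rather than only direct hosting. System names, providers and the 50% threshold are assumptions.

```python
from collections import defaultdict

# Constructed inventory (assumed, not real OpRes data): each system belongs to
# one business service, runs on one provider and may depend on other systems.
SYSTEMS = {
    "card-auth":     {"service": "payments",  "provider": "aws",    "depends_on": ["ledger"]},
    "fraud-scoring": {"service": "payments",  "provider": "aws",    "depends_on": []},
    "ledger":        {"service": "core-bank", "provider": "onprem", "depends_on": ["customer-db"]},
    "customer-db":   {"service": "core-bank", "provider": "azure",  "depends_on": []},
    "web-banking":   {"service": "digital",   "provider": "aws",    "depends_on": ["card-auth", "ledger"]},
    "mobile-api":    {"service": "digital",   "provider": "gcp",    "depends_on": ["ledger"]},
}

def provider_share(service):
    """Fraction of a business service's systems hosted by each provider."""
    counts = defaultdict(int)
    for s in SYSTEMS.values():
        if s["service"] == service:
            counts[s["provider"]] += 1
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}

def hhi(service):
    """Herfindahl-Hirschman index of provider shares: 1.0 means one provider."""
    return sum(share ** 2 for share in provider_share(service).values())

def blast_radius(provider):
    """Systems lost if `provider` fails outright, plus every system that fails
    only because something it depends on is down (cascading impact)."""
    down = {name for name, s in SYSTEMS.items() if s["provider"] == provider}
    changed = True
    while changed:  # propagate until no new system is pulled down
        changed = False
        for name, s in SYSTEMS.items():
            if name not in down and any(d in down for d in s["depends_on"]):
                down.add(name)
                changed = True
    return down

def services_hit(provider):
    """Business services impacted, directly or via cascade, by a provider outage."""
    return sorted({SYSTEMS[n]["service"] for n in blast_radius(provider)})

def flag_concentrated(threshold=0.5):
    """Business services where a single provider hosts more than `threshold`."""
    flagged = {}
    for svc in {s["service"] for s in SYSTEMS.values()}:
        shares = provider_share(svc)
        top = max(shares, key=shares.get)
        if shares[top] > threshold:
            flagged[svc] = top
    return flagged
```

Note that in this inventory "azure" hosts a single system, yet `services_hit("azure")` reaches all three business services through the ledger dependency, which is exactly the cross-service cascade a per-service share alone would not reveal.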

As more core systems move to the cloud, and as operational resilience grows in importance, we believe OpRes can become a critical tool in improving a firm's resilience posture. If your business is looking at adopting cloud technology without impacting your Operational Resilience, then please get in touch for an informal discussion via email (hq@opres.uk), Twitter or LinkedIn.

Thanks for reading as ever, 

Ben W
