Cloud exit planning guidelines for financial services institutions
The financial services industry has evolved into a highly dynamic, technology-driven business, with many institutions looking at the public cloud as an answer for delivering new solutions. Adoption and use of the public cloud accelerated in 2020 as a result of the global pandemic, which in some cases created highly urgent needs for innovation and digital solutions in financial services.
Financial services regulators are also adapting and updating regulations and industry guidance at an increasing pace as the industry keeps transforming. This modernization of regulation is driving the industry further towards using public cloud technologies because of their superior overall capabilities when it comes to addressing challenges around security, compliance, privacy, operational resiliency, and data portability.
Regulators are also addressing the emergence of perceived systemic and institution-level concentration risk, because public cloud technologies are being provided by a relatively small set of hyperscale public cloud providers. To counter various risks, including perceived concentration risks, regulators are guiding financial institutions to develop comprehensive and detailed exit plans, in particular when deploying critical or important workloads to the public cloud.
Microsoft’s overall position on concentration risk has recently been published in a blog, 4 measures to counteract risk in financial services, and related whitepaper, Concentration risk: Perspectives from Microsoft.
Microsoft’s exit planning guidance is aligned with industry best practices and came into existence after lengthy conversations, over the years, with global financial regulators, stakeholders within financial services institutions, and industry representatives such as the European Banking Federation (EBF).
Exit plans are an effective risk mitigation mechanism for extreme cloud service provider (CSP) failures (not only technical failures but also failures for strategic or commercial reasons) and for other situations where the organization is unable or unwilling to continue using its existing CSP. The plan helps to prepare for business continuity by identifying, and in some cases also testing, exit scenarios. Microsoft has kept in step to ensure our financial services customers can meet such necessary requirements and has provided the tools and resources for our customers to develop business continuity and exit plans accordingly.
Developing an exit plan and migration strategies is not an easy task, and both are best developed early, at the time of deployment. It is not uncommon for financial institutions to deploy multiple business solutions using a single CSP such as Microsoft. In other cases, customers deploy hybrid or multi-cloud solutions to better address the aforementioned risks. For those interested in such solutions, Microsoft recently published a blog post on hybrid and multicloud strategies for financial services organizations.
Regardless of the choice of deployment model, exit plans that provide a 100 percent complete and fully tested failsafe are extremely hard (and expensive) to accomplish, making a pragmatic, risk-based approach that focuses on the most important business functions more appropriate. Fortunately, regulations allow this.
This need for exit planning is now present in several financial regulations. The 2019 final guidelines on outsourcing arrangements of the European Banking Authority (EBA) initially raised the bar by introducing some very specific requirements for financial institutions that, among others, explicitly address the need to develop a documented exit strategy, in line with outsourcing policies and business continuity measures, when outsourcing ‘critical or important functions’ to a CSP. Similar guidance can be found in the consultation paper on outsourcing and third-party risk management issued by the Bank of England and the consultation paper on draft guidelines on outsourcing to cloud service providers by the European Securities and Markets Authority (ESMA). All recommend a risk-based approach.
Starting in 2018, we published exit planning guidance using a seven-step exit planning lifecycle around a real-life example of a financial institution migrating to Microsoft 365. In 2019, we updated our guidance to include exit planning for Microsoft Azure, and today, we are proud to also include Microsoft Dynamics 365 in this latest 2020 update.
In the Exit planning for Microsoft Cloud Services white paper, we also address three myths as well as three truths around exit planning, as there are still several misconceptions about what an exit plan will and will not provide. We hope to accelerate the debate around the topic by sharing our insights on these, and we encourage everyone to read about them in more detail in the white paper.
Additional Microsoft resources
To learn more, download our whitepaper, Exit planning for Microsoft Cloud Services, and read our blog about hybrid and multi-cloud strategies for financial services organizations. To access additional resources and learn how banks are transforming digitally using technologies from Microsoft and solutions from our partners, visit our banking, capital markets, and insurance home pages.