6 steps to improve operational resilience in financial services with the Microsoft Cloud
As technology drives unprecedented transformation in financial services, operational resilience has become an increasing area of focus for financial institutions, regulators, and technology providers alike. Institutions are using third-party service providers to handle a broad range of services, including critical operations. This delivers tremendous benefits in innovation, flexibility, and efficiency, to name just a few. However, unless the use of such services can be properly managed, potential risks to institutions—as well as systemic risks to the ecosystem—can become areas of concern.
This is why, in just the past few months, the industry has seen a wave of new proposals and regulations in the financial services sector, which collectively aim to improve operational resilience and mitigate risk so that institutions can modernize with confidence. In June 2023, the Financial Stability Board (FSB)—an international organization that monitors and makes recommendations about the global financial system—issued a consultative document titled Enhancing Third-Party Risk Management and Oversight that provides a toolkit to reduce fragmentation, mitigate compliance costs, and facilitate coordination among stakeholders. Other developments include new legislation concerning designation and oversight of critical third-party providers in Europe;[1] a proposal for regulatory oversight of critical third-party providers in the United Kingdom;[2] and new guidance for third-party providers in the United States[3] and Canada.[4]
Microsoft is dedicated to working across the industry, including with institutions, technology partners, and regulators, to ensure the responsible adoption of cloud services, AI, and other emerging technologies. We also offer a broad set of supporting resources for customers, including the Compliance Program for Microsoft Cloud, a premium “white glove” service created specifically to support risk and compliance professionals.
Enhancing operational resilience across the financial services ecosystem
Recent regulatory developments cut across continents and jurisdictions, and they have broad implications for how financial firms purchase, implement, and manage a wide range of services and technologies. Taken together, these proposals center on five pillars:
- Implement strong risk management controls and practices.
- Ensure sufficient transparency and monitoring of cloud services.
- Manage concentration risk.
- Develop and test business continuity plans.
- Implement exit strategies and plans.
The FSB’s toolkit is designed to “reduce fragmentation in regulatory and supervisory approaches across jurisdictions” and “promote interoperability of regulatory and supervisory approaches.” We think this is not only sensible but should be a primary consideration for regulators in the implementation of their regulatory regimes concerning third-party risk going forward.
A six-step model for financial services resilience
As cloud services become more prominent, the importance of maintaining and enhancing operational resilience is paramount to ensuring the safety and soundness of the financial ecosystem.
Below is the six-step process we advise firms to follow to address regulatory requirements in managing third-party risk and operational resilience.
1. Update cloud risk governance
Firms need to focus on “critical services” and take “a holistic, risk-based approach to third-party risk management.”[5] The European Union’s Digital Operational Resilience Act (DORA) consultative process also follows this approach in its draft Regulatory Technical Standard on ICT risk management.
To help firms in this regard, Microsoft provides a variety of service features to provide continuous oversight and monitoring of cloud services used—including Microsoft Azure Service Health, which provides a global view of the health of all Azure services across regions; Microsoft Defender for Cloud, which delivers a Secure Score that evaluates a firm’s security posture and configurations; and Microsoft Purview Compliance Manager, which assesses and manages compliance across multi-cloud environments.
2. Identify concentration
Firms should identify where critical services are being delivered by a single service provider in ways that might create such a high level of dependency that problems such as unavailability, failures, or other shortfalls could threaten the firm’s ability to deliver its own important functions. This should be done before contractual arrangements are entered into, and assessments should include whether a provider’s service can be substituted, and what the benefits and costs of alternative solutions might be.[6]
3. Assess alternatives
It may not always be appropriate or feasible to bring a critical service back in-house or set up a multi-vendor approach. Alternatives should be weighed against potential drawbacks, unintended consequences, and risks.[7] Note that in scenarios that depend on Microsoft as the third-party provider, the concentration of services can be addressed by using Azure regions and availability zones. Firms should document which alternatives are viable and fit within their organization’s risk tolerance.
4. Design for resilience
When outlining alternatives, it is important to recognize that it’s not always feasible or desirable to incorporate a broad range of potential solutions. A single cloud approach, when considering all factors, may end up offering a more resilient overall solution. Further, it may avoid the pitfalls of inherent and additional complexity when implementing multi-cloud environments.
5 and 6. Test business continuity plan and prepare exit plans
Some of the more extreme threat scenarios should be fully considered, including such challenges as the loss of a datacenter or the termination of an entire provider relationship. This is best achieved by focusing on business continuity management (BCM), testing, and exit planning.
Fostering interoperability with principles-based, tech-neutral regulation
As the marketplace itself is interconnected and global in scope, one of the challenges for firms and technology providers alike is how to address myriad regulatory requirements across jurisdictions. Applying a principles-based approach will enable regulators and the industry to adapt to innovative technologies in the future. Indeed, the FSB notes that “interoperability of regulatory and supervisory approaches in the financial services sector is particularly important for financial institutions subject to multiple national or regional regulatory and supervisory frameworks.”[8]
In a globally connected world, these overarching approaches not only can drive synergies but also enhance regulatory supervision and address risk coherently and effectively. We endorse the FSB’s recommendation that “financial sector-wide and multi-sectoral exercises can be a valuable way to explore and improve the financial services ecosystem’s collective ability to respond and recover from disruption.”[9] This can accelerate the convergence of strong global standards that will improve overall resilience while minimizing the need for overlapping regional regulations.
The future of regulatory supervision
Given the standardized nature of the cloud, we believe regulatory cooperation will benefit financial institutions, regulators, and cloud providers alike. We look forward to supporting this dialogue to facilitate common approaches and alignment on the regulatory side, and we welcome further ideas on how to achieve the goal of managing risk and supporting responsible innovation for the industry.
For more on how Microsoft is contributing to efforts to improve resilience, read our whitepaper, “Strengthening operational resilience in financial services” and visit our Service Trust Portal. As noted, for personalized help in assessing risks and meeting regulatory compliance requirements, we offer the Compliance Program for Microsoft Cloud, which includes connections with subject matter experts and in-depth resources. And stay tuned to this blog for more updates on risk, compliance, and cloud services in the coming months.
[1] The Digital Operational Resilience Act (DORA).
[4] Government of Canada, Third-Party Risk Management Guideline, April 2023.
[6] The Digital Operational Resilience Act (DORA), Articles 28, 29.