AWS for Industries
Is your Enterprise Risk Management Framework ready for the Cloud?
Chief Risk Officers (CROs) and the risk function both have an important role to play in the continued digital transformation of financial services institutions (FSIs), and the use of Cloud technology to enable it.
Cloud technology differs from traditional (on-premises) IT solutions, and the relationship between FSIs and cloud service provider is also different to a traditional outsourcing provider.
These differences change the nature of many risks that FSIs face, and how they manage them. However, if cloud technology is implemented in the right way, it can reduce risk and provide tools to help CROs to manage risk too.
The management of financial risk is enhanced through the utilization of modern data management tools, analytics, machine learning (ML), and high-performance compute services in the cloud. The same applies to non-financial risks (NFRs), including technology, third-party, and information security risk; alongside transaction processing and execution risk, fraud, conduct risk, financial crime, and regulatory compliance1.
In the following sections, AWS & Protiviti outline what CROs and their colleagues can do to make sure that:
- The cloud is adopted in a well governed and controlled way so that its risks are well understood and managed, and
- Cloud native services and tools can be used to drive greater efficiency, resilience, and more compliant processes in regulated organizations.
Managing the adoption and use of cloud services – the AWS view
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. AWS provides cloud services using a shared responsibility model. The customers’ responsibility is determined by the services that it deploys, and how they are configured and used by the business. The shared responsibility model changes the nature of technology-related non-financial risks.
Figure 1- AWS Shared Responsibility Model : As shown in this chart, the differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
An often-overlooked element of the Shared Responsibility Model is the need for customers need for assurance of the security and compliance of the assets that they deploy into the cloud; as a result, there is a need existing on-premises IT risk management frameworks to be extended into the cloud.
Most of these frameworks have yet to be adapted to account for the cloud and take into account the shared responsibility model and how it is implemented and managed in their organization. Emerging regulations such at the need to meet operational resilience requirements are also making the continuity of services and the proactive management of risks within cloud deployments a priority.
AWS enables risk and compliance teams to act faster using AWS services
The AWS suite is mapped to the 3 lines of defense model: manage risk, oversee risk, and assurance of risk management.
- AWS CloudTrail, AWS Config, AWS Control Tower and AWS License Manager help customers to implement operational controls for their cloud resources.
- Amazon CloudWatch and AWS Security Hub help customers to gain a comprehensive overview of operational health and security posture across their AWS accounts. CloudWatch provides data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.
- Amazon Security Hub is a single repository that aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services.
- With AWS Audit Manager, it is easy to assess if your company’s policies, procedures, and activities – also known as controls – are operating effectively.
- AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
The AWS Well-Architected Framework helps you understand the pros and cons of decisions you make while building systems on AWS. By using the Framework, you learn architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The Framework provides a way to consistently measure your architectures against best practices and identify areas for improvement. Well architected systems greatly increases your security, reliability, and the likelihood of business success.
There are also third-party software vendors that provide solutions to address requirements such as transaction surveillance, fraud identification, advanced ‘know your customer’ (KYC) and anti-money laundering (AML) solutions. These are available via the AWS Partner Network and AWS Marketplace.
With cloud we have the ability to control and monitor with a degree of precision not available on premises. Cloud based processes are also amenable to built-in controls and guardrails that automate numerous previously manual processes. This transparency, automation, and control makes risk management frameworks easier to implement. This capability supports the work of compliance and internal audit teams as part of the three-lines-of-defence model.
Closing the gap between risk and cloud services – the Protiviti view
Protiviti’s research highlights the tension between innovation and risk for executives working in FSIs. Cloud technology is designed for agility, and the ability to make rapid data-driven decisions, while managing risk. Cloud should therefore be at the forefront of any innovation agenda.
Achieving a balance between security, compliance, and service enablement can be challenging, and we see the following common challenges within enterprises:
- Shared responsibility: Customers need additional support to understand customer responsibilities for cloud services, and the differences between these services.
- Control mapping: Whilst AWS provides extensive services to secure and control cloud environments, it remains the customer’s responsibility to ensure coverage and completeness within their cloud environment.
- Skills and training: Training and upskilling is needed to help people understand how key services can be used.
- Connecting teams: Risk and compliance teams need help to evaluate cloud environments for compliance, and typically rely on external third-party support.
- Risk and controls: Although a range of industry standards exist for controls to be deployed into cloud environments, alignment with specific overarching enterprise drivers and compliance requirements is typically not conducted.
A critical element to close the gap between risk and cloud services is to ensure risk teams have visibility of how risk is being managed within the cloud. One way to achieve this is through the design and implementation of a cloud control framework, which translates risk tolerances into specific security and compliance controls within the AWS platform.
Figure 2- Cloud Control Framework
The cloud control framework provides organisations with the following benefits:
- Links to the risk appetite, regulation, and strategic imperatives of the business to cloud risks and services.
- Mapping of cloud risks to industry standard cloud controls (including additional regulatory controls for highly regulated entities), providing a connection between risk appetite to controls used to mitigate risks.
- Tailored mapping of industry standard cloud controls to a range of platform agnostic controls; alongside controls specific to service providers: there is an identity and access management service in AWS, for example.
- Controls can be rapidly deployed using templates and adapted to changing regulatory and compliance requirements.
A cloud control framework helps to trace the risk appetite of the business right through to the technical implementation of controls. This helps reporting for risk management, compliance, and regulatory requirements; improves transparency for audits conducted in the cloud; and helps bring other teams into the process by providing a consistent reference model.
Cloud technology offers the chance to transform FSIs with tools to help them manage the risks they face. But it should be approached with the strategic aims of the business in mind, alongside its appetite for risk, regulatory compliance, and operational resilience. CROs and their colleagues should therefore ask themselves: Is my risk management framework ready for the cloud?, And, if not, what needs to change to help support digital transformation and the benefits it can bring?