Financial service providers are increasingly relying on cloud services to drive their digital transformation and develop new business models. At the same time, they must fulfil regulatory as well as governance, risk and compliance (GRC) requirements, among which information security and data sovereignty play a particularly important role. The Digital Operational Resilience Act (DORA) adds to the pressure on financial institutions: it requires the outsourcing phases to be closely integrated with the risk management cycle and demands complete transparency across all IT contracts.
Financial institutions need to manage the balancing act between dynamic technical development, high regulatory requirements and ongoing IT transformations.
The study "Cloud Transformation & GRC - Harmonising business, IT and governance for cloud resilience" takes a comprehensive look at the hurdles involved in implementing GRC in conjunction with the cloud operating model. It also addresses the requirements for managing cloud governance and cloud security in the financial services sector as well as the specific requirements of DORA.
Cloud technologies in the financial world: these are the hurdles
75 per cent of the financial services managers surveyed want to migrate their IT infrastructure and applications to cloud technologies. The accompanying organisational and cultural changes require the outsourcing phases to be closely interlinked with risk management, and the focus is increasingly shifting to the resilience of the cloud landscape. A resilient cloud, however, requires specific governance measures that concentrate on security controls such as monitoring, encryption and access control. Half of the companies surveyed face challenges in harmonising GRC requirements with outsourcing to the cloud.
New technologies such as artificial intelligence and integrated GRC monitoring tools can help here. However, only 45 per cent of the companies surveyed use dedicated cloud monitoring and 43 per cent use IT governance dashboards. A comprehensive and integrated GRC management strategy is crucial to fulfil regulatory requirements and support business objectives at the same time.
Skills shortage: there is a lack of DORA expertise
The shortage of specialists and experts is also evident in the GRC environment. Specialists with the necessary knowledge of compliance and of DORA-specific focal points, for example information risk and security management, emergency management, ICT incident management and third-party risk management, are rare. At the same time, around one in two companies faces significantly more risks as a result of the cloud transformation, such as the disclosure of confidential information or the disruption of business continuity through cyber attacks.
When identifying structural challenges and knowledge gaps, it is advisable to review the governance and cloud strategy in order to set the right priorities. This is the only way to prepare the IT and cloud target operating model for DORA in the long term.
Navigation plan for companies in our study
In summary, modernising the technological landscape is only possible if governance models and processes are adapted to regulatory requirements. By applying a navigation plan, it is possible to identify complex organisational building blocks within the target operating model, prioritise processes to improve the status quo and overcome silos.
To the study
The study was conducted in cooperation and technical collaboration with the consulting and market research company Lünendonk and analyses how financial service providers want to overcome the challenges of cloud compliance and DORA. For the study, 100 GRC and IT managers from banks, investment companies and insurance companies were surveyed.