Risk & Regulatory Academy 2020 - Deloitte US

Risk & Regulatory Academy 2020


© 2020 Deloitte Central Europe

DAY 5

NON-FINANCIAL RISK


Agenda

Digitize Finance

Approaches and technological enablement in the CFO domain

Sustainable Finance

A practitioner’s perspective

AML and financial crime

New directives facing a new reality

Cloud

Services in the cloud

Dr. Sven Kleinknecht, Risk & Regulatory Senior Manager at Deloitte Germany

Odilon Audouin, Risk & Regulatory Leader at Deloitte France

Dr. Stefan Ebenfeld, Risk & Regulatory Director at Deloitte Germany

Thomas Wenzel, Risk & Regulatory Partner at Deloitte Germany

Georg Vetter, Risk & Regulatory Senior Manager at Deloitte Germany


Digitize Finance

Approaches and technological enablement in the CFO domain


“The biggest opportunity for big companies has come far in the digitization of internal processes.”


Jack Welch | GE


Need for finance digitalization

Digitalization of the entire finance function is mandatory and inevitable in order to create sustainable, rapidly adaptable structures that ensure the long-term competitiveness of the traditional banking industry.

[Diagram: Digitalization linked to the three drivers Growth, Costs and Compliance]

Costs

Digitalization creates a sustainable low cost basis for the operation of the finance function. Adjustments to processes and the organization can be made much more quickly and efficiently.

Compliance

In order to meet the constantly growing regulatory requirements, it is necessary to design processes digitally and efficiently.

Growth

Digitalization of finance processes supports the market areas with controlling-relevant live KPIs and enables fast and efficient product development to secure growth.


Challenges from an outside in perspective

In practice, projects with the goal of digitalizing business processes are often complex, expensive and not necessarily efficient.

„KfW: IT costs get out of hand“

„Almost two years after its launch, Deutsche Bank pulls the plug on its digital project Yunar.“

„Too complex – now decentralization: Otto tilts SAP giant project“

„Digitalization project Magellan failed“

„The sales of Gold Bears are declining because the Haribo confectionery group is having problems implementing SAP“

By the time Lunar was completed in 2012, Edeka had invested a total of 350 million euros – and Reinhard Schütte, Edeka’s IT Director at the time, openly described the project as “one of the world’s most complicated SAP installations in recent years.”

Challenges

Costs: The costs associated with digitalization are often underestimated.

Skepticism: Employees and managers are skeptical about the plans.

E2E: End-to-end dependencies are often underestimated, which is why processes cannot be conclusively digitized.

Missing strategy with vision and objectives: A clearly defined strategy, including goals for such projects that are based on the vision of the company, is often missing.

Technology & Competence: Internal and external competences and technological possibilities are overestimated.


Derive a clear digitalization roadmap

To develop a bank-specific, feasible digitalization roadmap it is necessary to focus on more than primarily IT questions. The transformation plan should consider the key dimensions of the scoped finance organization.

Phases: 1 Scoping, 2 Preparation, 3 Evaluation, 4 Targeting, 5 Roadmap

Key questions

• Are you restricted in the question of which units should be considered?

• Which scope is required to reorganize the target Finance area?

• What corporate structure is envisaged?

• Have you already rolled out modern working methods?

• What kind of communication can be used in the transformation?

• Who will act as a role model and is positive about the topic?

• Who has the required skills in the new finance world?

• Can you bring IT, Finance & Risk together and make them work as a team?

• Do you have a clear vision of your expectations of IT?

• What are the technical restrictions?

• Are there specifications from a group?

• Are there long-term IT cooperations?

• Are critical processes already known?

• How would you prioritize the different processes?

• Which tasks should be digitized and which owned by humans?

• Where is change particularly critical in terms of processes?

• Which run activities can be optimized and further automated?

Dimensions

Organization: „Integrate the units relevant for achieving the CFO goal, and lay foundations“

People: „Convince your staff about the need, advantages and opportunities of digitization. Understand concerns and take away the fear“

IT Architecture & Systems: „Develop the Finance IT target architecture in compliance with the CFO vision“

Processes: „Design digital processes completely E2E without exemptions and make them scalable“


Result of our approach is a digital finance blueprint

The individual digitalization blueprint will be the basis for upcoming measures and projects to become a reporting factory which ensures compliance and delivers real impact by supporting the business units with relevant information in a timely manner.

Organization

• CFO / CRO has developed a future of finance target vision which contributes to the overall bank strategy

• Key competences of Accounting, Regulatory, Risk Controlling, Controlling and Tax have been analyzed and reorganized

• New working models have been designed

• Organizational requirements are known

• Processes to manage the transformation are in place

• High level target organizational structure is developed

• Decision making process has been evaluated and optimized

People

• Existing staff and management are convinced of the need for more digitalization in the finance area

• Top management has accepted that mindset change is a journey and not a switch

• Transparency of change in capacity or level of employees is highly recommended

• Skills of employees are transparent and consistently recorded to identify gaps and hire new staff

IT Architecture & Systems

• Expectations of the stakeholders are recorded and prioritized

• CFO IT target infrastructure has been developed state of the art

• Avoiding manual procedures and adjustments E2E – no exemptions

• High impact measures have been clearly identified as well as smart measures with impact on short notice

• Software releases and upcoming changes have to be considered regarding deployment and test

Processes

• Existing processes are recorded and designed E2E

• Manual tasks are centralized for the entire CFO / CRO area

• Effective controls have to be considered at the beginning of the process redesign

• New processes are supported by new technologies like Data Visualization and RPA


Illustrative example of digitalization in accounting


Challenges within the Record-to-Report Process

Selected components of this process generate significant manual work for Accounting

[Diagram: Record-to-Report process stages Record, Entity Close, Group Close and Financial Reporting, with the following components placed along them]

• Open items handling

• Validation at source

• Intercompany transactions

• Journal Entry

• Intercompany reconciliation

• Next generation statutory reporting

• From KPI to line item

• Embedded consolidation

• Integrated information

• Intelligent RPA

• Transaction matching

• Automated operation

• Account reconciliation


Focus: Account Reconciliation

The closing process is often slowed down not only by limited IT support, but also by the setup of processes, structures and governance.

Challenges

Technology Enablement

• Business units or geographies utilize numerous, disparate ERPs and/or subsystems

• Inability to easily collect and review reconciliations and exception items

• Homegrown tools developed to manage reconciliations become dated / unsupported

Governance & Compliance

• Limited ability to apply risk factors to rationalize reconciliation frequency, threshold, and risk ratings

• Policies do not define clear ownership and hand-off points in reconciliation process

• Limited transparency into the accuracy and completeness of reconciliations

Data & Analytics

• No single dashboard to review account reconciliation completeness or exceptions

• Limited visibility into reconciliation volumes, aging of out-of-balance items, and other KPIs

• No easy dashboard access for senior executives; Accounting needs to prepare separate PowerPoint slides

Delivery Model

• Decentralized / disparate teams performing reconciliations in various templates / formats

• Resource assignments not aligned with account risk / complexity

• Numerous resources responsible for reconciliations as limited part of job responsibility

Reconciliation process steps: Collect data and identify items; Validate and substantiate items; Sign-off / Approvals; Documentation and controls; Audit


Focus: Intercompany transactions

Automating processes for intercompany reconciliation does not solve the root causes of the problem

Common Intercompany Process

[Diagram: an intercompany transaction between John Smith, Division A, Los Angeles and Jane Doe, Division B, London]

Challenges

Technology Enablement

• No centralized system to track all intercompany transactions

• Limited use of sub-ledger to track detailed intercompany transactions

• Manual intercompany processes (including transaction booking, settlement, reconciliation and elimination) have the potential for human error

Governance & Compliance

• No enterprise-wide intercompany policy in place to guide intercompany operations

• Manual maintenance of intercompany agreements via emails

• Business segments/units working in silos with disparate systems reduce the transparency of the end-to-end intercompany process

Data & Analytics

• Manual and time-consuming process to report and consolidate transactions

• Lack of reporting capabilities to support ad hoc and local regulatory requirements

• No global standardized chart of accounts

• Limited controls to manage master data changes

Delivery Model

• Non-standardized reconciliation templates

• Delay in intercompany reconciliation process due to inefficient tracking of end-to-end intercompany transactions

• Large volume of manual top-side elimination entries during close with limited validation

© BlackLine


Solution example: R2R Automation with BlackLine

The cloud-based platform and SAP solution extension BlackLine is a mature solution, having been on the market for 20 years, for automating accounting processes.

At Deloitte, hundreds of consultants are certified in BlackLine modules. But a “pure plug & play” implementation is not sufficient to achieve the desired results. Deloitte can help to really transform accounting processes and controls, complying with all regulatory and audit requirements.

In more than 150 BlackLine projects globally, we helped our clients to achieve better quality of their accounting, to better manage related risks and to reduce costs.

© BlackLine


Sustainable Finance

A practitioner’s perspective


From a practitioner’s perspective, regulatory initiatives on Sustainable Finance put forward expectations that require the development of new qualitative as well as quantitative and data-driven approaches for ESG & climate risks management.

Overview

Fields of action

1. Risk identification & Risk inventory

• ESG Taxonomy: Risk factors, transmission channels and mitigation

• Methodology: (1) Climate risk heatmap & PACTA; (2) ESG scoring

2. Loan origination & Credit ratings

• Loan origination: See Risk identification & Risk inventory

• Rating methodology: (1) Override/notching based on ESG score; (2) UNEP FI methodology for credit risk

• Data management: (1) ESG data providers (large corporates vs. SMEs); (2) Portfolio-extension of ESG scores (shadow rating)

3. ICAAP & Climate stress testing (30y time horizon)

• Climate risk: UNEP FI methodology for credit risk

• S- and G-risks: Operational and non-financial risks

• Regulatory climate ST: (1) DNB (2018) – scenario analysis; (2) PRA (2021) – fully integrated / 30y time horizon

• ICAAP: Shock scenarios for ESG & Climate risk (economic perspective)

• Climate ST (30y): (1) Forecast of PD, LGD & EAD similar to IFRS 9 LECL; (2) Extension of IPCC climate scenarios (macrofinancial); (3) Enhancement of UNEP FI approach

Regulatory initiatives

TCFD Recommendations (2017) – Climate risk disclosure

• Change of paradigm: Climate risk = Financial risk

• Scope: Governance, Strategy, Risk Mgt., Disclosure (metrics/targets)

UNEP FI Methodology (2018) – Climate risk measurement

• Transition risk: Fundamental analysis of balance sheet impact

• Physical risk: LTV (mortgage) or PD (energy/agriculture) impact

EBA Guide on Loan Origination and Monitoring (2020)

• Incorporation of ESG in risk appetite, policies & procedures

• Incorporation of ESG & climate risk factors in credit ratings

ECB Guide on Climate-related and Environmental Risk (2020)

• Integration of climate (ESG) risk into existing risk categories

• Extension of ICAAP time horizon for material climate risks

EBA DP on Management and Supervision of ESG Risks (2020)

• Portfolio Alignment Method: Alignment with sustainability targets

• Risk Framework Method: Impact on portfolio and standard KRIs

• Exposure Method: Impact on individual clients & exposures


From a practitioner’s perspective, a roadmap to holistic ESG implementation should cover all aspects of the TCFD Recommendations (i.e. Governance, Strategy, Risk Management and Disclosure) with work streams aligned to the bank’s organizational chart.

A holistic approach to implementing regulatory expectations regarding ESG risks

Work streams

1. ESG Regulatory aspects

2. ESG Strategy and Conceptual Design

3. ESG Governance

4. ESG Products/Services and Customers/Suppliers

5. ESG Risk Management Cycle: Financial and Non-Financial Risks

6. ESG Accounting and Disclosure

7. ESG Operations and IT

Roadmap

Step 1: Identify climate risks in portfolios, and assess the organization’s capacity to identify, measure and manage them

• Develop specific climate risk heatmap for the organization

• Leverage outside sources such as PSI heatmaps, EU taxonomy, PRI risk indicators, etc.

Step 2: Identify climate-related opportunities, and assess the organization’s capability to exploit them

Step 3: Establish overall responsibility of board and senior management regarding climate risks

• Risk strategy and risk appetite

• Roles and responsibilities

• Policies and processes

• Management reports

Step 4: Set up organization-wide strategic approach – implementation plan

• Understand impact of climate change on the organization’s risk profile

• Identify need to adapt strategy and governance

• Set clear targets, planning and budget

• Assign responsibilities and reporting lines for the project

• Ultimately, implement amendments to policies and processes

Step 5: Establish risk management cycle

Risk identification

• Use heatmaps to identify climate risk concentrations

• Perform scenario-based sensitivity analyses

Risk assessment

• Consider ESG risks in credit decisions, e.g. by extending internal ratings with ESG risk factors

• Perform dedicated climate risk scenario analysis / stress tests for credit portfolios

• Perform dedicated climate risk performance analysis for investment portfolios

Risk avoidance/mitigation and risk monitoring

• Amend risk appetite statement with dedicated climate risk limits

• Amend credit and collateral policies with dedicated climate risk rules

• Amend client and transaction acceptance with dedicated climate risk rules

• Encourage clients to transfer risk (e.g. by taking climate risk insurances)

• Mitigate impact of physical climate risks on the organization’s operations

Step 6: Set up climate risk disclosure reports

• Scope: Carbon footprinting, green/brown exposure, company engagement, ratings and research, scenario analysis, impact metrics


From a practitioner’s perspective, ESG scoring on the one hand and assessment of climate impact on borrower KPIs on the other are at the core of integrating ESG and climate related risks into credit ratings.

Credit Ratings

UNEP FI methodology for transitional climate risks

Climate scenarios

• Output of Integrated Assessment Models, e.g. IPCC climate scenario data

Top-down module (borrower level)

• Fundamental analysis – calculate impact of scenario variables on individual balance sheet & income statement

• Calculate scenario PD based on scenario balance sheet & income statement using rating system (scorecard approach)

Bottom-up module (portfolio level)

• Extrapolation of results to portfolio level based on clustering

Industry-standard implementation

• Use of scientific climate scenarios as is (IPCC data base)

• Carbon price is essential risk driver

• Impact of carbon price on BS/IS as of today (static BS/IS assumption)

• Calculate scenario-PD based on rating systems

Benchmarking of ESG scoring providers

Lessons Learned

• ESG scores are determined by aggregating partial scores and detail variables

• The sub-scores are defined by rank ordering according to certain ESG criteria

• ESG topics are assessed on the basis of two dimensions: (a) Risk exposition; (b) ESG management quality

MSCI Scorecard


Showcase 1: Enhancement of (IPCC) Climate Scenarios

• Expansion of (IPCC) climate scenarios combining regression and auto-regression methods with expert judgement (Error Correction Model)

• Integration of incremental physical climate risks in the scenario forecasts (e.g. temperature and rainfall)

Showcase 2: Enhancement of the Credit Module

• Lifetime ECL approach (Vasicek model) is suitable for long time horizons

• Stable calibration of PD portfolio average thanks to single-factor model

• Additional borrower-level module based on UNEP FI methodology

Showcase 3: Integration of Asset Carbon Sensitivity

• Similar to scenario generation with extended scope of market variables

• Parametric representation of curves/surfaces & dimensionality reduction

• Use of advanced algorithms, esp. Big Data Analysis & Machine Learning

Milestones

• Workshop with PIK (Potsdam Institute for Climate-related Research) on 19/11/2020

• FBDC project (400 man days Sustainable Finance, thereof 100 man days Climate Scenario Extension) starting January 2021

• ClimWISE pilot project – to be started

From a practitioner’s perspective, the focus regarding climate risks is on stress testing where the UNEP FI methodology leaves room for improvement, especially in view of scenario expansion to regulatory scope, portfolio-level calibration of PD forecasts and assessment of climate risk on fair value assets.

Climate Stress Testing (30y time horizon)

• IPCC database: Forecasts of climate-related variables until 2100 combined with historical data

• Forecasts of macrofinancial variables until 2100 combined with historical data

• Portfolio data: Annual default rates & calibrated Vasicek parameters

• Result: Forecasted scenario PDs


AML and financial crime

New directives facing a new reality


Setting the scene - key financial crime themes

Financial Crime Overview

• $715bn - $1.87tn estimated to be laundered globally each year (2-5% of GDP) [1]

• $180bn spent by FSI entities globally to prevent criminal intrusion [2]

• <1% of illicit financial flows are intercepted [3]

• CxOs concerns

International sanctions: Freezing of assets and embargo

• International sanctions cover freezing of assets and embargo. They can be linked to political sanctions against a country or region or the fight against terrorism

• Historic example of success of international sanctions: Sanctions against South Africa that led to the end of Apartheid, imposed between 1977 and 1989

Anti-bribery and corruption - ABC

• The goal of ABC is to combat any “offer, promise, gift, acceptance or solicitation of an undue advantage of any value, in violation of applicable laws, to induce or reward a person to act or not to act within the scope of his or her duties” (Definition taken from the ISO 37001 Standard)

Anti-money laundering and counter terrorism financing AML/CTF

• AML/CTF designates legal, regulatory and operational measures for combating money laundering and terrorist financing:

• Money laundering is the processing of criminal proceeds to disguise their illegal origin.

• Terrorism Financing is the use of licit or illicit proceeds to finance organizations or acts of terrorism.

Market abuse and conflict of interests

• Market abuse encompasses unlawful behaviour in the financial markets and typically consists of:

• Insider dealing

• Unlawful disclosure of inside information

• Market manipulation

Tax evasion and due diligence

• Tax evasion generally includes the deliberate concealment or misrepresentation of beneficial ownership of assets, income and gains, or otherwise fraudulent conduct, designed to divert money from the public revenue

• Several regulations and directives have recently been put in place to increase tax transparency: FATCA, CRS, DAC 6

Fraud

• Fraud can be defined as an intentionally deceptive action designed to provide the perpetrator with an unlawful gain or to deny a right to a victim.

• One famous type of fraud is the “Ponzi Scheme”. The original Ponzi Scheme was organized by Charles Ponzi and dates back to the 1920s (linked to investments in postal coupons).

1. United Nations Office on Drugs and Crime (“UNODC”): https://www.unodc.org/unodc/en/money-laundering/globalization.html; 2. LexisNexis (March 2020) The True Cost of Financial Crime Compliance Report, p. 8; 3. Europol (2017) ‘From Suspicion to Action: Converting financial intelligence into greater operational impact’ p. 4


The EU regulatory journey

Financial Crime Regulation

1st AML Directive – 91/308/CEE (June 1991)

• First rules for the financial sector to combat criminal money laundering

2nd AML Directive – 2001/97/CE (Dec. 2001)

• Extended scope of vigilance and the obligations to report to non-financial activities

• Customer identification, record keeping

• Suspicious transaction reporting

3rd AML Directive – 2005/60/CE (Oct. 2005)

• Incorporates many of the FATF Forty Recommendations

• Introduction of a risk-based approach

• Extension of ID&V

• UBOs

4th AML Directive – 2015/849 (May 2015)

• Wider regulatory scope

• Beneficial ownership (UBO) information in centralized registers

• Expansion of the risk-based approach: Tax crimes, Domestic PEPs

5th AML Directive – 2018/843 (Nov 2018)

• Cryptocurrency

• Prepaid cards

• High value goods

• EDD for High-risk countries

“6th AML Directive” – Directive (EU) 2018/1673

• Harmonized definition of money laundering across all EU

• Additional offenses

• Extension of criminal liability

• Tougher punishment

7th AML Directive?

• New authority – see next slide


• On November 4th, finance ministers from European Union member states agreed to establish an EU body to fight money laundering across the bloc.

The European Commission unveils an ambitious Action Plan on which it intends to deliver by early 2021.

Financial Crime Regulation

Synthesis and perspective on the EC’s proposed measures with some actionable takeaways for obligated entities (June 2020)

1. Effective implementation of the existing AML/CFT framework

2. A single EU AML/CFT rulebook

3. EU-level AML/CFT supervision

4. Coordination and support for EU FIUs

5. Enforcing EU-level criminal law provisions and information exchange

6. A stronger EU in the world

Growing momentum behind a clear—and increasingly vocal—multi-stakeholder consensus for change.


Current & future Challenges

Financial Crime challenges

• Digital disruption

• Regulatory pressure

• Pressure from civil society

• Rapidly evolving threats & risks

• Global complexity

• Cost pressure

How do we proactively and intelligently prevent financial crime?

How do we stay ahead and protect against new and evolving threats?

How do we best adopt tech-enabled approaches enterprise wide?

Take into account the impact of COVID-19

Typical Financial Crime Client Journey

1. Secure & get the basics right: Establish core controls to ensure regulatory and policy compliance in all FC activities

2. Scale: Evolve to incorporate broader proposition features and increase throughput via automation and standardisation

3. Optimize: Adopt a more intelligence-led approach, leveraging insight gained over time, making use of resources and technology without compromising FC risk management practices

New FinCrime approaches required

• More mature institutions and jurisdictions are at an inflection point and require transformative FinCrime management approaches (moving from Secure and Resolve to more pro-active solutions)

• Demand is accelerating for next generation approaches relying on tech solutions, innovation and optimization of the Target Operating Model


Illustration: focus on processes (Financial Crime & tech)

Scope: anti-money laundering, counter-terrorist financing, economic sanctions, Know Your Customer (KYC)

The slide lays out the process chain from KYC through monitoring to special analysis, with the automation potential (A to H) marked against the individual process steps.

Process chain:

1. Collect client & transaction data
• Collect data on customers and operations
• Digital onboarding

2. Scenario development and management
• Identification of additional scenarios
• Scenario tuning

3. Generation and selection of alerts
• Generation of alerts
• Alert risk scoring
• Alert assignment

4. Analysis and investigation process
• Initial search for information, initial review
• Gather relevant transaction information
• Gather relevant KYC information

5. SAR / non-communication report
• Description of the file
• SAR / non-communication report
• Attach information and support documentation
• Automated narrative drafts

6. Verification process
• Transactional / operational verification
• Support documentation verification
• Additional searches
• Report verification

Potential (Robotics and Cognitive Intelligence):

A. Digital Onboarding: natural and legal persons, self-sovereign wallet, blockchain
B. Alert Risk Scoring: leverage historical alert and case information to triage alerts for investigation more effectively
C. Alert Review Preprocessing: collection and aggregation of information for investigation purposes
D. Alert Triage, Stratification & Smart Case Routing: leverage disposition data for stratification, smart routing and specialized procedures
E. Automated Narrative Drafts: automate drafting of initial case investigation summary narratives
F. Anomaly Detection / Investigator Guidance: leverage cognitive techniques to support and augment investigator judgement with anomaly detection
G. SAR Form Packaging: automate population of the SAR form and supporting material for review
H. Check Image Recognition: extract check data from images for filtering and review
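The two steps that the slide singles out for automation, scenario-based alert generation (step 3) and alert risk scoring from historical dispositions (potential B), are easier to reason about in code than in a process diagram. The following is an added example and not code from the deck or from any Deloitte tool: it implements one monitoring scenario (structuring, i.e. several cash deposits kept below a reporting threshold inside a short window) and then scores each alert by the share of past alerts in the same scenario and customer segment that ended in a SAR. The threshold, window, segment names and all transactions and historical dispositions are constructed assumptions for the illustration.

```python
"""Scenario-based transaction monitoring with alert risk scoring from
historical dispositions. Added illustration; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float
    kind: str  # "cash_in", "wire_out", ...


# Assumed parameters of the structuring scenario (not from the slide).
CTR_THRESHOLD = 10_000.0  # cash reporting threshold the scenario looks below
WINDOW_DAYS = 7           # rolling window for aggregating deposits
MIN_COUNT = 3             # minimum number of sub-threshold deposits


def scenario_structuring(txns, threshold=CTR_THRESHOLD, window=WINDOW_DAYS,
                         min_count=MIN_COUNT):
    """Generate one alert per customer whose sub-threshold cash deposits in any
    `window`-day period number at least `min_count` and sum to >= threshold."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.kind == "cash_in" and t.amount < threshold:
            by_customer[t.customer].append(t)
    alerts = []
    for customer, deposits in by_customer.items():
        deposits.sort(key=lambda t: t.day)
        for i, first in enumerate(deposits):
            in_window = [t for t in deposits[i:]
                         if (t.day - first.day) < timedelta(days=window)]
            total = sum(t.amount for t in in_window)
            if len(in_window) >= min_count and total >= threshold:
                alerts.append({"customer": customer, "scenario": "STRUCTURING",
                               "count": len(in_window), "total": total,
                               "window_start": first.day})
                break  # one alert per customer per run
    return alerts


def productive_rates(history, alpha=1.0):
    """P(SAR | scenario, segment) from past dispositions, Laplace-smoothed so a
    stratum with little history shrinks toward 0.5 instead of 0 or 1."""
    counts = defaultdict(lambda: [0, 0])  # (scenario, segment) -> [sar, total]
    for h in history:
        c = counts[(h["scenario"], h["segment"])]
        c[1] += 1
        if h["disposition"] == "SAR":
            c[0] += 1
    return {k: (sar + alpha) / (n + 2 * alpha) for k, (sar, n) in counts.items()}


def score_alerts(alerts, segments, rates, default=0.5):
    """Attach a productivity score and triage tier; unseen strata get `default`."""
    scored = []
    for a in alerts:
        seg = segments.get(a["customer"], "unknown")
        p = rates.get((a["scenario"], seg), default)
        tier = "priority" if p >= 0.5 else ("standard" if p >= 0.2 else "low")
        scored.append({**a, "segment": seg, "score": round(p, 3), "tier": tier})
    return sorted(scored, key=lambda s: s["score"], reverse=True)


# --- constructed sample data (not real customers or cases) -------------------
D = date(2020, 1, 1)
TXNS = [
    # C1: four deposits just under the threshold within five days -> alert
    Txn("C1", D, 3000, "cash_in"), Txn("C1", D + timedelta(1), 3000, "cash_in"),
    Txn("C1", D + timedelta(2), 3000, "cash_in"), Txn("C1", D + timedelta(4), 3000, "cash_in"),
    Txn("C1", D + timedelta(7), 12000, "cash_in"),  # above threshold, reported anyway
    # C2: large deposits but spread out -> no alert
    Txn("C2", D, 9000, "cash_in"), Txn("C2", D + timedelta(2), 9000, "cash_in"),
    Txn("C2", D + timedelta(19), 9000, "cash_in"),
    # C3: three deposits on consecutive days plus an unrelated wire
    Txn("C3", D + timedelta(9), 4000, "cash_in"), Txn("C3", D + timedelta(10), 4000, "cash_in"),
    Txn("C3", D + timedelta(11), 4000, "cash_in"), Txn("C3", D + timedelta(12), 15000, "wire_out"),
]
SEGMENTS = {"C1": "retail", "C2": "retail", "C3": "cash_business"}
HISTORY = ([{"scenario": "STRUCTURING", "segment": "retail", "disposition": d}
            for d in ["SAR", "SAR"] + ["closed"] * 6]
           + [{"scenario": "STRUCTURING", "segment": "cash_business", "disposition": d}
              for d in ["SAR"] + ["closed"] * 9])


def run_demo():
    """Monitoring run over the sample data: generate, score and rank alerts."""
    alerts = scenario_structuring(TXNS)
    return score_alerts(alerts, SEGMENTS, productive_rates(HISTORY))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The smoothing in productive_rates is the practical point: a scenario/segment pair with two historical alerts must not be scored as 0% or 100% productive, or the triage queue will systematically starve new scenarios of investigator attention. The same disposition table also feeds scenario tuning (step 2): a stratum whose smoothed rate stays near zero over many alerts is a candidate for threshold adjustment rather than for more investigators.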


Cloud: Services in the cloud


Essential Characteristics of Cloud Computing (the five characteristics as defined in NIST SP 800-145)

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling: The provider's computing resources are pooled to serve multiple consumers, with resources (e.g. storage, processing, memory, bandwidth) dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country or datacenter).

Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability¹ at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.


Cloud computing offerings can be assigned to specific service models depending on their type

Figure: the cloud stack (Facilities, Organization, Hypervisor, Virtual Machine, OS, Application Server, Application, Data, Client), with each layer assigned either to the Cloud Service Provider or to the purchasing bank; the further the model moves from IaaS via PaaS to SaaS, the more layers the provider operates and the fewer remain with the bank.

Type: IaaS (Infrastructure-as-a-Service)
Definition: Computing infrastructure (virtualized processing, storage and network environment) as a scalable and elastic service
Examples:
• HPC / Grid, Analytics
• Web apps and services
• Scenario analyses (e.g. Monte Carlo simulation)
• Storage services

Type: PaaS (Platform-as-a-Service)
Definition: Design, development and implementation of applications and services on the Web; computing platform and solution package as a service
Examples:
• Application design, development and test environments
• Data storage and access services
• Web service integration
• Integration of database systems

Type: SaaS (Software-as-a-Service)
Definition: Provider licenses an application for the customer to use as a service on demand
Examples:
• Non-core applications like HR and CRM
• Office productivity / support applications
• Email, document management, collaboration and workflow


Market Analysis: Provider Market Share

Providers in each area remain fragmented, but a consensus is emerging around certain leading vendors.

Market size (Source: Gartner 2018/2019 Data Packs and Press Release):
• IaaS: FY18 $39.5B, FY23 $119.77B, CAGR 24.84%
• PaaS (without BPaaS): FY18 $16B, FY23 $35.72B, CAGR 17.41%
• SaaS: FY18 $80B, FY23 $158.4B, CAGR 14.64%

IaaS
• More than 35% of IaaS revenue worldwide is estimated to be earned by Virtual Private Server (VPS) offerings.
• There are regional, small providers who do not directly compete with hyperscale providers such as AWS and Microsoft.
• Small players are confined to local markets, with limited capabilities and no supporting ecosystems.

SaaS
• The markets considered under SaaS include offerings like ERP, CRM, content services, collaboration services, office suites and supply chain management solutions.
• The individual growth rates across applications are remarkably high, taking ERP, CRM and office suites past the $10B mark.

PaaS / BPaaS
• Business Process as a Service (BPaaS) has emerged recently and accounts for a major share of the PaaS market.
• The BPaaS market size is $61.3B (2018), with a projected market size of about $100B by 2023, growing at a CAGR of 10.37%.
• Cloud payments, customer management and human resources are some of the major subsegments growing at ~10% CAGR under BPaaS.

Market share by provider (percent of market share; the charts distinguish top-tier, mid-tier and other market players, and within PaaS the segments "integration middleware & database" and "application", within SaaS the segments CRM, productivity applications (Office, content management, collaboration), ERP and Business Process as a Service):

PaaS: Others¹ 45.2%; Amazon 19.8%; Salesforce 15.1%; Microsoft 6.4%; IBM 4.5%; Atlassian 2.4%; Google 2.3%; Oracle 2.0%; SAP 1.9%; Informatica 1.9%; Alibaba 1.8%

SaaS: Others¹ 44.4%; Microsoft 18%; Salesforce 12.5%; Oracle 6.9%; SAP 6.3%; Google 3.2%; Workday 2.8%; Adobe 2.4%; Ultimate Software 1.3%; IBM 1.1%; Dropbox 1.1%

IaaS: Public IaaS 76%, Private IaaS² 24%. Public IaaS providers: AWS 39.7%; Others¹ 45.7%; Microsoft 7.1%; Alibaba 3%; Google 2.3%; Rackspace 2.2%

¹ Includes cross-industry SaaS players (Ultimate Software, Dropbox), cross-industry PaaS players (Alibaba, Informatica) and cross-industry IaaS players (NTT Communications, Fujitsu, Dimension Data) in the "others" segment of the respective market shares.
² IaaS market share numbers are divided among public and private cloud vendors. Private IaaS market numbers are arrived at by calculating the difference between total IaaS market numbers and public IaaS market numbers.


Evaluation of Cloud Service Providers

AWS, Azure and GCP are the "secure" choice among public cloud providers.

Figure: Gartner Magic Quadrant (axes: Completeness of Vision, Ability to Execute; quadrants: Leaders, Challengers, Visionaries, Niche Players; source: Gartner, May 2018), alongside an assessment of the capabilities of AWS, Azure and GCP during the initiation phase on five criteria: contract design (Vertragsgestaltung), service reports, response speed (Reaktionsgeschwindigkeit), support capacity (Betreuungskapazitäten) and regulatory understanding (Regulatorisches Verständnis).

• AWS, Azure and GCP operate with a good understanding of the requirements, but access to the appropriate resources is not always easy.
• Contract negotiations and the reaction to customer needs differ fundamentally from conventional IT service providers.
• Even small differences can exclude certain use cases due to regulatory requirements.
• The field of relevant Cloud Service Providers is thinning out, as only a small number of competitors have the necessary performance.
• AWS and Microsoft dominate when it comes to applications that go beyond a pure IaaS use case, especially in the PaaS environment.
• Cloud IaaS and PaaS are neither a commodity service nor a hardware rental; increasingly it is about the ecosystem around the providers (service providers, expertise of employees, tools, ...).
• Regulatory issues are handled similarly well by the major cloud providers.


Development of cloud computing usage

Cloud deployment is leaving the pilot phase, often driven by external pressure.

Figure (Deloitte perspective, January 2020): positioning of a peer group of institutions (key: special financial institution, universal bank, captive, major development bank; each marked "C" in the chart) by overall maturity (low to high), adoption (line of business to enterprise) and orientation (operating/reactive to innovating/proactive); the scale runs from basic/manual and invested in running to advanced/automated and invested in innovation.

Positioning examples for cloud capabilities:
• Cloud Security: proactive implementation of controls to address regulatory requirements; centralized and automated management of cloud security.
• Cloud Operating Model: introduction of cross-functional teams for design, build and operate to avoid silos (product, platform and service teams); use of small and agile "tiger teams".
• Cloud Technology: infrastructure modernization (virtualized, containerized, focus on reusable resources); "full stack" automation; new development is "cloud first", partly with "born in the cloud" cloud-native technologies.

Global examples (not shown in the peer group; "GlobalBank"):
• Deployment of 300 releases per day using public cloud tools.
• Use of cloud tools and automation, disrupting direct credit and process speed.
• Use of "pre-built" solutions to improve time-to-market by 66%.


European Regulation on Cloud: Overview

Details vary, but the general thrust of the regulation is very similar.

EBA
• Regulation: Guidelines on Outsourcing Arrangements (02/2019)
• Objectives: harmonized framework for all financial institutions within EBA's mandate; cloud treated as outsourcing with special requirements
• Applicable for: credit institutions and investment firms subject to the CRD; payment and electronic money institutions
• Risk analysis: scenarios of possible risk events, quantitative analysis for large or complex institutions; concentration risks and aggregated outsourcing risks, step-in risks for significant institutions; mitigating measures; sub-outsourcing, long/complex outsourcing chains; sensitivity of data and systems; applicable law and political stability; legal, ICT, compliance and reputational risks; expected benefits and costs
• Contract requirements: clear description of the outsourced function, start and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of the CSP, BCM; audit rights and cooperation with resolution authorities; termination rights

EIOPA
• Regulation: Guidelines on outsourcing to cloud service providers (01/2020)
• Objectives: harmonized framework for cloud outsourcing in line with the EBA guidelines; clarification and transparency to avoid potential regulatory arbitrage
• Applicable for: insurance and occupational pensions authorities
• Risk analysis: legal, ICT, compliance and reputational risks; service and deployment model, migration; sensitivity of data and systems; applicable law and political stability; sub-outsourcing and concentration risks
• Contract requirements: clear description of the outsourced function, start and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of the CSP, BCM; audit rights

ESMA
• Regulation: Consultation Paper: Draft Guidelines on Outsourcing to Cloud Service Providers (06/2020)
• Objectives: the purpose of the consultation is to gather evidence on the operations of the ESAs; strengthening and improvement of the effectiveness and efficiency of the ESAs
• Applicable for: ESAs, financial institutions and other market participants, national supervisors/ministries, NGOs and EU institutions
• Risk analysis: information and communication technology, information security, business continuity, legal and compliance, reputational and operational risks, oversight limitations; service and deployment model, migration; sensitivity of data and systems; interoperability and portability; applicable law and political stability; concentration risks
• Contract requirements: clear description of the outsourced function, start and end date, financial obligations, insurance; conditions for sub-outsourcing; information security and privacy; data location, applicable law, data recovery; monitoring, SLAs, reporting of the CSP, BCM, incident management; audit rights

BaFin
• Regulation: Guidance on outsourcing to cloud service providers (11/2018)
• Objectives: guidance as an orientation aid for the outsourcing of cloud services
• Applicable for: credit institutions, financial services institutions; insurance companies, pension funds; investment services companies, capital management companies; payment institutions and e-money institutions
• Risk analysis: privacy, service support and BCM; the risk analysis is to take account of all aspects that are relevant for the supervised company in connection with outsourcing to cloud service providers, with the extent of the analysis depending on the type, scope, complexity and risk content of the outsourced items
• Contract requirements: scope of performance; information and audit rights; rights to issue instructions; data security/protection; location of data storage; termination provisions; chain outsourcing; information duties; notice of applicable law


Cloud Risks: Deloitte Cloud Computing Risk Intelligence Map

Our Cloud Computing Risk Intelligence Map provides a holistic view of the cloud-specific risks that financial institutions need to address.


Usage of cloud solutions leads to additional operational risks, which are the focus of supervision

• Cloud Governance: Management of the cloud at financial institutions, including staffing and qualifications, must be in line with cloud usage.
• ICS at the cloud provider (information security and privacy): Requirements for the ICS environment for use at financial institutions often exceed the capabilities of the service provider and may not be compatible with its business model.
• Location, applicable law and political stability: The physical location of the data, or access from abroad, may pose a risk.
• Sensitivity of data and systems: Security, privacy, monitoring, service support and BCM must be in line with the data processed and the processes supported.
• Concentration risk & sub-outsourcing: For the financial institution and for the financial sector as a whole, including excessive outsourcing and sub-outsourcing.
• Audit rights: Granting individual inspection rights can be difficult with certain providers.


Controls in the shared responsibility model

Cloud service providers provide so-called third-party assurance as proof of their internal control system (ICS), typically in the form of independent audit reports such as SOC 1/SOC 2 or ISAE 3402. These reports represent the CSP's ICS; in addition, the adequacy and operating effectiveness of the controls is confirmed by an audit certificate from the auditors. The coverage of this third-party assurance is limited to the controls that are solely the responsibility of the CSP. Controls that sit with the purchasing bank (the complementary user entity controls the report presupposes) are outside its scope and must be implemented and evidenced by the bank itself; which layers of the stack these are depends on the service model.

Figure: the cloud stack (Facilities, Organization, Hypervisor, Virtual Machine, OS, Application Server, Application, Data, Client), each layer carrying a control, split between the Cloud Service Provider and the purchasing bank for IaaS, PaaS and SaaS.


Cloud governance and cloud ICS build on each other

Overview (columns: Cloud Governance, Cloud ICS, CSP Compliance Platform, Monitoring). Phases 1 to 4 form the cloud compliance introduction and phase 5 the further development; a quality gate with approvals sits between consecutive phases.

Phase 1: Define Cloud Strategy
• Cloud strategy; shared responsibility model; documented organizational rules; approvals and resolutions; deployment model

Phase 2: Establishing Cloud Governance
• Outsourcing control, risk management, data protection, ISMS, guidelines (GL), TOM, 2nd line
• Input: the risks from the Cloud Computing Risk Intelligence Map

Phase 3: Define Cloud ICS
• Common cloud controls, plus CSP-specific controls for Amazon, Microsoft and Google
• Complementary User Entity Controls for each CSP
• Control domains: ASSET, BCM, COMSEC, DP, OS, CRYPT, IAM, MDM, OPS, IS, ORG, HR, SEC, INC, …

Phase 4: Parameterization of the CSP
• Compliance "guardrails" in the parameterization of the CSP, so that the measures are kept obligatorily.
• The aim is to use a compliance platform to restrict the degree of freedom of the users (e.g. developers) so that use is only possible within the defined cloud controls.
• Securing the cloud in the cloud via configuration of preventive and detective controls in the code (same control domains as in phase 3).

Phase 5: Continuous monitoring & improvement
• Cyber Threat Intelligence; adapt the compliance platform to requirements; cloud governance development; CSP monitoring; audits
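The phase 4 idea, guardrails written as code so that a control is both enforced before deployment (preventive) and re-checked against what actually exists (detective), is concrete enough to show. The following is an added example, not code from the deck, from Deloitte or from any CSP compliance platform: a small rule set keyed to the control domains named on the slide (DP, CRYPT, IAM, OPS, IS, BCM) is run once as an admission check on a single deployment request and once as a drift scan over an inventory. The control IDs, the resource dictionaries, the approved-region list and the inventory are constructed assumptions; a real platform would read resources from the provider's inventory API and enforce admission through the provider's policy mechanism.

```python
"""Compliance guardrails as code: the same rule set used preventively (admission
check on a deployment request) and detectively (scan of the existing inventory).
Added illustration; resources and control IDs are constructed, not a CSP API."""
from collections import Counter
from dataclasses import dataclass

# Assumption: data must stay in these regions (data location requirement).
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}
DATA_STORES = {"bucket", "volume", "database"}


@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control ID, prefixed with the slide's domain code
    resource: str
    message: str


def check_data_location(r):
    if r.get("region") not in ALLOWED_REGIONS:
        return Finding("DP-01", r["id"], f"region {r.get('region')!r} not approved for data location")


def check_encryption_at_rest(r):
    if r["type"] in DATA_STORES and not r.get("encrypted_at_rest", False):
        return Finding("CRYPT-01", r["id"], "encryption at rest disabled")


def check_public_exposure(r):
    if r["type"] == "bucket" and r.get("public", False):
        return Finding("IS-01", r["id"], "bucket allows public access")


def check_access_logging(r):
    if r["type"] in {"bucket", "database"} and not r.get("access_logging", False):
        return Finding("OPS-01", r["id"], "access logging disabled")


def check_admin_mfa(r):
    if r["type"] == "iam_user" and "admin" in r.get("roles", []) and not r.get("mfa", False):
        return Finding("IAM-01", r["id"], "administrative user without MFA")


def check_backup_retention(r, min_days=7):
    if r["type"] == "database" and r.get("backup_retention_days", 0) < min_days:
        return Finding("BCM-01", r["id"], f"backup retention below {min_days} days")


GUARDRAILS = [check_data_location, check_encryption_at_rest, check_public_exposure,
              check_access_logging, check_admin_mfa, check_backup_retention]


def evaluate(resource):
    """Run every guardrail against one resource description; return its findings."""
    return [f for f in (g(resource) for g in GUARDRAILS) if f is not None]


def admit(request):
    """Preventive control: a deployment request is admitted only with zero findings."""
    findings = evaluate(request)
    return (not findings, findings)


def scan(inventory):
    """Detective control: report drift across resources that already exist."""
    return [f for r in inventory for f in evaluate(r)]


def summarize(findings):
    """Count findings per control ID for the compliance platform's reporting."""
    return dict(Counter(f.control for f in findings))


# Constructed inventory, shaped like a minimal cloud resource export (not real).
INVENTORY = [
    {"id": "bkt-kyc-docs", "type": "bucket", "region": "eu-central-1",
     "encrypted_at_rest": True, "public": False, "access_logging": True},
    {"id": "bkt-export-tmp", "type": "bucket", "region": "us-east-1",
     "encrypted_at_rest": False, "public": True, "access_logging": False},
    {"id": "db-core-ledger", "type": "database", "region": "eu-west-1",
     "encrypted_at_rest": True, "access_logging": True, "backup_retention_days": 1},
    {"id": "iam-ops-admin", "type": "iam_user", "region": "eu-central-1",
     "roles": ["admin"], "mfa": False},
]

if __name__ == "__main__":
    allowed, why = admit(INVENTORY[1])
    print("admit bkt-export-tmp:", allowed, [f.control for f in why])
    print("inventory drift:", summarize(scan(INVENTORY)))
```

Keeping one rule set for both paths is the design choice that matters: an admission check alone misses resources created outside the pipeline or changed after deployment, and a scan alone only finds the violation after it has existed for a while, so the detective run is what closes the gap between the controls the bank has defined (phase 3) and what is actually running, and its summary per control ID is the evidence the bank needs for the complementary user entity controls that the CSP's own assurance report does not cover.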


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities. The subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited are among the region’s leading professional services firms, providing services through nearly 7,000 people in 44 offices in 18 countries.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited („DTTL“), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

© 2020. For information, contact Deloitte Central Europe

Risk & Regulatory Academy