In July 2015, APRA published an information paper titled ‘Outsourcing involving shared computing services (including cloud)’, which outlined prudential considerations and key principles that should be considered when adopting cloud computing services. This paper updates the July 2015 paper.
The update is a response to APRA’s observation of the growing usage of cloud computing services by APRA-regulated entities, an increasing appetite for higher inherent risk activities, as well as areas of weakness identified as part of supervisory activities.
Furthermore, since 2015, there has been continuous evolution of both cloud computing service offerings and APRA-regulated entities’ risk management. Generally, service providers have strengthened their control environments, increased transparency regarding the nature of the controls in place, and improved their customers’ ability to monitor their environments. APRA-regulated entities have also improved their management capability and processes for assessing and overseeing the services provided.
APRA recognises that the risks associated with the use of cloud computing services will depend on the nature of the usage, and for the purposes of this paper APRA has classified these risks into three broad categories: low, heightened and extreme.
- For arrangements with low inherent risk not involving off-shoring, APRA would not expect an APRA-regulated entity to consult with APRA prior to entering into the arrangement.
- For arrangements with heightened inherent risk, APRA would expect to be consulted after the APRA-regulated entity’s internal governance process is completed.
- For arrangements involving extreme inherent risk, APRA encourages earlier engagement as these arrangements will be subjected to a higher level of scrutiny.
APRA expects all risks to be managed appropriately, commensurate with their inherent risk. However, for arrangements with extreme inherent risk, APRA expects an entity to be able to demonstrate to APRA’s satisfaction, prior to entering into the arrangement, that the entity understands the risks associated with the arrangement and that its risk management and risk mitigation techniques are sufficiently strong.
This Information Paper is relevant for a broad audience including boards, senior management, risk management, technical specialists and internal audit.