For financial-services firms, operational risk is a scourge to be vigorously minimized. Any internally-sourced problem that disrupts business processes not only costs money, but also leads to the slippery slope of reputational risk.

One way to potentially mitigate operational risk is migrating to the cloud, which entails moving data, applications or other business elements from an organization’s onsite computers to an external network of servers.

Among other advantages, cloud servers allow far more enterprise computing in just a fraction of the physical space, via step-ups such as higher-horsepower processors and greater server memory.   

“You have better density from the environment, so there are fewer things that can break,” said Howard Boville, chief technology officer at Bank of America. “You also drive out variability and complexity — we’re not doing custom builds of environments for every application, which was the way of the past.”

Bank of America has completed about 45% of its migration from legacy infrastructure platforms to software-defined infrastructure, or internal cloud, Boville said in a June 28 interview. The objective is to have 80% of the firm’s workflows transitioned over by 2019, according to the CTO.      

“As it applies to public cloud, we’re beginning a series of controlled experiments with a number of providers,” Boville said. “This is to understand how that resource pool put in the cloud would fit within our overall context of different resource pools…We have a series of measures that we work with that tie back to the core mission of the bank, which is responsible growth.”

Boville said that Bank of America’s migration to the internal cloud has resulted in a 92% reduction in ‘level one’ incidents,  which are the unplanned interruptions to IT service or reductions in quality of IT service that need to be most quickly rectified.

With regard to a potential migration to the public cloud, “from a risk perspective, we’ve identified 62 areas that we need to put controls in place from a laws, rules, and regulations perspective,” Boville said. “These include operations, information security, privacy, and business continuity, which we will be testing as part of the controlled experiments.”

‘Framework’ is Key

“Going to the cloud reduces operational risk,” said Bill Fenick, strategy and marketing director, financial services for Interxion, a provider of European colocation data-centre services​. “It’s very prescriptive to the developers, who need to work within a framework which does not allow for exceptions.”

“It’s easier for the operational people to maintain their code because they know that they work within a framework,” Fenick continued. “So from an operational perspective, nobody is doing anything that’s terribly surprising,” which simplifies both the migration and post-migration support of the application, he said.

Automation tools integrated with cloud services is one of multiple ways cloud can reduce operational risk, said Scott Mullins, head of worldwide financial services business development at Amazon Web Services, the biggest public-cloud provider.

Mullins also cited the cloud practice of using standardized machine images and replacing rather than patching faulty components; auto-scaling capabilities that respond well to user requests and enable offline troubleshooting; and automation of security and identity and access mechanisms that cleanly separate duties and ensure that no operation is performed by unauthorized persons.

“Lastly, the automation of change management and the promotion of binaries to higher environments eliminates the risk of introducing error by having different environments,” Mullins said. “Since the infrastructure, as well as the application, are treated as code and deployed as such, there is consistency between environments such as development, Q/A and test, and production.”

One op-risk mitigator for a cloud migration is so-called ring fencing, or the methodology of isolating legacy applications that will not be ported to the cloud. Fenick explained that such legacy applications may still publish data, but no new cloud applications will subscribe to the data, so the legacy apps are ‘ring-fenced’ and can be shut off without unintended consequences.

“In public cloud, you typically have to re-write the application to get the economic benefit and the risk benefit,” said Bank of America’s Boville. “For an organization like ours, with a lot of legacy applications, you are typically rewriting about 5-10% of your application base. That gives you the size of the addressable market that you could move to the cloud. So you would ring-fence those applications.”

“You have to build the flavor of cloud that is relevant to the legacy application you move across,” Boville added. “We’ve had success moving legacy applications onto our internal cloud while improving both cost and risk variables associated with those applications. We’ll look to do something similar externally if it makes sense for the application.”