Sogeti: Cloud Case Regie 1 July

Transcription

1 Sogeti: Cloud Case Regie 1 July Robeco Ronald Koot For institutional investors 1

2 Content Robeco Sourcing / Cloud strategy Vendor Controls Cloud Case Robeco 2

3 Facts and Figures Founded in Rotterdam in 1929 Currently part of Orix group after acquisition in 2013 Part of Rabobank group during the decision and implementation Cloud Solutions A pure-play asset manager: investing is all that we do with an active investment style Core investment capabilities complemented by specialized subsidiaries Global leader in sustainability investing 1,500 employees in 13 countries across Europe, the US, the Middle East, Asia and Australia IT Strategy of standardization and reduction of complexity IT Strategy of reducing costs 3

4 Facts and Figures Robeco IT Facts en Figures 120 FTE (internal and external); Servicing Asset Management, Pension Solutions, Retail and Corporate Departments; Servicing around 1000 people in the Netherlands; Servicing around 200 people internationally (mainly in 6 sales offices) with Wide Area Network and a limited number global applications (such as Trading, CRM and Office365). 4

5 Robeco-IT Outsourcing and Cloud perspective Robeco is an early adopter in the financial services sector regarding IT Sourcing and Cloud; Robeco has a culture of being challenging, opportunistic, entrepreneurial and pragmatic approach/attitude towards IT Sourcing providers; We have limited own IT : We have outsourced our infrastructure (Datacenter, WAN, Desktop, Service Desk); We have minimal custom developed software (mainly in Integration and End User Computing); We have a highly virtualized environment without mainframes as of the end of 2013; We have multiple SaaS and Cloud solutions deployed. Our cloud decisions are based on an extensive risk analysis: Policy and Organizational risks such as loss over governance, cloud service termination and lock-in; Technical risks such as data leakage, DDoS, Deletion of Data, Intercepting data in transit, Encryption, data location en separation of environments, virtualization; Legal risks such as data protection, termination, exit clauses/procedures, right to audit; Others risks such a network breaches and traffic, back-ups, lost of log files. 5

6 IT Sourcing Strategy > Cloud (SaaS) Based on the goals of IT Sourcing, challenges and experience, Application sourcing remains a strategic component of IT Sourcing: Continue to implement packages and standard solutions above custom made solutions (Buy before Build principle). Packages and applications can be implemented SaaS based or on premise. Starting points for Application Sourcing SaaS solutions for non core applications and processes; Custom software only for differentiating applications when standard software is not available/suitable; Investments is build around the simplicity architecture (standard packages, potentially SaaS based); Pension Solutions is build around BPO offering; Retail is build around SaaS/Cloud platform and a custom build website OFS; Corporate Domain and Sales & Marketing is build around standard SaaS deliver solutions. Continue using Application specific IT Sourcing (such as SaaS) based on predefined criteria, including: Reuse of the existing applications, solutions, vendor in order to reduce complexity and become cost efficient; Business case; Business criticality, risk impact; Architectural fit and position in the overall landscape; Amount of integration and interfaces with other applications; Data classification. 6

7 Vendor Control Instruments For institutional investors 7

8 Vendor Control Instruments Identified roles in the control of vendors Generic control model for vendors Distinction in type vendors Risk and importance of a vendor for Robeco Vendor Control Framework Risk Analysis 8

9 Waarde Structure of IT Contract Management Depending on the Kraljicscore a Governance will be implemented: Strategic: IT Contract Owner and/or Business Owner have 1 or 2 times a year a strategic meeting with the key 3rd party vendors about developments at Robeco/vendor and, based on performance of the vendor. Tactical: the Vendor Manager is in the lead for organizing a regular meeting, reporting and evaluation of the vendor. Also Business Owner/representatives and/or IT Contract Owner will participate. Operational: Business has regular meetings with vendor on an operational level together with the Vendor Manager Kraljic Analyse Leverancier 12 Leverancier 11 Leverancier 13 Leverancier 14 Leverancier 8 Leverancier 7 Leverancier 4 Leverancier 9 Leverancier 10 Risico Leverancier 3 Leverancier 5 Leverancier 6 Leverancier 1 Leverancier Key roles in the Governance IT Contract Owner Represents GIS in relation to the services (ICT components) delivered by the vendor to the Business Owner. IT Contract Owner is accountable for the budget except for BPO contracts. Business Owner Represents the end-user organization. Is responsible for the functional part of the vendor provided services. Assesses, initiates and approves changes related to the delivered services.. Vendor Manager Facilitates the Vendor Management processes in order to support the Business Owner and the IT Contract Owner with service levels reporting, financial control, contract management and setting up the governance. Purchasing Facilitates the procurement process during the RFI/RFP phase and negotiation. Robeco 9

10 Vendors in Control In 2014 IT Contract Management will focus on Vendors in Control from different perspectives: Financial in control: We are in control and our costs are in line with budgets License in control: We are compliant and we are not over licensed. When license audits take place we have to be confident and impact is minimal Contract: Depending on the type of contract we have all required clauses such as Escrow, Exit, Right to Audit, Data privacy, assurance. Reporting: Depending on the type of contract we receive relevant and adequate reporting on SLA s and Security Therefore we have created the Vendor Control Framework in cooperation with Legal, Purchasing, Risk Management and Compliance. Categories o Legal o Assurance o Compliance o Security o BCM o SLA o Reporting Control Contractual aspects Infra Outsourcing Vendors SAAS Vendors Business Software License Vendors Infra Softw. and Development Softw. Licenses Vendors BPO Vendors Key Overige Key Overige Key Overige Key Overige Key Overige General Applicable Law x x x x x x x x x x NDA / Confidentiality clause x x x x x x x x x x Third party clause confidentiality x x x x x x Service Description Description of the Service x x x x x x x x x x Use Restrictions Entities/affiliates allowed to use x x x x x x x x x x Scope of Use x x x x x x x x x x Export laws License structure x x x x x x x x Intellectual Property (for Robeco specifics) x x x Robeco 10

11 Risk Analysis for (new) Vendors Type Risk o Organizational risks o Technical risks o Compliance Risks Risk based on o Probability o Impact o Risk mitigation adjustments o Residual Risk In cooperation with o Operational Risk Management o Security o Business Nr. Risks Description of inherent risk Organizational risks 1 P1. Lock-in Risk of not being able to migrate easily from one provider to another 2 P2. Loss of Governance Control and influence on the cloud providers, and conflicts betw een customer hardening procedures and the cloud environment. 3 P3. Compliance challenges The risk of CP s w hich cannot provide evidence of compliancy to all relevant requirements, policies, law s etc. 4 P4. Loss of business reputation due to cotenant activities tenant affecting the reputation of another tenant. Risk of malicious activities carried out by one 5 P5. Cloud service termination or failure The risk of providers to go out of business. The risk of unclear data ow nership. 6 P6. Cloud provider acquisition Acquisition of the cloud provider could increase the likelihood of a strategic shift and may put nonbinding agreements at risk. 7 P7. Supply chain failure A cloud computing provider can outsource certain specialized tasks of its production chain to third parties. The risk of non-compliancy of those subcontractors. 8 Changing regulations This risk of changes in law s and regulations could impact the requirements for both the financial institution and the cloud provider. Changes in regulations could also impact the risks for the outsourcer. 9 Insufficient skills and know ledge to identify risks related to Outsourcing / Cloud computing If the financial institution has insufficient know ledge to identify the risks involved or to assess the operational effectiveness of the controls af the Cloud Service Provider outsourcing is not allow ed. Monitoring outsourcing requires specific skills and know ledge. Robeco 11

12 3 rd party key vendors The following criteria (at least 2 scored per vendor) are used to define 3 rd party key vendors. Budget of the vendor for the current year: > xxxxx Operational risk of the services delivered by the vendor based on the Kraljic score: > 2,5 The service of the vendor supports one of the key-processes of Robeco, such as: Front Office: Investment portfolio management, trading, securities lending Back office : Operations and accounting Retail: Operations, Sales en Marketing Corporate Departments: Risk management, Group Finance and HR IT: core infrastructure, Development BPO: Pension Providers, Private Equity Robeco 12

13 Lessons Learned from Cloud projects Execute a thorough risk analyses; Ensure involvement and commitment from Compliance, Risk Management, Legal and Audit during the risk analysis, contract negotiation and continue during implementation; Ensure commitment from Senior Management. In our case we have involved the In Control Board and the Management Board in our decision making process; Involve DNB early in the process; Multi Vendor Agile working requires extensive coordination; Highly frequent program board meetings to discuss issues and risks. Realize Regie for a (Cloud Provider) is not an IT-party. Take care for a management organization in house with knowledge. Ensure there are good governance arrangements. Robeco 13

14 Cloud: Risk or Opportunity Standard (Service, SLA, Contract) Liability Regulators (Right to Examine) (Wft / BPr) Integration Cost Attractive and efficient Stay up to date (Follow the roadmap) Patriot Act Vendor Lock in Vendor Security Policy Data Privacy Data Location In Control Customization & Configuration Stability & Continuity 14

15 WE DO!!!! Robeco 15