APRA

A response to APRA’s cloud information paper

It’s a little like Groundhog Day here at PractiFI HQ as we lament, once again, the misguided nature of APRA’s approach to technology, as presented in yesterday’s snappily-titled information paper Outsourcing Involving Shared Computing Services (including Cloud).

The regulator seems to be stuck in a time-warp, where globalised, multi-tenant technologies are forever trapped as new entrants.

The stated position — although “stated” is an overstatement, given the lack of anything approaching an instruction — is that anything that may be used by more than one entity, from more than one location, where the data is outside Australia, is really scary. And somehow everyone in the industry is unable to make an informed choice.

The implied advice? Take a Bex, have a good lie down and hope the trend passes.

Surely we deserve a more progressive contribution than that!

Despite needing to vent that frustrated rant, let me add that I concur with many of APRA’s points. Much of the paper’s content is simple, uncontroversial stuff. Understand what you want to do, assess the risks, make an informed decision and review regularly.

I couldn’t agree more. After all, those are the rudiments of prudent IT risk management.

Where it all breaks down, however, is with APRA’s assertion that IT risks are dramatically ramped up when using contemporary outsourced approaches. They just aren’t.

A simple example. Which of these seems riskier to you?

  1. Software coded and tested by hand by a team of developers in Sydney, implemented on a custom basis per client and hosted at a server farm in Ryde; or
  2. Software built by a global technology leader with active clients in every major market in the world, spanning numerous verticals, handling hundreds of millions of transactions per day.

Whether you look at technology resilience or recovery, as APRA describes them, option 2 wins every time.

Add in the huge brand risk of the global tech firm and the choice becomes clearer still. When you also consider the obligation of trustees to operate in the best interests of members (including costs), it becomes a silly comparison.

Let me be clear. The best enterprise cloud solutions are more resilient and lower cost, both of which are massively in the best interests of members.

Understanding risk is a critical component of decision making. But the inference that globalised, multi-tenant technology is inherently riskier than locally-built and hosted systems is nonsense. Australia’s wealth industry leads the world in many respects, but it’s not immune to progress. The challenge for APRA is to make sure they don’t create unnecessary barriers to it staying there.