Becoming Governance, Risk and Compliance Ready, Not Reactive

7/30/2019 Becoming Governance, Risk and Compliance Ready, Not Reactive

1/12

FINANCIALSERVICES

THOUGHT LEADERSHIP POINT OF VIEW

Becoming Governance,

Risk and Compliance Ready,

Not Reactive

Trading

Lending

Banking

Societies

Insurance

Consulting


2/12

2

CONTENTS

Introduction Page 3

Mission-Critical Policy Issues Page 4

Business Case Page 8

Brocade Deployment Scenarios Page 9

Brocade Financial Services Solution Set Page 11

Next Steps Page 11


3/12

This trend is stimulating demand for more

financial service sector applications to deliver

real time risk assessments, reporting and

audit trails, particularly as the industry extends

the number of risk policies to be managed.

Simultaneously, regulators are demanding

more immediate data so the financial

institutions reputation is continuously at

stake. It is no longer possible for the data

centre to simply react.

Then of course the institution must deal

with the business-as-usual data driven

requirements for lower operating cost,

improving customer relationship, increasing

online trading, 24x7 continuity and preparing

for yet more mergers or acquisitions due to

market, competitive or regulatory changes.

Significant Pressure On The Data Centre

In the past there has been distance

between the data centre and the business

demand for improvements to managing

GRC, but no more.

Today, the business owners of GRC policy

are much closer, and dependent upon,

the data centre to deliver data on demand.

With the growth in, for example,

high frequency trading systems which now

have to be real time audited, closer

integration between regulatory policy and

execution becomes a mission-critical

challenge for the data centre to resolve.

Brocade GRC-Ready Data Centre

Architecture

Brocade has anticipated this challenge

using Brocade Virtual Cluster Switching

(VCSTM) technology as the adaptivefoundation for a financial services data

centre infrastructure becoming GRC-Ready

rather than GRC-Reactive.

The capacity and response level is planned

by Brocade experts in line with the customer

forecast, and consequently the significant

costs and risks of being GRC-Reactive are

eliminated.

This Brocade Thought Leadership paper

is designed to present an experiencedfinancial services perspective in applying

adaptive data centre infrastructure

technology to deal with the new GRC and

operational challenges being faced by policy

owners in financial services including:

External Auditor

General Counsel

Chief Risk Officer

Compliance Officer

Head of Internal Audit

Chief Operating Officer

Chief Information Officer

Network Management Executive

INTRODUCTION

The mission-critical, data-intensive

regulatory burden for financial services is

increasing dramatically, faster than growth

in the overall data universe.

By enabling financial services to proactively

cut the cost and risk of efficiently

responding to the regulatory flood,

Brocade makes a significant contribution

to regulatory risk management efficiency,

reputation and operating cost reduction.

Mission-Critical Data Growth

Estimates indicate that overall data volume

will grow to about five times the 2008 level

by 2013 and the proportion that isgovernance, risk or compliance (GRC)

sensitive will grow faster to take more than

30% of the overall 2013 data volume from

about 20% in 2008.

Financial services, however, expect that the

GRC data volume will be significantly greater

as a proportion of the whole, due to the

disproportionate national and international

demand for tighter regulation across the

industry, and the emergence of real time

audit trails required by regulators.

3

2008

Data

Volume

Growth

2009 2010 2011 2012 2013

Source: Consolidation Of Analyst Forecasts

Figure 1. Growth Of GRC Data Volume

Governance, Risk and

Compliance (GRC) Data

20% GRC Data

30% GRC Data

5 times growth


4/12

4

MISSION-CRITICAL POLICY ISSUES

Real Time Regulator Reporting

The European landscape is being re-organised

with new financial market regulators under the

central bank and treasury.

For example, the German Bundesbank

with the new Federal Financial Supervisory

Authority (BaFIN), or Bank of England with

the new Prudential Regulation Authority

(PRA) and Consumer Protection and

Markets Authority (CPMA) and at EU level

the new European Securities and Markets

Authority (ESMA).

Trading: Securities, derivatives, futures,

hedge fund, dealer, broker,currency.

Lending: Mortgage, building societies,

finance, credit unions.

Banking: Retail, wholesale, investment,

capital markets.

Societies: Mutual societies,

friendly societies

Insurance: Pensions, life, casualty, marine,

home, property, auto, Lloyds.

Consulting: Financial adviser, authorised

professional firm.

A lack of real time reporting

across markets has been

detrimental to surveillance

related to illegal activities.

Source: SEC 17CFR Part 242:

Consolidated Audit Trail

The Dodd Frank Act in the USA has

motivated the Securities and Exchange

Commission (SEC) to highlight the

increasingly close relationship between

efficient risk management and the

regulators requirements for vetting by

using real time electronic audit trails.

There is a similar trend with European

regulators which is further complicated from

a data centre perspective, by business

performance issues such the growth in

high frequency or automated trading globally

around the clock.

SEC 17CFR Part 242:

Consolidated Audit Trail

The US markets have reacted to this

SEC leadership initiative for direct,electronic real time access to

consolidated and more detailed order

and execution information across all

markets. These commentators from the

financial markets are highlighting the

data challenges

Recommend a single standard for real

time electronic trade and audit trail

reporting, which would be applicable to

all equity securities traded in the national

market regardless of where listed ortraded, and where data would be

captured in a central depository,

aggregated and made immediately

available to each relevant market centre.

Effective surveillances relating to insider

trading, market manipulation and stock

or options frontrunning in multiple markets

can be hindered because away-market

data such as order information, position

limit reports and large option position

reports are not available electronically on

a real time or near real time basis to the

self-regulating organisation.

The growth in these new regulator

assessment and reporting requirements

is fuelling demand for more sophisticated

business intelligence so that risk and

compliance policy owners are more able

to draw insight from applications and data

sources to support decision making and

deliver more robust data governance.

As the new regulatory environment is not yet

fully operational in many European countries,

a financial service data centre will have to

move into a GRC-ready mode that is flexible,

secure, available and scalable. GRC-reactive

is not an option.

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE


5/12

5

Brocade GRC-Ready means for network,

server platforms, virtualisation and storage,

that the rigid physical connections between

applications and data are being replaced

with more flexible Brocade virtualrelationships and shared resource pools.

Enhanced data mobility, protection, and

security are now essential to preserving data

governance, data integrity and fulfilling

regulatory requirements.

The successful and sustained management

of GRC policy risks will influence the financial

institutions share price, customer loyalty,

competitive advantage and cashflow, with

further potential to influence reputational risk

as was clearly demonstrated during the

recent financial crisis.

Similarly, today a regulators onsite

assessment will set the risk level for

a financial organisation and so determine

the frequency of future reviews which are

a major drain on management and resources.

Extended Regulatory Coverage

The regulatory net is widening with the

European Commission agreement on

the foundation for regulating hedge funds,

private equity and alternative investment

funds under the EU Alternative Investment

Fund Managers Directive (AIFM), which

will be implemented by member states

during 2013.

The new rules aim to increase transparency

among hedge funds, private equity and

alternative investment funds to assist

regulators in identifying and responding

to potentially systemic risk.

An estimate of the cost for the

new EU AIFM Directive suggests

between 1.3-1.9bn in regulated

firm compliance costs for thefirst year and up to 985m every

year thereafter, with IT

infrastructure costs a significant

component.

For financial firms covered by this new

EU ruling, this is an immediate opportunity

for the data centre to become GRC-Ready

rather than just react to this individual

demand, which would become progressively

more costly and make the future uncertain

from a risk and reporting perspective as new

requirements or further regulatory

enhancements are approved.

A key aspect of the Brocade VCS technology

is to enable financial organisations such as

hedge funds or private equity firms moving

into more widespread GRC policy execution,

to execute Information Lifecycle Management

in a GRC-Ready framework as the means

to continuously monitor, assess, report and

improve governance.

Integrated Risk Management

Best practice for GRC policy, supported

by auditors, is increasingly based upon

an integrated approach rather than a

fragmented or silo based model.Integrated risk policy framework originated

in the US market with COSO Enterprise

Risk Management (ERM) and is now being

applied by financial institutions in Europe

using the new international standard

framework provided by ISO 31000

Enterprise Risk Management System.

Best practice risk management

policy based upon standard

frameworks is subject tocontinuous improvement through

monitoring, assessment,

reporting and enhancement

which usually means more

capacity and responsiveness is

required by the data centre.

Today, internal audit reports may be quickly

outdated, insufficiently focused and too

reactive to guide immediate decision-making

in the faster changing global financial market.

Consequently data needs to be derived

directly and rapidly from the Storage Area

Network (SAN), through a highly virtualised

Ethernet, Fibre Channel or Fibre Channel

over Ethernet (FCoE) environment, converted

dynamically into Key Risk Indicator (KRI)

measurements showing policy decision

makers the potential impact and required

actions in an appropriately timely manner.

Figure 2. Integrated Risk Management Policy

Integrated Risk Policy Management

Infrastructure

Network

Content

Processes

Integrated Data Centre Solution

Source: IDL GRC Analyst

GRC Policy Lifecycle

Practice, Procedure and Reporting

IT Processes and Controls


6/12

6

Enhanced Basel III and EU MiFID2

Regulation

Regulatory enhancements drafted for

a capital adequacy increase in Basel III

and transparency for EU Markets inFinancial Instruments Directive 2 (MiFID2)

are examples of the new environment where

regulators build upon existing rules and

demand significant additions to risk

management and compliance policy.

This immediately adds to the mission-critical

data burden for the data centre by requiring

new information streams for monitoring,

analysis, reporting and archiving.

Basel III Enhancements A leverage ratio

Quantitative liquidity ratios

Limits for counter-party and credit risks

More precise definitions of common

equity limits

Framework for counter cyclical

capital buffers

EU MiFID2 Enhancements

Changes to retail investment advice

Transparency requirements extended

New rules for over-the-counter derivatives

Managing conflicts of interest and

transparency

Increased transaction reporting

requirements

New European Commission powers to

ban products or impose position limits

The regulators recognise that the data

centre will play a significant role, showing

how dependent risk policy has become

upon immediate electronic data availability.

For example, part of the EU MiFID2

enhancement includes the requirement for

electronic trading systems to introduce

a new concept of organised trading facility

and regulation of crossing systems.

Similarly Basel III capital adequacy rules are

stress tested on the raised limits, for

example, on a Tier #1 capital threshold at

7%, which requires the data centre to

provide information that will allow continuous

monitoring of changing conditions or execute

what-if scenarios in addition to managing

day-to-day operations.

In addition to data availability for risk

management, Basel III and EU MiFID2 have

storage requirements for risk legacy data

for up to five years, so integrating the

Brocade SAN with Brocade VCS technology

supports the mandatory archive demand.



7/12

7

New OECD Anti-Corruption Policy

The OECD Anti-Bribery Convention is

being translated into European national law

during 2011 and financial corporations are

implementing new anti-corruption policypractices and procedures which need to

be supported by data centre processes

and controls.

This is particularly sensitive for financial

corporations that are acquisitive as past

experience indicates that evidence of

corruption is not identified until after the

takeover incurring cost and loss of reputation.

Anti-corruption policyimplementation is said to be

the largest single work item for

financial corporate General

Counsel and legal departments

in 2011.

The challenge is to establish an anti-corruption

policy and robust monitoring system which will

draw more detailed data from financial

corporate processes that have not previously

had this degree of attention starting withnew bribery risk indicators in conjunction with

a monitoring and reporting system. This is

further evidence of the dramatic growth in

GRC-related data being generated in support

of the new policy wave.

Climate Change and Energy Management

Financial service data centres are a major

consumer of power and emitter of CO2.

Measurements have shown that the

combination of servers, storage andventilation systems can consume as much

as 30% of the total power requirement for

the financial institution (see Figure 3).

There are EU regulatory drivers in Climate

Change laws applied particularly to data

centres, and it makes sense that as part of

becoming GRC-ready, the data centre

substantially reduces the energy bill.

Brocade VCS technology provides benefits that

reduce both regulatory risk and energy cost.

EU Solvency II Progresses

EU regulators are now requiring insurers

to demonstrate ahead of the 2012 deadline

that the EU Solvency II Directive for

enhanced risk management and capitaladequacy is being implemented using the

Internal Model Approval Process (IMAP)

outcomes.

However, for most insurers this has been

a difficult process as the broader aspects of

risk management under Solvency II were not

formalised as policies or the integration of

policy with data centre information access

has been complex revealing underlying

issues with data quality or availability.

The experience for insurers is similar to that

of hedge funds and private equity firms with

the EU AIFM regulation which has

demanded a significant step forward for risk

policy with immediate access to the relevant

control and reporting data.

As with Basel III, there is stress testing for

capital adequacy and, simultaneously,

the insurance industry is completing

productivity improvements using, for example,

Electronic Claim Files (ECF) as the means

to significantly improve efficiency and reduce

risk over paper-based systems.

Clearly, the combined impact of Solvency II

with claims process productivity will mean

a new strategy for the data centre to get

ahead rather than be reactive, which will be

costly and raise risk.

Power

Boards

Lighting 40%Total Energy Used

Heating and Ventilation

Power Supply

Servers

Storage

NetworkDIST

RIBUTION

Standby

Generator

Figure 3. Data Centre Power Consumption

Electricity

Supply

Source: IDL Analyst


8/12

8

A Brocade VCS technology GRC-Ready

environment has an integrated approach

that will deliver benefits in risk management

responsiveness and lower operating cost.

Integration and consolidation are key

elements within a GRC policy: it has been

suggested that data centres addressing

individual regulatory demands will spend

upto 10 times more on the IT solution than

those that take a more integrated approach.

Data Centre GRC Issue Fragmented Classic Ethernet Static-Process Brocade VCS Technology: An Integrated,

Data Centre Architecture Consolidated and Virtualised GRC-Ready Data Centre

Risk Management

Data Security Complex to manage and unreliable Data Centre Backbone continuous data protection

and data encryption

Data Governance Not feasible economically Tiered storage for information lifecycle management

and business policy alignment

Business Continuity High risk Fewer elements reduces continuity risk; virtualisation for

higher resiliency

Prioritised Response Rigid physical connections for server platforms Flexible virtual server and storage relationships with shared

and storage resource pools

Run Complex Algorithms Time consuming Prioritisation for Quality of Service delivery using

adaptive networking

Adaptive To New Demands Inflexible Virtual machine mobility to optimise resources

and respond to change

Operating Cost

Asset Leverage Restricted Maximised inter-operation between new and existing

data centre assets

Consolidation Not consolidated; replacing switches with large, Consolidated using blade server and storage virtualisation

multi-port, centralised directors plus optimised performance and availability of upper layer

business applications and related data.

Storage Capacity Proportional to server and storage footprint Disproportionate to footprint; virtualised server and storage

raises efficiency and capacity yet reduces footprint

Space Elimination Not feasible Fully optimised data centre space

Reduced Energy Cost Unavailable or restricted Fully enabled server, storage virtualisation reduces power

consumed by 50% or more

Source: IDL Analyst


BUSINESS CASE

Taking the combination of regulatory

demands in financial services together it

becomes clear that the data centre strategy

for maintaining a sustainable cost effectiveresponse needs review.

A core competence of Brocade VCS

technology is the efficient operation of

mission-critical, data-intensive business

processes where the business case is

based upon Brocade enabling data centre

management to become ready for new

GRC policy challenges, within a constantly

changing virtualised environment, by

being adaptive rather than simply reactive

to each demand.


9/12

9

BROCADE VCS TECHNOLOGY

DEPLOYMENT SCENARIOS FOR

FINANCIAL SERVICES

Brocade VCS Technology DeploymentScenario 1

1/10 Gbps Top-of-Rack Access ready

for VCS Technology

VCS technology can be deployed today in

the same way as ToR switches, providing

key advantages while preserving the existing

architecture. This deployment scenario

is ideal for customers who would like to

ease into utilising VCS technology.

The approach outlined in scenario 1

preserves existing architecture whileleveraging existing core/aggregation

infrastructure while having the ability to

co-exist with existing ToR switches.

The configuration supports 1 and 10 Gbps

server connectivity, provides active-active

network function by splitting the load across

connections through self healing that results

in no single point of failure.

This deployment scenario provides

high-density access with flexible subscription

ratios supporting up to 36 servers per rack

with 4:1 subscription.

Brocade VCS Technology Deployment

Scenario 2

10 Gbps Top-of-Rack Access For Blade

Servers Ready For VCS Technology

This deployment scenario is similar to Scenario

1 but for blade servers, where the blade

modules can be set switch or pass through.

This deployment within a blade server

environment provides low-cost, first stage

aggregation for high density blade servers

without stress on existing aggregation while

reducing cabling out of rack.

This blade server deployment scenario

provides high-density access with flexible

subscription ratios supporting up to 4 blade

servers per rack with 2:1 subscription.

Existing 1 Gbps

Access Switches

MLX with MCT

or other core

WAN

1 Gbps

Servers

1/10 Gbps

Servers

10 Gbps

Servers

Aggregation

Access

Servers

Core

Existing ToR

Switches

MLX with MCTor other core

WAN

Blade Servers

with 1 Gbps Switches

Blade Servers

with 10 Gbps Switches / Pass through Modules

Aggregation

Access

Servers

Core

LAG

VCS Technology

LAG

2-switch

VCS

Technology

at ToR

VCS Technology

Figure 4. Brocade VCS Technology Deployment 1



10/12

10


Scenario 3

1/10 Gbps Access: Collapsed Network

As the Ethernet fabrics scale, the networks canflatten, since fabrics are self-aggregating. In this

deployment scenario, VCS technology is used

in the Data Centre LAN and separate fibre

channel connections are made to the SAN.

The collapsed network approach provides

a flatter, logical, more simplified two-tier

network design with Ethernet fabrics at the

edge. This deployment will offer greater

layer 2 scalability/flexibility and an increased

sphere of virtual machine mobility leading

to seamless network expansion as therequirements grow.

In this optimised multi-path network,

Spanning Tree Protocol (STP) is not needed,

as all paths are active which results in an

architecture with no single point of failure.


Scenario 4

1/10 Gbps Access; Collapsed Network

(Clos Fabric)

This final deployment scenario shows two

ways the fabric can be configured using a

Clos Fabric architecture. In this design,

there are switches used to create the fabric

that will not have edge ports, but the fabric

is still managed as one logical chassis,

flattening the network and resulting in a

simplified design and maximum

performance/availability.

By scaling out the VCS technology edge

fabric a flat, self aggregating network will

result that, through the Clos Fabric Topology,

allows for flexible subscription ratios.

Each VDXTM product managed as a single

logical chassis leads to a drastic reduction

in management whilst at the same time,

Data Centre Bridging (DCB) and equal cost

path capabilities for multi-hop Fibre Channel

Over Ethernet (FCoE) and enhanced Internet

Small Computer System Interface (iSCSI)

will enable a smoother path to network

convergence.


1/10 Gbps

Servers

Servers with 1 Gbps, 10 Gbps, and DCB Connectivity

48 Ports Availablefor FC SAN

Connectivity orVCS Technology

Expansion

6:1 Subscription

Ratio to Core

6 Links per Trunk

(24 total)

L3 ECMP

Up to

36 Servers

per Rack;

4 Racks per

VCS

Technology

1 GbE

10 GbE

10 GbE DCB

Logical Chassis

12 ports

48 portsper switch

10 Gbps

Servers

Fibre Channel

Connections to SAN

LAG

MLX with MCTor other core

MLX with MCT

or other core

10 Switch Fabric;

312 Usable Ports

VCS Technology

Edge Fabrics

Edge

Core

Servers

WAN

vLAG

SAN

12 ports

36 portsper switch




11/12

Consolidation

Policy-based Automation

Brocade VCS Technology

Connectivity

Application Services

Optimised Server Virtualisation

Storage Server

Figure 8. Brocade VCS Technology

Source: Brocade Optimised Data Centre

Consolidation with Server Virtualisation and

Brocade VCS Technology

11

BROCADE VCS TECHNOLOGY FOR

FINANCIAL SERVICES

The strategic goal of Brocade VCS

technology is a data-centric and application

aware infrastructure that helps ensure theentire matrix of data centre servers, network

fabric, and storage leverages advanced

technologies to optimise transactions and

safeguard application content including

critical GRC-data.

This Brocade VCS technology data centre

environment may be defined as GRC-Ready.

Advanced application

services on Brocade VCStechnology will help ensure that

applications and data receive

the highest level of resiliency,

security and data protection.

The previous generation classic Ethernet

data centre model of static IT processes

and slow incremental growth has been

displaced by a new GRC-Ready Brocade

VCS technology strategy that demands rapidresponse to changing needs and the ability

to quickly accommodate growth of new

applications and data.

To minimise disruption as part of GRC

policy and cost, the Brocade VCS technology

is designed to operate with existing storage

and network fabric assets, while providing

enhanced services where needed.

To simplify administration, these advanced

services can be automated via policy-based

rules aligned with upper-layer application

requirements. Through the Brocade OneTM

strategy, the rest of the Brocade portfoliointegrates with existing Brocade fabrics and

extends their value by providing:

Secure Computing

Unmatched Simplicity

Investment Protection

Non-Stop Networking

Application Optimisation

For server platforms and storage,

rigid physical connections between

applications and data are being replaced

with more flexible virtual relationships and

shared resource pools. Enhanced data

mobility, protection, and security are now

key to preserving data integrity and

fulfilling regulatory requirements.

By combining enhanced connectivity with

advanced storage and application-aware

services, the Brocade VCS technology

is centrally positioned to coordinate new

capabilities in both server and storage

platforms and thus to maximise data centre

productivity.

NEXT STEPS

Brocade Financial Services

Expert Briefing

Brocade subject matter expertise is

available as a free briefing directly,

or in conjunction with an approved

consulting and systems integration firm,

to enable risk, compliance, audit and IT

executives in financial services to align

business and governance policy objectives

to a more dynamic, secure and available

data centre.


12/12

2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM,

DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered

trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCX and

VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other

brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied,

concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the

right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This

informational document describes features that may not be currently available. Contact a Brocade sales office for

information on feature and product availability. Export of technical data contained in this document may require an

export license from the United States government.

Brocade Communications Systems Inc does not have the skills to create risk management and compliance policy and

therefore will not take any responsibility for making an organisation compliant or risk averse. This is the responsibility of

the organisations risk, compliance officers and board of directors working with expert advisers.

Corporate Headquarters

San Jose, CA USA

T: +1-408-333-8000

[email protected]

European Headquarters

Geneva, Switzerland

T: +41-22-799-56-40

[email protected]

Asia Pacific Headquarters

Singapore

T: +65-6538-4700

[email protected]


Becoming Governance, Risk and Compliance Ready, Not Reactive

Documents

Transcript of Becoming Governance, Risk and Compliance Ready, Not Reactive