In the corporate world, governance refers to the way in which an organization is directed, administered, and controlled. It is about ensuring the correct policies, processes, and procedures are in place to run a company, and then clearly communicating those policies to everyone in the organization.
IT governance, one subset of overall corporate governance, provides a crucial supporting role by continually reviewing, enforcing, and improving governance processes and standards. Of course, IT has to adhere to its own governance requirements as well. Let’s take a look at some of the governance requirements financial services institutions (FSIs) in Singapore face when migrating IT operations into an outsourced or public cloud environment. These are the minimum governance operations that regulators will be expecting to find at an FSI in Singapore:
- Board and senior management accountability: CEO and executive board are engaged in governance at the top level
- Business and IT strategy alignment: Senior IT management is involved in how technology will support a company’s business goals and strategy
- Organization structure: Senior management must ensure that there is an appropriate IT governance structure in place with the right bodies to steer and manage the organization
- Policies: Written policies are required to document governance standards and procedures
- Processes and procedures: Procedures turn policies into actionable management processes that IT runs on a daily basis. Examples include a risk management framework and incident and vendor management
- Controls: Administrative, technical, and physical controls set by an organization’s policies and procedures
- Training and awareness: Ensuring staff are trained to operate and comply with controls, and are kept aware of current threats
- Audit: Strong internal and external audit functions are required to check processes and procedures, ensuring the organization's governance approach is robust and ready for regulatory inspections
It is important to note that in its recently updated guidelines, the Monetary Authority of Singapore (MAS) describes the use of public cloud services as a form of outsourcing; as such, cloud vendors need to be managed and monitored as closely as any other outsourcing arrangement. These requirements can be found in the MAS Guidelines on Outsourcing Risk Management.
With heavy regulation surrounding FSIs in Singapore, the industry's adoption of public cloud has been understandably slow, but not impossible. Compliance requirements are in place to guide innovation and adoption, not to stifle it. A comprehensive and clearly communicated governance framework can make complying with these regulations much more manageable. We'll be diving into specific regulations in the APAC region, such as the Monetary Authority of Singapore's Technology Risk Management Guidelines, in an upcoming blog post in this series.
You can also learn more about compliance regulations, guidelines, and other recommendations by downloading our whitepaper.