7/30/2019 Becoming Governance, Risk and Compliance Ready, Not Reactive
FINANCIAL SERVICES
THOUGHT LEADERSHIP POINT OF VIEW
Becoming Governance,
Risk and Compliance Ready,
Not Reactive
Trading
Lending
Banking
Societies
Insurance
Consulting
CONTENTS
Introduction
Mission-Critical Policy Issues
Business Case
Brocade Deployment Scenarios
Brocade Financial Services Solution Set
Next Steps
This trend is stimulating demand for more
financial service sector applications to deliver
real time risk assessments, reporting and
audit trails, particularly as the industry extends
the number of risk policies to be managed.
Simultaneously, regulators are demanding
more immediate data so the financial
institution's reputation is continuously at
stake. It is no longer possible for the data
centre to simply react.
Then of course the institution must deal
with the business-as-usual data driven
requirements for lower operating cost,
improving customer relationship, increasing
online trading, 24x7 continuity and preparing
for yet more mergers or acquisitions due to
market, competitive or regulatory changes.
Significant Pressure On The Data Centre
In the past there has been distance
between the data centre and the business
demand for improvements to managing
GRC, but no more.
Today, the business owners of GRC policy
are much closer, and dependent upon,
the data centre to deliver data on demand.
With the growth in, for example,
high frequency trading systems which now
have to be real time audited, closer
integration between regulatory policy and
execution becomes a mission-critical
challenge for the data centre to resolve.
Brocade GRC-Ready Data Centre
Architecture
Brocade has anticipated this challenge
using Brocade Virtual Cluster Switching
(VCS™) technology as the adaptive
foundation for a financial services data
centre infrastructure becoming GRC-Ready
rather than GRC-Reactive.
The capacity and response level is planned
by Brocade experts in line with the customer
forecast, and consequently the significant
costs and risks of being GRC-Reactive are
eliminated.
This Brocade Thought Leadership paper
is designed to present an experienced
financial services perspective in applying
adaptive data centre infrastructure
technology to deal with the new GRC and
operational challenges being faced by policy
owners in financial services including:
External Auditor
General Counsel
Chief Risk Officer
Compliance Officer
Head of Internal Audit
Chief Operating Officer
Chief Information Officer
Network Management Executive
INTRODUCTION
The mission-critical, data-intensive
regulatory burden for financial services is
increasing dramatically, faster than growth
in the overall data universe.
By enabling financial services to proactively
cut the cost and risk of efficiently
responding to the regulatory flood,
Brocade makes a significant contribution
to regulatory risk management efficiency,
reputation and operating cost reduction.
Mission-Critical Data Growth
Estimates indicate that overall data volume
will grow to about five times the 2008 level
by 2013 and the proportion that is
governance, risk or compliance (GRC)
sensitive will grow faster to take more than
30% of the overall 2013 data volume from
about 20% in 2008.
Financial services, however, expect that the
GRC data volume will be significantly greater
as a proportion of the whole, due to the
disproportionate national and international
demand for tighter regulation across the
industry, and the emergence of real time
audit trails required by regulators.
Figure 1. Growth Of GRC Data Volume, 2008 to 2013
Chart labels: Governance, Risk and Compliance (GRC) Data; 20% GRC Data (2008); 30% GRC Data (2013); 5 times growth in data volume.
Source: Consolidation Of Analyst Forecasts
MISSION-CRITICAL POLICY ISSUES
Real Time Regulator Reporting
The European landscape is being re-organised
with new financial market regulators under the
central bank and treasury.
For example, the German Bundesbank
with the new Federal Financial Supervisory
Authority (BaFIN), or Bank of England with
the new Prudential Regulation Authority
(PRA) and Consumer Protection and
Markets Authority (CPMA) and at EU level
the new European Securities and Markets
Authority (ESMA).
Trading: Securities, derivatives, futures,
hedge fund, dealer, broker, currency.
Lending: Mortgage, building societies,
finance, credit unions.
Banking: Retail, wholesale, investment,
capital markets.
Societies: Mutual societies,
friendly societies.
Insurance: Pensions, life, casualty, marine,
home, property, auto, Lloyds.
Consulting: Financial adviser, authorised
professional firm.
A lack of real time reporting
across markets has been
detrimental to surveillance
related to illegal activities.
Source: SEC 17CFR Part 242:
Consolidated Audit Trail
The Dodd Frank Act in the USA has
motivated the Securities and Exchange
Commission (SEC) to highlight the
increasingly close relationship between
efficient risk management and the
regulators' requirements for vetting by
using real time electronic audit trails.
There is a similar trend with European
regulators which is further complicated from
a data centre perspective, by business
performance issues such as the growth in
high frequency or automated trading globally
around the clock.
SEC 17CFR Part 242:
Consolidated Audit Trail
The US markets have reacted to this
SEC leadership initiative for direct,
electronic real time access to
consolidated and more detailed order
and execution information across all
markets. These commentators from the
financial markets are highlighting the
data challenges:
Recommend a single standard for real
time electronic trade and audit trail
reporting, which would be applicable to
all equity securities traded in the national
market regardless of where listed or
traded, and where data would be
captured in a central depository,
aggregated and made immediately
available to each relevant market centre.
Effective surveillances relating to insider
trading, market manipulation and stock
or options frontrunning in multiple markets
can be hindered because away-market
data such as order information, position
limit reports and large option position
reports are not available electronically on
a real time or near real time basis to the
self-regulating organisation.
The growth in these new regulator
assessment and reporting requirements
is fuelling demand for more sophisticated
business intelligence so that risk and
compliance policy owners are more able
to draw insight from applications and data
sources to support decision making and
deliver more robust data governance.
As the new regulatory environment is not yet
fully operational in many European countries,
a financial service data centre will have to
move into a GRC-ready mode that is flexible,
secure, available and scalable. GRC-reactive
is not an option.
Brocade GRC-Ready means for network,
server platforms, virtualisation and storage,
that the rigid physical connections between
applications and data are being replaced
with more flexible Brocade virtual
relationships and shared resource pools.
Enhanced data mobility, protection, and
security are now essential to preserving data
governance, data integrity and fulfilling
regulatory requirements.
The successful and sustained management
of GRC policy risks will influence the financial
institution's share price, customer loyalty,
competitive advantage and cashflow, with
further potential to influence reputational risk
as was clearly demonstrated during the
recent financial crisis.
Similarly, today a regulator's onsite
assessment will set the risk level for
a financial organisation and so determine
the frequency of future reviews which are
a major drain on management and resources.
Extended Regulatory Coverage
The regulatory net is widening with the
European Commission agreement on
the foundation for regulating hedge funds,
private equity and alternative investment
funds under the EU Alternative Investment
Fund Managers Directive (AIFM), which
will be implemented by member states
during 2013.
The new rules aim to increase transparency
among hedge funds, private equity and
alternative investment funds to assist
regulators in identifying and responding
to potentially systemic risk.
An estimate of the cost for the
new EU AIFM Directive suggests
between 1.3-1.9bn in regulated
firm compliance costs for the
first year and up to 985m every
year thereafter, with IT
infrastructure costs a significant
component.
For financial firms covered by this new
EU ruling, this is an immediate opportunity
for the data centre to become GRC-Ready
rather than just react to this individual
demand, which would become progressively
more costly and make the future uncertain
from a risk and reporting perspective as new
requirements or further regulatory
enhancements are approved.
A key aspect of the Brocade VCS technology
is to enable financial organisations such as
hedge funds or private equity firms moving
into more widespread GRC policy execution,
to execute Information Lifecycle Management
in a GRC-Ready framework as the means
to continuously monitor, assess, report and
improve governance.
Integrated Risk Management
Best practice for GRC policy, supported
by auditors, is increasingly based upon
an integrated approach rather than a
fragmented or silo based model.
Integrated risk policy framework originated
in the US market with COSO Enterprise
Risk Management (ERM) and is now being
applied by financial institutions in Europe
using the new international standard
framework provided by ISO 31000
Enterprise Risk Management System.
Best practice risk management
policy based upon standard
frameworks is subject to
continuous improvement through
monitoring, assessment,
reporting and enhancement
which usually means more
capacity and responsiveness is
required by the data centre.
Today, internal audit reports may be quickly
outdated, insufficiently focused and too
reactive to guide immediate decision-making
in the faster changing global financial market.
Consequently data needs to be derived
directly and rapidly from the Storage Area
Network (SAN), through a highly virtualised
Ethernet, Fibre Channel or Fibre Channel
over Ethernet (FCoE) environment, converted
dynamically into Key Risk Indicator (KRI)
measurements showing policy decision
makers the potential impact and required
actions in an appropriately timely manner.
Figure 2. Integrated Risk Management Policy
Diagram labels: Integrated Risk Policy Management; GRC Policy Lifecycle; Practice, Procedure and Reporting; IT Processes and Controls; Integrated Data Centre Solution; Infrastructure; Network; Content; Processes.
Source: IDL GRC Analyst
Enhanced Basel III and EU MiFID2
Regulation
Regulatory enhancements drafted for
a capital adequacy increase in Basel III
and transparency for EU Markets in
Financial Instruments Directive 2 (MiFID2)
are examples of the new environment where
regulators build upon existing rules and
demand significant additions to risk
management and compliance policy.
This immediately adds to the mission-critical
data burden for the data centre by requiring
new information streams for monitoring,
analysis, reporting and archiving.
Basel III Enhancements
A leverage ratio
Quantitative liquidity ratios
Limits for counter-party and credit risks
More precise definitions of common equity limits
Framework for counter cyclical capital buffers
EU MiFID2 Enhancements
Changes to retail investment advice
Transparency requirements extended
New rules for over-the-counter derivatives
Managing conflicts of interest and transparency
Increased transaction reporting requirements
New European Commission powers to ban products or impose position limits
The regulators recognise that the data
centre will play a significant role, showing
how dependent risk policy has become
upon immediate electronic data availability.
For example, part of the EU MiFID2
enhancement includes the requirement for
electronic trading systems to introduce
a new concept of organised trading facility
and regulation of crossing systems.
Similarly Basel III capital adequacy rules are
stress tested on the raised limits, for
example, on a Tier #1 capital threshold at
7%, which requires the data centre to
provide information that will allow continuous
monitoring of changing conditions or execute
what-if scenarios in addition to managing
day-to-day operations.
In addition to data availability for risk
management, Basel III and EU MiFID2 have
storage requirements for risk legacy data
for up to five years, so integrating the
Brocade SAN with Brocade VCS technology
supports the mandatory archive demand.
New OECD Anti-Corruption Policy
The OECD Anti-Bribery Convention is
being translated into European national law
during 2011 and financial corporations are
implementing new anti-corruption policy
practices and procedures which need to
be supported by data centre processes
and controls.
This is particularly sensitive for financial
corporations that are acquisitive as past
experience indicates that evidence of
corruption is not identified until after the
takeover, incurring cost and loss of reputation.
Anti-corruption policy
implementation is said to be
the largest single work item for
financial corporate General
Counsel and legal departments
in 2011.
The challenge is to establish an anti-corruption
policy and robust monitoring system which will
draw more detailed data from financial
corporate processes that have not previously
had this degree of attention starting with
new bribery risk indicators in conjunction with
a monitoring and reporting system. This is
further evidence of the dramatic growth in
GRC-related data being generated in support
of the new policy wave.
Climate Change and Energy Management
Financial service data centres are a major
consumer of power and emitter of CO2.
Measurements have shown that the
combination of servers, storage and
ventilation systems can consume as much
as 30% of the total power requirement for
the financial institution (see Figure 3).
There are EU regulatory drivers in Climate
Change laws applied particularly to data
centres, and it makes sense that as part of
becoming GRC-ready, the data centre
substantially reduces the energy bill.
Brocade VCS technology provides benefits that
reduce both regulatory risk and energy cost.
EU Solvency II Progresses
EU regulators are now requiring insurers
to demonstrate ahead of the 2012 deadline
that the EU Solvency II Directive for
enhanced risk management and capital
adequacy is being implemented using the
Internal Model Approval Process (IMAP)
outcomes.
However, for most insurers this has been
a difficult process as the broader aspects of
risk management under Solvency II were not
formalised as policies or the integration of
policy with data centre information access
has been complex revealing underlying
issues with data quality or availability.
The experience for insurers is similar to that
of hedge funds and private equity firms with
the EU AIFM regulation which has
demanded a significant step forward for risk
policy with immediate access to the relevant
control and reporting data.
As with Basel III, there is stress testing for
capital adequacy and, simultaneously,
the insurance industry is completing
productivity improvements using, for example,
Electronic Claim Files (ECF) as the means
to significantly improve efficiency and reduce
risk over paper-based systems.
Clearly, the combined impact of Solvency II
with claims process productivity will mean
a new strategy for the data centre to get
ahead rather than be reactive, which will be
costly and raise risk.
Figure 3. Data Centre Power Consumption
Diagram labels: Electricity Supply; Standby Generator; Power Boards; Distribution; Lighting; Heating and Ventilation; Power Supply; Servers; Storage; Network; 40% Total Energy Used.
Source: IDL Analyst
A Brocade VCS technology GRC-Ready
environment has an integrated approach
that will deliver benefits in risk management
responsiveness and lower operating cost.
Integration and consolidation are key
elements within a GRC policy: it has been
suggested that data centres addressing
individual regulatory demands will spend
up to 10 times more on the IT solution than
those that take a more integrated approach.
| Data Centre GRC Issue | Fragmented Classic Ethernet Static-Process Data Centre Architecture | Brocade VCS Technology: An Integrated, Consolidated and Virtualised GRC-Ready Data Centre |
| --- | --- | --- |
| Risk Management | | |
| Data Security | Complex to manage and unreliable | Data Centre Backbone continuous data protection and data encryption |
| Data Governance | Not feasible economically | Tiered storage for information lifecycle management and business policy alignment |
| Business Continuity | High risk | Fewer elements reduces continuity risk; virtualisation for higher resiliency |
| Prioritised Response | Rigid physical connections for server platforms and storage | Flexible virtual server and storage relationships with shared resource pools |
| Run Complex Algorithms | Time consuming | Prioritisation for Quality of Service delivery using adaptive networking |
| Adaptive To New Demands | Inflexible | Virtual machine mobility to optimise resources and respond to change |
| Operating Cost | | |
| Asset Leverage | Restricted | Maximised inter-operation between new and existing data centre assets |
| Consolidation | Not consolidated; replacing switches with large, multi-port, centralised directors | Consolidated using blade server and storage virtualisation plus optimised performance and availability of upper layer business applications and related data. |
| Storage Capacity | Proportional to server and storage footprint | Disproportionate to footprint; virtualised server and storage raises efficiency and capacity yet reduces footprint |
| Space Elimination | Not feasible | Fully optimised data centre space |
| Reduced Energy Cost | Unavailable or restricted | Fully enabled server, storage virtualisation reduces power consumed by 50% or more |

Source: IDL Analyst
BUSINESS CASE
Taking the combination of regulatory
demands in financial services together it
becomes clear that the data centre strategy
for maintaining a sustainable cost effective
response needs review.
A core competence of Brocade VCS
technology is the efficient operation of
mission-critical, data-intensive business
processes where the business case is
based upon Brocade enabling data centre
management to become ready for new
GRC policy challenges, within a constantly
changing virtualised environment, by
being adaptive rather than simply reactive
to each demand.
BROCADE VCS TECHNOLOGY
DEPLOYMENT SCENARIOS FOR
FINANCIAL SERVICES
Brocade VCS Technology Deployment
Scenario 1
1/10 Gbps Top-of-Rack Access ready
for VCS Technology
VCS technology can be deployed today in
the same way as ToR switches, providing
key advantages while preserving the existing
architecture. This deployment scenario
is ideal for customers who would like to
ease into utilising VCS technology.
The approach outlined in scenario 1
preserves the existing architecture and
leverages the existing core/aggregation
infrastructure, while retaining the ability to
co-exist with existing ToR switches.
The configuration supports 1 and 10 Gbps
server connectivity, provides active-active
network function by splitting the load across
connections through self healing that results
in no single point of failure.
This deployment scenario provides
high-density access with flexible subscription
ratios supporting up to 36 servers per rack
with 4:1 subscription.
Brocade VCS Technology Deployment
Scenario 2
10 Gbps Top-of-Rack Access For Blade
Servers Ready For VCS Technology
This deployment scenario is similar to Scenario
1 but for blade servers, where the blade
modules can be set to switch or pass-through.
This deployment within a blade server
environment provides low-cost, first stage
aggregation for high density blade servers
without stress on existing aggregation while
reducing cabling out of rack.
This blade server deployment scenario
provides high-density access with flexible
subscription ratios supporting up to 4 blade
servers per rack with 2:1 subscription.
Figure 4. Brocade VCS Technology Deployment 1
Diagram layers: Core (MLX with MCT or other core, WAN); Aggregation; Access (existing 1 Gbps access switches); Servers (1 Gbps, 1/10 Gbps and 10 Gbps servers).
Figure 5. Brocade VCS Technology Deployment 2
Diagram layers: Core (MLX with MCT or other core, WAN); Aggregation; Access (existing ToR switches); Servers (blade servers with 1 Gbps switches; blade servers with 10 Gbps switches / pass through modules).
Other labels in Figures 4 and 5: LAG; VCS Technology; 2-switch VCS Technology at ToR.
Brocade VCS Technology Deployment
Scenario 3
1/10 Gbps Access: Collapsed Network
As the Ethernet fabrics scale, the networks can
flatten, since fabrics are self-aggregating. In this
deployment scenario, VCS technology is used
in the Data Centre LAN and separate fibre
channel connections are made to the SAN.
The collapsed network approach provides
a flatter, logical, more simplified two-tier
network design with Ethernet fabrics at the
edge. This deployment will offer greater
layer 2 scalability/flexibility and an increased
sphere of virtual machine mobility leading
to seamless network expansion as the
requirements grow.
In this optimised multi-path network,
Spanning Tree Protocol (STP) is not needed,
as all paths are active which results in an
architecture with no single point of failure.
Brocade VCS Technology Deployment
Scenario 4
1/10 Gbps Access; Collapsed Network
(Clos Fabric)
This final deployment scenario shows two
ways the fabric can be configured using a
Clos Fabric architecture. In this design,
there are switches used to create the fabric
that will not have edge ports, but the fabric
is still managed as one logical chassis,
flattening the network and resulting in a
simplified design and maximum
performance/availability.
By scaling out the VCS technology edge
fabric a flat, self aggregating network will
result that, through the Clos Fabric Topology,
allows for flexible subscription ratios.
Each VDX™ product managed as a single
logical chassis leads to a drastic reduction
in management whilst at the same time,
Data Centre Bridging (DCB) and equal cost
path capabilities for multi-hop Fibre Channel
Over Ethernet (FCoE) and enhanced Internet
Small Computer System Interface (iSCSI)
will enable a smoother path to network
convergence.
Figure 6. Brocade VCS Technology Deployment 3
Figure 7. Brocade VCS Technology Deployment 4
Labels in Figures 6 and 7: WAN; Core (MLX with MCT or other core); Edge; VCS Technology Edge Fabrics; Logical Chassis; Servers (1/10 Gbps servers; 10 Gbps servers; servers with 1 Gbps, 10 Gbps, and DCB connectivity); 1 GbE; 10 GbE; 10 GbE DCB; LAG; vLAG; L3 ECMP; SAN; Fibre Channel Connections to SAN; 48 Ports Available for FC SAN Connectivity or VCS Technology Expansion; 6:1 Subscription Ratio to Core; 6 Links per Trunk (24 total); Up to 36 Servers per Rack; 4 Racks per VCS Technology; 12 ports, 48 ports per switch; 12 ports, 36 ports per switch; 10 Switch Fabric; 312 Usable Ports.
Figure 8. Brocade VCS Technology
Diagram labels: Consolidation; Policy-based Automation; Brocade VCS Technology; Connectivity; Application Services; Optimised Server Virtualisation; Storage; Server.
Source: Brocade Optimised Data Centre Consolidation with Server Virtualisation and Brocade VCS Technology
BROCADE VCS TECHNOLOGY FOR
FINANCIAL SERVICES
The strategic goal of Brocade VCS
technology is a data-centric and application
aware infrastructure that helps ensure the
entire matrix of data centre servers, network
fabric, and storage leverages advanced
technologies to optimise transactions and
safeguard application content including
critical GRC-data.
This Brocade VCS technology data centre
environment may be defined as GRC-Ready.
Advanced application
services on Brocade VCS
technology will help ensure that
applications and data receive
the highest level of resiliency,
security and data protection.
The previous generation classic Ethernet
data centre model of static IT processes
and slow incremental growth has been
displaced by a new GRC-Ready Brocade
VCS technology strategy that demands rapid
response to changing needs and the ability
to quickly accommodate growth of new
applications and data.
To minimise disruption as part of GRC
policy and cost, the Brocade VCS technology
is designed to operate with existing storage
and network fabric assets, while providing
enhanced services where needed.
To simplify administration, these advanced
services can be automated via policy-based
rules aligned with upper-layer application
requirements. Through the Brocade One™
strategy, the rest of the Brocade portfolio
integrates with existing Brocade fabrics and
extends their value by providing:
Secure Computing
Unmatched Simplicity
Investment Protection
Non-Stop Networking
Application Optimisation
For server platforms and storage,
rigid physical connections between
applications and data are being replaced
with more flexible virtual relationships and
shared resource pools. Enhanced data
mobility, protection, and security are now
key to preserving data integrity and
fulfilling regulatory requirements.
By combining enhanced connectivity with
advanced storage and application-aware
services, the Brocade VCS technology
is centrally positioned to coordinate new
capabilities in both server and storage
platforms and thus to maximise data centre
productivity.
NEXT STEPS
Brocade Financial Services
Expert Briefing
Brocade subject matter expertise is
available as a free briefing directly,
or in conjunction with an approved
consulting and systems integration firm,
to enable risk, compliance, audit and IT
executives in financial services to align
business and governance policy objectives
to a more dynamic, secure and available
data centre.
© 2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM,
DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered
trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCX and
VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other
brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied,
concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the
right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This
informational document describes features that may not be currently available. Contact a Brocade sales office for
information on feature and product availability. Export of technical data contained in this document may require an
export license from the United States government.
Brocade Communications Systems Inc does not have the skills to create risk management and compliance policy and
therefore will not take any responsibility for making an organisation compliant or risk averse. This is the responsibility of
the organisation's risk, compliance officers and board of directors working with expert advisers.
Corporate Headquarters
San Jose, CA USA
T: +1-408-333-8000
European Headquarters
Geneva, Switzerland
T: +41-22-799-56-40
Asia Pacific Headquarters
Singapore
T: +65-6538-4700