As adoption of cloud computing becomes more prevalent in the financial services industry, the topic of concentration risk has consistently been a source of interest and, candidly some confusion, in discussions with regulators and customers concerning outsourcing, including use of cloud services. Due to a lack of clarity on these issues, financial institutions may conclude that a risk averse posture dictates a multi-cloud strategy must be adopted. No regulatory guidance mandates a multi-cloud strategy. Rather, as with all forms of outsourcing, concentration risk is one of many risks that must be assessed, and customers must develop governance and have assurance plans in place to mitigate and manage such risks when using cloud services.
Risk and procurement officers at financial institutions need to respond to regulation and ensure their decisions are optimized against meaningful risk without holding their individual institution back from the opportunity these technologies offer. This paper provides information on steps to assess and mitigate against relevant classifications of risk and, at the same time, implement approaches without the need to adopt a multi-sourcing strategy, which has its own risks and drawbacks.