THOUGHT LEADERSHIP POINT OF VIEW

FINANCIAL SERVICES

Becoming Governance, Risk and Compliance Ready, Not Reactive

Trading Lending Banking Societies Insurance Consulting

CONTENTS
Introduction Mission-Critical Policy Issues Business Case Brocade Deployment Scenarios Brocade Financial Services Solution Set Next Steps Page 3 Page 4 Page 8 Page 9 Page 11 Page 11

INTRODUCTION
The mission-critical, data-intensive regulatory burden for financial services is increasing dramatically, faster than growth in the overall data universe. By enabling financial services to proactively cut the cost and risk of efficiently responding to the regulatory flood, Brocade makes a significant contribution to regulatory risk management efficiency, reputation and operating cost reduction.

This trend is stimulating demand for more financial service sector applications to deliver real time risk assessments, reporting and audit trails, particularly as the industry extends the number of risk policies to be managed. Simultaneously, regulators are demanding more immediate data so the financial institutions reputation is continuously at stake. It is no longer possible for the data centre to simply react. Then of course the institution must deal with the business-as-usual data driven requirements for lower operating cost, improving customer relationship, increasing online trading, 24x7 continuity and preparing for yet more mergers or acquisitions due to market, competitive or regulatory changes.

Brocade GRC-Ready Data Centre Architecture

Brocade has anticipated this challenge using Brocade Virtual Cluster Switching (VCSTM) technology as the adaptive foundation for a financial services data centre infrastructure becoming GRC-Ready rather than GRC-Reactive. The capacity and response level is planned by Brocade experts in line with the customer forecast, and consequently the significant costs and risks of being GRC-Reactive are eliminated. This Brocade Thought Leadership paper is designed to present an experienced financial services perspective in applying adaptive data centre infrastructure technology to deal with the new GRC and operational challenges being faced by policy owners in financial services including:

Mission-Critical Data Growth

Estimates indicate that overall data volume will grow to about five times the 2008 level by 2013 and the proportion that is governance, risk or compliance (GRC) sensitive will grow faster to take more than 30% of the overall 2013 data volume from about 20% in 2008. Financial services, however, expect that the GRC data volume will be significantly greater as a proportion of the whole, due to the disproportionate national and international demand for tighter regulation across the industry, and the emergence of real time audit trails required by regulators.

Significant Pressure On The Data Centre

In the past there has been distance between the data centre and the business demand for improvements to managing GRC, but no more. Today, the business owners of GRC policy are much closer, and dependent upon, the data centre to deliver data on demand. With the growth in, for example, high frequency trading systems which now have to be real time audited, closer integration between regulatory policy and execution becomes a mission-critical challenge for the data centre to resolve.

External Auditor General Counsel Chief Risk Officer Compliance Officer Head of Internal Audit Chief Operating Officer Chief Information Officer Network Management Executive

Figure 1. Growth Of GRC Data Volume 5 times growth

30% GRC Data Data Volume Growth Governance, Risk and Compliance (GRC) Data

20% GRC Data 2008 2009 2010 2011 2012 2013

Source: Consolidation Of Analyst Forecasts

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE

MISSION-CRITICAL POLICY ISSUES

Real Time Regulator Reporting
The European landscape is being re-organised with new financial market regulators under the central bank and treasury. For example, the German Bundesbank with the new Federal Financial Supervisory Authority (BaFIN), or Bank of England with the new Prudential Regulation Authority (PRA) and Consumer Protection and Markets Authority (CPMA) and at EU level the new European Securities and Markets Authority (ESMA). Trading: Securities, derivatives, futures, hedge fund, dealer, broker, currency. Lending: Mortgage, building societies, finance, credit unions. Banking: Retail, wholesale, investment, capital markets. Societies: Mutual societies, friendly societies Insurance: Pensions, life, casualty, marine, home, property, auto, Lloyds. Consulting: Financial adviser, authorised professional firm.

SEC 17CFR Part 242: Consolidated Audit Trail

The US markets have reacted to this SEC leadership initiative for direct, electronic real time access to consolidated and more detailed order and execution information across all markets. These commentators from the financial markets are highlighting the data challenges Recommend a single standard for real time electronic trade and audit trail reporting, which would be applicable to all equity securities traded in the national market regardless of where listed or traded, and where data would be captured in a central depository, aggregated and made immediately available to each relevant market centre. Effective surveillances relating to insider trading, market manipulation and stock or options frontrunning in multiple markets can be hindered because away-market data such as order information, position limit reports and large option position reports are not available electronically on a real time or near real time basis to the self-regulating organisation.

A lack of real time reporting across markets has been detrimental to surveillance related to illegal activities.
Source: SEC 17CFR Part 242: Consolidated Audit Trail

The Dodd Frank Act in the USA has motivated the Securities and Exchange Commission (SEC) to highlight the increasingly close relationship between efficient risk management and the regulators requirements for vetting by using real time electronic audit trails. There is a similar trend with European regulators which is further complicated from a data centre perspective, by business performance issues such the growth in high frequency or automated trading globally around the clock.

The growth in these new regulator assessment and reporting requirements is fuelling demand for more sophisticated business intelligence so that risk and compliance policy owners are more able to draw insight from applications and data sources to support decision making and deliver more robust data governance. As the new regulatory environment is not yet fully operational in many European countries, a financial service data centre will have to move into a GRC-ready mode that is flexible, secure, available and scalable. GRC-reactive is not an option.

Integrated Risk Management

Best practice for GRC policy, supported by auditors, is increasingly based upon an integrated approach rather than a fragmented or silo based model. Integrated risk policy framework originated in the US market with COSO Enterprise Risk Management (ERM) and is now being applied by financial institutions in Europe using the new international standard framework provided by ISO 31000 Enterprise Risk Management System.

Brocade GRC-Ready means for network, server platforms, virtualisation and storage, that the rigid physical connections between applications and data are being replaced with more flexible Brocade virtual relationships and shared resource pools. Enhanced data mobility, protection, and security are now essential to preserving data governance, data integrity and fulfilling regulatory requirements. The successful and sustained management of GRC policy risks will influence the financial institutions share price, customer loyalty, competitive advantage and cashflow, with further potential to influence reputational risk as was clearly demonstrated during the recent financial crisis. Similarly, today a regulators onsite assessment will set the risk level for a financial organisation and so determine the frequency of future reviews which are a major drain on management and resources.

An estimate of the cost for the new EU AIFM Directive suggests between 1.3-1.9bn in regulated firm compliance costs for the first year and up to 985m every year thereafter, with IT infrastructure costs a significant component.

Best practice risk management policy based upon standard frameworks is subject to continuous improvement through monitoring, assessment, reporting and enhancement which usually means more capacity and responsiveness is required by the data centre.

For financial firms covered by this new EU ruling, this is an immediate opportunity for the data centre to become GRC-Ready rather than just react to this individual demand, which would become progressively more costly and make the future uncertain from a risk and reporting perspective as new requirements or further regulatory enhancements are approved. A key aspect of the Brocade VCS technology is to enable financial organisations such as hedge funds or private equity firms moving into more widespread GRC policy execution, to execute Information Lifecycle Management in a GRC-Ready framework as the means to continuously monitor, assess, report and improve governance.

Extended Regulatory Coverage

Today, internal audit reports may be quickly outdated, insufficiently focused and too reactive to guide immediate decision-making in the faster changing global financial market. Consequently data needs to be derived directly and rapidly from the Storage Area Network (SAN), through a highly virtualised Ethernet, Fibre Channel or Fibre Channel over Ethernet (FCoE) environment, converted dynamically into Key Risk Indicator (KRI) measurements showing policy decision makers the potential impact and required actions in an appropriately timely manner. Figure 2. Integrated Risk Management Policy The regulatory net is widening with the European Commission agreement on the foundation for regulating hedge funds, private equity and alternative investment funds under the EU Alternative Investment Fund Managers Directive (AIFM), which will be implemented by member states during 2013. The new rules aim to increase transparency among hedge funds, private equity and alternative investment funds to assist regulators in identifying and responding to potentially systemic risk.

Integrated Risk Policy Management Content Processes Infrastructure Network Integrated Data Centre Solution GRC Policy Lifecycle Practice, Procedure and Reporting IT Processes and Controls

Source: IDL GRC Analyst

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE

Enhanced Basel III and EU MiFID2 Regulation

Regulatory enhancements drafted for a capital adequacy increase in Basel III and transparency for EU Markets in Financial Instruments Directive 2 (MiFID2) are examples of the new environment where regulators build upon existing rules and demand significant additions to risk management and compliance policy. This immediately adds to the mission-critical data burden for the data centre by requiring new information streams for monitoring, analysis, reporting and archiving. Basel III Enhancements A leverage ratio Quantitative liquidity ratios Limits for counter-party and credit risks More precise definitions of common equity limits Framework for counter cyclical capital buffers EU MiFID2 Enhancements Changes to retail investment advice Transparency requirements extended New rules for over-the-counter derivatives Managing conflicts of interest and transparency Increased transaction reporting requirements New European Commission powers to ban products or impose position limits

The regulators recognise that the data centre will play a significant role, showing how dependent risk policy has become upon immediate electronic data availability. For example, part of the EU MiFID2 enhancement includes the requirement for electronic trading systems to introduce a new concept of organised trading facility and regulation of crossing systems. Similarly Basel III capital adequacy rules are stress tested on the raised limits, for example, on a Tier #1 capital threshold at 7%, which requires the data centre to provide information that will allow continuous monitoring of changing conditions or execute what-if scenarios in addition to managing day-to-day operations. In addition to data availability for risk management, Basel III and EU MiFID2 have storage requirements for risk legacy data for up to five years, so integrating the Brocade SAN with Brocade VCS technology supports the mandatory archive demand.

EU Solvency II Progresses
EU regulators are now requiring insurers to demonstrate ahead of the 2012 deadline that the EU Solvency II Directive for enhanced risk management and capital adequacy is being implemented using the Internal Model Approval Process (IMAP) outcomes. However, for most insurers this has been a difficult process as the broader aspects of risk management under Solvency II were not formalised as policies or the integration of policy with data centre information access has been complex revealing underlying issues with data quality or availability. The experience for insurers is similar to that of hedge funds and private equity firms with the EU AIFM regulation which has demanded a significant step forward for risk policy with immediate access to the relevant control and reporting data. As with Basel III, there is stress testing for capital adequacy and, simultaneously, the insurance industry is completing productivity improvements using, for example, Electronic Claim Files (ECF) as the means to significantly improve efficiency and reduce risk over paper-based systems. Clearly, the combined impact of Solvency II with claims process productivity will mean a new strategy for the data centre to get ahead rather than be reactive, which will be costly and raise risk.

New OECD Anti-Corruption Policy

The OECD Anti-Bribery Convention is being translated into European national law during 2011 and financial corporations are implementing new anti-corruption policy practices and procedures which need to be supported by data centre processes and controls. This is particularly sensitive for financial corporations that are acquisitive as past experience indicates that evidence of corruption is not identified until after the takeover incurring cost and loss of reputation.

Climate Change and Energy Management

Financial service data centres are a major consumer of power and emitter of CO 2. Measurements have shown that the combination of servers, storage and ventilation systems can consume as much as 30% of the total power requirement for the financial institution (see Figure 3). There are EU regulatory drivers in Climate Change laws applied particularly to data centres, and it makes sense that as part of becoming GRC-ready, the data centre substantially reduces the energy bill. Brocade VCS technology provides benefits that reduce both regulatory risk and energy cost.

Anti-corruption policy implementation is said to be the largest single work item for financial corporate General Counsel and legal departments in 2011.

The challenge is to establish an anti-corruption policy and robust monitoring system which will draw more detailed data from financial corporate processes that have not previously had this degree of attention starting with new bribery risk indicators in conjunction with a monitoring and reporting system. This is further evidence of the dramatic growth in GRC-related data being generated in support of the new policy wave. Figure 3. Data Centre Power Consumption

Standby Generator Lighting <5% Total Energy Used

Heating and Ventilation

30-40% Total Energy Used

Power Boards

Power Supply DISTRIBUTION

10-15% Total Energy Used

Servers Storage Network >40% Total Energy Used

Electricity Supply

Source: IDL Analyst

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE

BUSINESS CASE
Taking the combination of regulatory demands in financial services together it becomes clear that the data centre strategy for maintaining a sustainable cost effective response needs review. A core competence of Brocade VCS technology is the efficient operation of mission-critical, data-intensive business processes where the business case is based upon Brocade enabling data centre management to become ready for new GRC policy challenges, within a constantly changing virtualised environment, by being adaptive rather than simply reactive to each demand.

A Brocade VCS technology GRC-Ready environment has an integrated approach that will deliver benefits in risk management responsiveness and lower operating cost. Integration and consolidation are key elements within a GRC policy: it has been suggested that data centres addressing individual regulatory demands will spend upto 10 times more on the IT solution than those that take a more integrated approach.

Data Centre GRC Issue

Fragmented Classic Ethernet Static-Process Data Centre Architecture

Brocade VCS Technology: An Integrated, Consolidated and Virtualised GRC-Ready Data Centre

Risk Management Data Security Complex to manage and unreliable Data Centre Backbone continuous data protection and data encryption Tiered storage for information lifecycle management and business policy alignment Fewer elements reduces continuity risk; virtualisation for higher resiliency Flexible virtual server and storage relationships with shared resource pools Prioritisation for Quality of Service delivery using adaptive networking Virtual machine mobility to optimise resources and respond to change

Data Governance

Not feasible economically

Business Continuity

High risk

Prioritised Response

Rigid physical connections for server platforms and storage Time consuming

Run Complex Algorithms

Adaptive To New Demands

Inflexible

Operating Cost Asset Leverage Restricted Maximised inter-operation between new and existing data centre assets Consolidated using blade server and storage virtualisation plus optimised performance and availability of upper layer business applications and related data. Disproportionate to footprint; virtualised server and storage raises efficiency and capacity yet reduces footprint Fully optimised data centre space Fully enabled server, storage virtualisation reduces power

Consolidation

Not consolidated; replacing switches with large, multi-port, centralised directors

Storage Capacity

Proportional to server and storage footprint

Space Elimination Reduced Energy Cost

Not feasible Unavailable or restricted consumed by 50% or more

Source: IDL Analyst

BROCADE VCS TECHNOLOGY DEPLOYMENT SCENARIOS FOR FINANCIAL SERVICES

Brocade VCS Technology Deployment Scenario 1 1/10 Gbps Top-of-Rack Access ready for VCS Technology
VCS technology can be deployed today in the same way as ToR switches, providing key advantages while preserving the existing architecture. This deployment scenario is ideal for customers who would like to ease into utilising VCS technology. The approach outlined in scenario 1 preserves existing architecture while leveraging existing core/aggregation infrastructure while having the ability to co-exist with existing ToR switches. The configuration supports 1 and 10 Gbps server connectivity, provides active-active network function by splitting the load across connections through self healing that results in no single point of failure. This deployment scenario provides high-density access with flexible subscription ratios supporting up to 36 servers per rack with 4:1 subscription.

Figure 4. Brocade VCS Technology Deployment 1

WAN

Aggregation

Core

MLX with MCT or other core

Existing 1 Gbps Access Switches

Access

LAG

VCS Technology

Servers

1 Gbps Servers

1/10 Gbps Servers

10 Gbps Servers

Brocade VCS Technology Deployment Scenario 2 10 Gbps Top-of-Rack Access For Blade Servers Ready For VCS Technology
This deployment scenario is similar to Scenario 1 but for blade servers, where the blade modules can be set switch or pass through. This deployment within a blade server environment provides low-cost, first stage aggregation for high density blade servers without stress on existing aggregation while reducing cabling out of rack. This blade server deployment scenario provides high-density access with flexible subscription ratios supporting up to 4 blade servers per rack with 2:1 subscription.

Figure 5. Brocade VCS Technology Deployment 2

WAN

Aggregation

Core

MLX with MCT or other core

Access

Existing ToR Switches

LAG

VCS Technology
2-switch VCS Technology at ToR

Servers

Blade Servers with 1 Gbps Switches

Blade Servers with 10 Gbps Switches / Pass through Modules

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE

Brocade VCS Technology Deployment Scenario 3 1/10 Gbps Access: Collapsed Network
As the Ethernet fabrics scale, the networks can flatten, since fabrics are self-aggregating. In this deployment scenario, VCS technology is used in the Data Centre LAN and separate fibre channel connections are made to the SAN. The collapsed network approach provides a flatter, logical, more simplified two-tier network design with Ethernet fabrics at the edge. This deployment will offer greater layer 2 scalability/flexibility and an increased sphere of virtual machine mobility leading to seamless network expansion as the requirements grow. In this optimised multi-path network, Spanning Tree Protocol (STP) is not needed, as all paths are active which results in an architecture with no single point of failure.

Figure 6. Brocade VCS Technology Deployment 3

WAN
MLX with MCT or other core

Core

VCS Technology Edge Fabrics

LAG

Edge

SAN

Servers

Fibre Channel Connections to SAN

1/10 Gbps Servers

10 Gbps Servers

Brocade VCS Technology Deployment Scenario 4 1/10 Gbps Access; Collapsed Network (Clos Fabric)
This final deployment scenario shows two ways the fabric can be configured using a Clos Fabric architecture. In this design, there are switches used to create the fabric that will not have edge ports, but the fabric is still managed as one logical chassis, flattening the network and resulting in a simplified design and maximum performance/availability. By scaling out the VCS technology edge fabric a flat, self aggregating network will result that, through the Clos Fabric Topology, allows for flexible subscription ratios. Each VDXTM product managed as a single logical chassis leads to a drastic reduction in management whilst at the same time, Data Centre Bridging (DCB) and equal cost path capabilities for multi-hop Fibre Channel Over Ethernet (FCoE) and enhanced Internet Small Computer System Interface (iSCSI) will enable a smoother path to network convergence.

Figure 7. Brocade VCS Technology Deployment 4

1 GbE 10 GbE 10 GbE DCB Logical Chassis MLX with MCT or other core L3 ECMP

6 Links per Trunk (24 total)

10 Switch Fabric; 312 Usable Ports

48 Ports Available for FC SAN Connectivity or VCS Technology Expansion

12 ports 48 ports
per switch

6:1 Subscription Ratio to Core

vLAG
12 ports 36 ports
per switch

Up to 36 Servers per Rack; 4 Racks per VCS Technology

Servers with 1 Gbps, 10 Gbps, and DCB Connectivity

10

BROCADE VCS TECHNOLOGY FOR FINANCIAL SERVICES

The strategic goal of Brocade VCS technology is a data-centric and application aware infrastructure that helps ensure the entire matrix of data centre servers, network fabric, and storage leverages advanced technologies to optimise transactions and safeguard application content including critical GRC-data. This Brocade VCS technology data centre environment may be defined as GRC-Ready.

The previous generation classic Ethernet data centre model of static IT processes and slow incremental growth has been displaced by a new GRC-Ready Brocade VCS technology strategy that demands rapid response to changing needs and the ability to quickly accommodate growth of new applications and data. Figure 8. Brocade VCS Technology

To simplify administration, these advanced services can be automated via policy-based rules aligned with upper-layer application requirements. Through the Brocade One TM strategy, the rest of the Brocade portfolio integrates with existing Brocade fabrics and extends their value by providing:

Consolidation

Secure Computing Unmatched Simplicity Investment Protection Non-Stop Networking Application Optimisation
For server platforms and storage, rigid physical connections between applications and data are being replaced with more flexible virtual relationships and shared resource pools. Enhanced data mobility, protection, and security are now key to preserving data integrity and fulfilling regulatory requirements. By combining enhanced connectivity with advanced storage and application-aware services, the Brocade VCS technology is centrally positioned to coordinate new capabilities in both server and storage platforms and thus to maximise data centre productivity.

Advanced application services on Brocade VCS technology will help ensure that applications and data receive the highest level of resiliency, security and data protection.

Storage

Server

Brocade VCS Technology Connectivity Application Services Optimised Server Virtualisation

Policy-based Automation

Source: Brocade Optimised Data Centre Consolidation with Server Virtualisation and Brocade VCS Technology To minimise disruption as part of GRC policy and cost, the Brocade VCS technology is designed to operate with existing storage and network fabric assets, while providing enhanced services where needed.

NEXT STEPS
Brocade Financial Services Expert Briefing
Brocade subject matter expertise is available as a free briefing directly, or in conjunction with an approved consulting and systems integration firm, to enable risk, compliance, audit and IT executives in financial services to align business and governance policy objectives to a more dynamic, secure and available data centre.

11

BECOMING GOVERNANCE, RISK AND COMPLIANCE READY, NOT REACTIVE

Corporate Headquarters San Jose, CA USA T: +1-408-333-8000 info@brocade.com

European Headquarters Geneva, Switzerland T: +41-22-799-56-40 emea-info@brocade.com

Asia Pacific Headquarters Singapore T: +65-6538-4700 apac-info@brocade.com

2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCX and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. Brocade Communications Systems Inc does not have the skills to create risk management and compliance policy and therefore will not take any responsibility for making an organisation compliant or risk averse. This is the responsibility of the organisations risk, compliance officers and board of directors working with expert advisers.