
 
 

Helping a global bank navigate cloud concentration risk

 

25+ cloud controls reviewed across five operational risk areas, helping the client build resilience across multiple cloud environments

5 cloud governance risk areas assessed, with insights provided to strengthen security and compliance

 
 

At a glance

 

Client: Global financial services firm

Industry: Banking

Our role: Review cloud concentration risks and controls

Our solution: Right-size audit planning for cloud risk

 
 
 

Bringing clarity to cloud concentration risks

 

Scenario

A global bank wanted to understand its cloud concentration risks to reduce dependence on a single provider, better manage disruptions and increase resiliency.


Approach

We reviewed key controls across various cloud operations and governance risk areas, providing insights on overall governance and third-party risk management.


Result

The bank gained insights on critical cloud risks and practical takeaways to guide audit planning, strengthen governance and inform its cloud risk strategy.

 
 

Scenario

 
 

A financial services leader reassesses cloud risk

 

This leading global bank had a robust multi-cloud strategy, but after recent wide-scale outages and their impact on customers, it wanted to better understand and mitigate the evolving cloud concentration risks to its business-critical applications.

 

“While the bank already had strong foundational components of its risk and compliance functions, it needed a better understanding of which cloud concentration risks were most relevant and guidance on right-sizing its audit plan for improved cloud resiliency,” said Alex Hinkebein, Grant Thornton Internal Audit & SOX Senior Manager.

 

The bank’s cloud-reliant teams — including cloud foundational services, cloud platform enablement and image-as-a-service product teams — needed guidance to assess their unique concentration risks and evaluate controls and governance processes within the bank’s broader cybersecurity and technology controls function.

 
 

Approach

 
 

Key risks and controls evaluated

 

Drawing on experience from other audit projects and deep knowledge of technology considerations shaping cloud strategies, Grant Thornton’s Risk Advisory team worked closely with the bank to address risks across audits related to cloud concentration.

 

“When we first began working with the bank, our discussions initially focused on privileged access management but quickly expanded from there. By establishing regular monthly connects to share industry trends and insights — not just project updates — we built a trusted partnership that consistently surfaced new areas to address across the organization’s cloud risk and control needs.”

Vishal Tandon 

Director, Cyber & Privacy Services
Grant Thornton Advisors LLC

 

The Grant Thornton team tested and reviewed 25+ controls across five cloud operational risk areas in the bank’s existing cloud environments, including:

  • Cloud runtime, storage and serverless environments
  • Foundational services and security services
  • Image-as-a-service and capability analytics management
  • Cloud database services

The team also assessed multiple controls across five cloud governance risk areas, providing evaluation and validation of:

  • Alignment of cloud service-related guardrails with global technology standards
  • Enforcement of least-privilege principles to reduce the risk of unauthorized actions within the cloud environment
  • Proper boundary configurations and access controls
  • Compliance with firmwide security and governance policies

In addition, Grant Thornton highlighted current and pending regulations to help the bank anticipate compliance requirements and suggested targeted audits, including Data Security Posture Management and Cloud Security Posture Management. The team also offered to help design an internal audit approach focused on key cloud areas such as Identity and Access Management principles, program governance data, and data and application security — all through the lens of managing cloud concentration risk.

 

 
 

Result

 
 

Insights strengthen cloud risk audit planning

 

The bank now has clear visibility into its cloud concentration risks and has practical insights to guide audit planning related to cloud resiliency.

 

“Throughout our engagements, internal audit leaders gained strategic insight into their unique cloud risks so they could ultimately make informed decisions about their audit planning and cloud risk strategy,” Hinkebein said.

 

Through the team’s control testing and insights, the bank gained clarity on how to improve oversight of cloud controls and how to prioritize decisions around audit planning. The team also made recommendations for managing concentration risk, including the importance of monitoring service performance, diversifying cloud vendors and strengthening contract terms with select vendors.

 

“As the bank continues to address evolving opportunities and risks around quantum computing and AI integrations, technology and internal audit leaders have recognized that robust and resilient controls in the bank’s cloud environment have become even more critical,” Hinkebein added.

 

While the bank continues to develop its cloud concentration risk strategy, the engagement laid the groundwork for informed decision‑making and more consistent oversight across cloud environments, positioning the organization for stronger resilience as it evaluates its ongoing multi-cloud strategy.

 

 
 
 
 

Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.

 
