
Recent high profile IT failures have focused regulatory and supervisory attention on the risks that technology change can pose to the operational resilience of the financial services sector. The volume, velocity and complexity of change are presenting a significant challenge to many financial institutions, and it is during change programmes that disruptions sometimes crystallise.

To supervisors, operational resilience is about reducing the risk of major disruptions occurring, but also (and perhaps even more so) an effective and timely recovery from a disruption. Driven by the increasing role that technology plays in providing modern financial services, supervisors in the UK and the EU have made it clear that they are pivoting their focus to ensure that firms are doing enough to make themselves more operationally resilient.   

Firms should use this supervisory shift as an opportunity to develop a strategic view of technology change management. This will not only help them meet emerging supervisory expectations, but also could support the development of a leaner, nimbler and more cost-effective organisation.

This blog explores how recent supervisory developments relate to a strategic view of IT systems management and what firms can do to decrease the likelihood of, and better their response to, disruptions in change projects.

Recent regulatory trends

In the past 12 months, legislators, regulators and supervisors have all highlighted their concerns around the way that some financial services firms are managing change to their information and communications technology (ICT) systems. 

  • The UK Parliament’s Treasury Committee launched an inquiry into IT failures in the financial services sector. Its goal is to understand the root causes of IT failures, and whether there are industry trends that could exacerbate risks in the future. 

  • The UK Financial Conduct Authority (FCA) has pointed to an inconsistency between firms’ generally positive self-evaluation of their change management preparedness, and the reality that change management was the leading root cause of IT disruptions reported to them between October 2017 and September 2018. The FCA is now planning further work to assess firms’ current approaches, the conclusions of which it will publish in a report, along with any additional actions.

  • The Bank of England, FCA and Prudential Regulation Authority (PRA) are jointly developing an operational resilience framework and have said that changes to legacy systems need to be managed carefully, as they present a heightened risk of operational disruption. The PRA and FCA further point out that failure to address obsolescent technology can weaken operational resilience. 

  • The European Banking Authority (EBA) has published draft guidelines on ICT and security risk management, which could be applicable from as early as 2020. In their current form, the guidelines would require firms to manage changes to their IT systems carefully, and have robust procedures in place in the event of disruptions. This echoes the UK’s 2018 Discussion Paper on the operational resilience framework. 

Firms need to be able to innovate, keep the complexity of their systems manageable, and update old ones. They must do this all while minimising the likelihood of failures, and minimising the disruption arising from those that do nevertheless happen. The regulatory developments set out above point to where building this resilience, including in change management, must start. 

A strategic view of change management 

There are clear links between good practice in IT systems management, operational resilience in technology change, and much of what regulators have recently highlighted.

The following five principles can form the basis for a strategic view of technology change management for financial services firms: 

  1. Early action: firms need to take a proactive stance towards IT change management. There may be short-term incentives to delay large IT programmes, but a firm that deals with its IT debt sooner rather than later can reap dividends. Complexity increases with time, and more complex systems are harder to operate and to rationalise, something the PRA and FCA have said can contribute to weaker operational resilience. 

  2. Investment-led: a strategic IT change management programme is, by definition, a large one. It must be supported by a commensurate budget, bring in key stakeholders from around the business, and be given an appropriate amount of time and resources. Boards need to be involved, given its strategic importance, and supervisors will want to see evidence of strong governance and senior management oversight.

  3. Capability and ‘muscle memory’: the pace of IT change is unlikely to slow as technological innovation continues. Rather than seeing each change as an individual event, firms should optimise capabilities to learn from previous changes, reduce planning and preparation windows, and minimise the risk of error through robust but flexible execution plans. These plans should be used in large, but also smaller and more regular change programmes, as the FCA and PRA have highlighted some disruptions have recently materialised in the latter.

  4. Unhappy-path planning: many IT change programmes can be characterised by happy path planning and optimism bias. Consideration from the outset of what might go wrong and planning for avoidance, mitigation and recovery should the worst happen are critical. The PRA and FCA have pointed towards including flexibility in timescales, in order to accommodate issues identified during independent testing, for example.

  5. Ongoing leading practice: firms need to link IT change programmes with good ongoing practices between projects. Having good procedures in place that map out and update the IT assets that underpin various business activities is a critical first step. This can reduce the risk of disruption when change programmes are launched. It will also help firms elevate the right stakeholders onto project teams and for those teams to understand a project’s risks better. The EBA has emphasised this as a key expectation. 

Change management: the value proposition 

By taking a strategic view along the lines set out above, firms can put themselves on the front foot rather than be prisoners of their IT systems, just as regulators are sending clear signals that they expect firms to manage them better, on an ongoing basis and in IT change programmes.

Taking a strategic view of IT change may be desirable, but it can often come at a high cost to firms in the short run. Nevertheless, there is a value proposition that technology leaders in firms can make to convince relevant stakeholders of the importance of doing things right. This value proposition is not entirely new, of course, but, in our view, it is being significantly enhanced in the financial services sector by the growing level of supervisory scrutiny and intervention in the area of operational resilience. 

Executives can build the value proposition on at least the following five points: 

  • Resilience and reputational defence: taking a cue from the EBA on mapping systems based on their criticality, and the UK supervisory focus on processes underpinning business services, firms that invest in robust systems mapping can reap benefits beyond meeting the supervisory challenge. Not only will it enable them to identify where failures will be most critical (and thus apply preventative measures more effectively), but it will also enable executives to gain quickly a comprehensive understanding of a disruption and react more promptly in a crisis. Recent incidents show that mishandling operational disruptions can lead to departures from senior management teams and that an ability to present accurate and timely information to all stakeholders (including internal ones, such as technology teams communicating to front-line staff) can be crucial to avoid losing customers or facing potentially very large redress costs. 

  • More cyber-secure systems: complex systems are often unpredictable and difficult to understand. This can create openings for malicious cyber adversaries to exploit. These ‘unknown unknowns’ - systems or interdependencies that are not fully understood - can significantly increase the chances of a cyber-attack succeeding or not being identified in a timely manner. A more robust mapping of systems can help reduce a firm’s vulnerable attack surface and better protect it against attacks, and will give assurance to supervisors who increasingly want to verify that there are effective monitoring and detection processes in place.

  • Business efficiency and long-term cost control: complexity may be costly to rationalise, but it is also costly to maintain. Systems inevitably grow, but firms that have taken the steps to understand and update their IT portfolio, and have in place clear processes to map their evolution, will deal with complicated but understandable systems rather than complex and obscure ones. They will likely spend fewer resources fixing recurring issues, and can focus on extracting value from their pool of IT assets. 

  • Greater systems flexibility and adaptability: enterprise change is often a trigger for IT change. Divestments, mergers and acquisitions all involve systems integrations, and are often ostensibly done to improve efficiency or gain a competitive advantage. IT complexity, however, can add a lot of friction to this process and reduce the likelihood of the broader M&A strategy reaching its full ambition. Firms that have a clearer understanding of their IT systems will more easily embark on, and reap larger benefits from, business change. They will also attract less challenge and scrutiny from their supervisors, who will want to make sure that firms integrate IT systems in a prudent manner. 

  • Aligned with the regulatory direction of travel: regulators across jurisdictions are converging around a view that firms need to have a better understanding of what systems and processes support their business activities. They are increasingly concerned that systems interconnectivity in the financial sector means that an isolated IT disruption could potentially create market contagion. It is therefore unlikely that recent regulatory signals that firms should take a much firmer grip of their IT systems and associated change programmes will die down. Firms, therefore, will be asked to show that their systems are correctly mapped and understood, and that the relevant stakeholders are involved from the start when changes are planned. Doing so will help firms further show that measures have been put in place both to reduce the chances of a significant disruption and to mitigate one should it arise.

We believe the value proposition of doing IT change well was always strong. Now it is even stronger. As legislators, regulators and supervisors respond to recent high profile events where IT change has gone wrong, their approach to evaluating the operational resilience of firms will become an important challenge for those whose IT systems appear to be fragile in the face of change.

Many of the UK and EU regulatory approaches are still in the discussion or consultation phase, and will soon crystallise into hard requirements. The supervisory focus on firms can only increase. Firms now have an opportunity to read these early signals and elevate the case for greater investment in technology change management and operational resilience with senior executives and boards.

 


David Strachan – Partner, Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.


Rick Cudworth - Partner, Crisis and Resilience

Rick has over 25 years’ industry-leading experience in Crisis Management and Resilience. He has been interim Group Head of Resilience for two global banks and has supported and facilitated executive leadership in responding to crisis events. He is a recognised industry leader in his field and Chair of the British Institution Technical Committee for Continuity and Resilience.


Neil Bourke - Director, Crisis and Resilience

Neil is a Director in Deloitte’s Reputation, Crisis and Resilience team, part of the Firm’s wider Risk Advisory practice. He is an Organisational Resilience specialist with in-depth knowledge and experience across a wide range of risk, resilience and readiness activities. Neil has over nine years’ experience helping large global organisations develop approaches and supporting capabilities to reduce the likelihood and impact of disruption to critical business operations and supporting technology.


Scott Martin – Senior Manager, Centre for Regulatory Strategy

Scott is a Senior Manager in the Centre for Regulatory Strategy advising on international banking regulation, with a particular focus on bank capital, strategy, cyber risk and public policy-making processes. Scott is also the host of Deloitte's financial services podcast Regulated Radio. Before joining Deloitte in 2015, he worked in Brussels as an EU regulatory strategist advising a number of global banks and other financial institutions. He is a graduate of the London School of Economics and previously worked as a political advisor to Canada’s Minister of Finance and Minister of Foreign Affairs.


Quentin Mosseray – Senior Associate, Centre for Regulatory Strategy

Quentin is a Senior Associate in Deloitte’s Centre for Regulatory Strategy, advising on the strategic impact of regulation on firms’ business and operating models. His work focuses on insurance regulation, and cyber and operational resilience. Prior to joining the Centre, Quentin completed an LL.M in Law and Economics, and also holds a degree in International Relations.
