Recent high-profile IT failures have focused regulatory and supervisory attention on the risks that technology change can pose to the operational resilience of the financial services sector. The volume, velocity and complexity of change present a significant challenge to many financial institutions, and it is during change programmes that disruptions often crystallise.
To supervisors, operational resilience is about reducing the risk of major disruptions occurring, but also (and perhaps even more so) about recovering effectively and promptly when a disruption does occur. Driven by the increasing role that technology plays in providing modern financial services, supervisors in the UK and the EU have made it clear that they are pivoting their focus to ensure that firms are doing enough to make themselves more operationally resilient.
Firms should use this supervisory shift as an opportunity to develop a strategic view of technology change management. This will not only help them meet emerging supervisory expectations, but also could support the development of a leaner, nimbler and more cost-effective organisation.
This blog explores how recent supervisory developments relate to a strategic view of IT systems management and what firms can do to decrease the likelihood of, and better their response to, disruptions in change projects.
Recent regulatory trends
In the past 12 months, legislators, regulators and supervisors have all highlighted their concerns around the way that some financial services firms are managing change to their information and communications technology (ICT) systems.
- The UK Parliament’s Treasury Committee launched an inquiry into IT failures in the financial services sector. Its goal is to understand the root causes of IT failures, and whether there are industry trends that could exacerbate risks in the future.
- The UK Financial Conduct Authority (FCA) has pointed to an inconsistency between firms’ generally positive self-evaluation of their change management preparedness and the reality that change management was the leading root cause of IT disruptions reported to it between October 2017 and September 2018. The FCA is now planning further work to assess firms’ current approaches, the conclusions of which it will publish in a report, along with any additional actions.
- The Bank of England, FCA and Prudential Regulation Authority (PRA) are jointly developing an operational resilience framework and have said that changes to legacy systems need to be managed carefully, as they present a heightened risk of operational disruption. The PRA and FCA further point out that failure to address obsolescent technology can weaken operational resilience.
- The European Banking Authority (EBA) has published draft guidelines on ICT and security risk management, which could be applicable from as early as 2020. In their current form, the guidelines would require firms to manage changes to their IT systems carefully, and have robust procedures in place in the event of disruptions. This echoes the UK’s 2018 Discussion Paper on the operational resilience framework.
Firms need to be able to innovate, keep the complexity of their systems manageable, and update old ones. They must do this all while minimising the likelihood of failures, and minimising the disruption arising from those that do nevertheless happen. The regulatory developments set out above point to where building this resilience, including in change management, must start.
A strategic view of change management
There are clear links between good practice in IT systems management, operational resilience in technology change, and much of what regulators have recently highlighted.
The following five principles can form the basis for a strategic view of technology change management for financial services firms:
- Early action: firms need to take a proactive stance towards IT change management. There may be short-term incentives to delay large IT programmes, but a firm that deals with its IT debt sooner rather than later can reap dividends. Complexity increases with time, and more complex systems are harder to operate and to rationalise, something the PRA and FCA have said can contribute to weaker operational resilience.
- Investment-led: a strategic IT change management programme is, by definition, a large one. It must be supported by a commensurate budget, bring in key stakeholders from around the business, and be given an appropriate amount of time and resources. Boards need to be involved, given its strategic importance, and supervisors will want to see evidence of strong governance and senior management oversight.
- Capability and ‘muscle memory’: the pace of IT change is unlikely to slow as technological innovation continues. Rather than treating each change as an individual event, firms should build capabilities that learn from previous changes, shorten planning and preparation windows, and minimise the risk of error through robust but flexible execution plans. These plans should be applied not only to large programmes but also to smaller and more regular changes, since the FCA and PRA have highlighted that some recent disruptions materialised in the latter.
- Unhappy-path planning: many IT change programmes are characterised by happy-path planning and optimism bias. Considering from the outset what might go wrong, and planning for avoidance, mitigation and recovery should the worst happen, is critical. The PRA and FCA have pointed towards building flexibility into timescales, for example to accommodate issues identified during independent testing.
- Ongoing leading practice: firms need to link IT change programmes with good ongoing practices between projects. Having good procedures in place that map out and update the IT assets that underpin various business activities is a critical first step. This can reduce the risk of disruption when change programmes are launched. It will also help firms elevate the right stakeholders onto project teams and for those teams to understand a project’s risks better. The EBA has emphasised this as a key expectation.
Change management: the value proposition
By taking a strategic view along the lines set out above, firms can put themselves on the front foot rather than be prisoners of their IT systems, just as regulators are sending clear signals that they expect firms to manage those systems better, both on an ongoing basis and in IT change programmes.
Taking a strategic view of IT change may be desirable, but it can often come at a high cost to firms in the short run. Nevertheless, there is a value proposition that technology leaders in firms can make to convince relevant stakeholders of the importance of doing things right. This value proposition is not entirely new, of course, but, in our view, it is being significantly enhanced in the financial services sector by the growing level of supervisory scrutiny and intervention in the area of operational resilience.
Executives can build the value proposition on at least the following five points:
- Resilience and reputational defence: taking a cue from the EBA on mapping systems based on their criticality, and from the UK supervisory focus on the processes underpinning business services, firms that invest in robust systems mapping can reap benefits beyond meeting the supervisory challenge. Not only will it enable them to identify where failures would be most critical (and thus apply preventative measures more effectively), but it will also enable executives to gain a comprehensive understanding of a disruption quickly and react more promptly in a crisis. Recent incidents show that mishandling operational disruptions can lead to departures from senior management teams, and that the ability to present accurate and timely information to all stakeholders (including internal ones, such as technology teams communicating with front-line staff) can be crucial to avoid losing customers or facing potentially very large redress costs.
- More cyber-secure systems: complex systems are often unpredictable and difficult to understand, and this creates openings for malicious adversaries to exploit. These ‘unknown unknowns’ - systems or interdependencies that are not fully understood - can significantly increase the chances of a cyber-attack succeeding, or of it going undetected for longer than it should. More robust mapping of systems helps a firm identify its attack surface, reduce it where components are redundant or obsolete, and defend what remains, and it gives assurance to supervisors, who increasingly want to verify that effective monitoring and detection processes are in place.
- Business efficiency and long-term cost control: complexity may be costly to rationalise, but it is also costly to maintain. Systems inevitably grow, but firms that have taken the steps to understand and update their IT portfolio, and have in place clear processes to map their evolution, will deal with complicated but understandable systems rather than complex and obscure ones. They will likely spend fewer resources fixing recurring issues, and can focus on extracting value from their pool of IT assets.
- Greater systems flexibility and adaptability: enterprise change is often a trigger for IT change. Divestments, mergers and acquisitions all involve systems integrations, and are often ostensibly done to improve efficiency or gain a competitive advantage. IT complexity, however, can add a lot of friction to this process and reduce the likelihood of the broader M&A strategy reaching its full ambition. Firms that have a clearer understanding of their IT systems will more easily embark on, and reap larger benefits from, business change. They will also attract less challenge and scrutiny from their supervisors, who will want to make sure that firms integrate IT systems in a prudent manner.
- Aligned with the regulatory direction of travel: regulators across jurisdictions are converging around the view that firms need a better understanding of which systems and processes support their business activities. They are increasingly concerned that interconnectivity between systems in the financial sector means that an isolated IT disruption could create market contagion. It is therefore unlikely that recent regulatory signals that firms should take a much firmer grip of their IT systems and associated change programmes will die down. Firms will be asked to show that their systems are correctly mapped and understood, and that the relevant stakeholders are involved from the start when changes are planned. Doing so will also help firms show that measures have been put in place both to reduce the chances of a significant disruption and to mitigate one should it arise.
We believe the value proposition of doing IT change well was always strong. Now it is even stronger. As legislators, regulators and supervisors respond to recent high-profile events where IT change has gone wrong, their approach to evaluating the operational resilience of firms will become a significant challenge for those whose IT systems appear fragile in the face of change.
Many of the UK and EU regulatory approaches are still in the discussion or consultation phase, and will soon crystallise into hard requirements. The supervisory focus on firms can only increase. Firms now have an opportunity to read these early signals and elevate the case for greater investment in technology change management and operational resilience with senior executives and boards.