Ignoring the wake-up call
The major RBS computer failure in 2012 should have been a wake-up call to senior bank executives. For many years the competing pressures on IT budgets had led to insufficient investment in IT resilience, steadily building up the risk of failure. When the RBS system failed, many other banks must have thought “there but for the grace of god …” In case anyone failed to read the writing on the wall, the PRA and FCA sent a formal letter to Chief Executives demanding personal accountability for IT failures, an explanation of their approach to resilience of critical systems and processes, and disaster recovery plans.
Two years have passed and it seems that things have not materially improved. RBS suffered another failure on “Cyber Monday” of 2013, and the failure of the CHAPS system showed that it is not only the high street banks that are affected – the Bank of England can hardly claim competitive pressures to cut costs as a reason for lack of investment in IT.
Calling in the regulators
Since the banks have failed to fix their own problems, the regulators are now moving to force them to do so. Reinforcing the “Dear Chairman” letter, the FCA and PRA have shown their teeth by fining RBS a total of £56 million for the 2012 failure (this on top of the costs of remediating the problem and compensating customers who were affected by it). If this is still not sufficient to persuade the banks, the regulator has powers to instruct them to overhaul their investment plans in order to ensure the continuity of critical services.
Of course, simply throwing money at the problem does not guarantee it will be solved. Many banks are still running systems that date back to the 1980s, and have been updated, tweaked and patched ever since. There is a limit to how resilient such systems can ever be made, even if they are well understood and documented – which is rarely the case.
Out with the old…
The other solution is to replace the creaky old systems with a more modern platform. In principle this is a far better approach, delivering not only the resilience that the bank needs, but also the flexible platform needed to address the challenges of the future. The reality is that many banks have tried transformation programmes that have consumed money, resources and time but have been abandoned. This leaves the situation as bad or even worse than before, with additional IT systems partly deployed but no legacy systems decommissioned.
The banks face a paradox: all changes create risks, and major changes create major risks. It seems they are stuck between a rock and a hard place.
Real actions for real problems
The reason I joined Icon is that I believe their practical and experience-based approach can help resolve that paradox. Icon’s mission is to “Fight Complexity”, and this translates into some very concrete actions:
- Simplify design – simpler systems are inherently more resilient because they have fewer “moving parts”. They are also easier to operate and maintain, and if anything does go wrong they are easier to diagnose and recover. They are also easier to secure against cyber-threats.
- Automate relentlessly – it is beyond ironic that so many IT functions are still executed manually. The areas of testing and operations are often hold-outs against automation. Automated testing should be an absolute prerequisite of any new development, and design, development and operations must work together to automate deployment, upgrades and recovery.
- Enforce technical governance – legacy systems were not designed badly, but they have accumulated layers of complexity over the years, often as a result of “tactical” changes made under time or budget pressure. An empowered and adequately funded architecture organisation with genuine in-depth subject matter expertise can ensure that systems do not die the death of a thousand cuts. Every change should be seen as an opportunity to improve and simplify existing systems, and to explain the value of doing things properly to business colleagues. This is the foundation on which an effective governance structure is built.
- Build capabilities as well as systems – Icon provide top-flight payment and architecture skills, guiding the solution delivery alongside the customer’s own staff. Their experience of delivering large-scale payment systems not only reduces the risk of delivering change, but also ensures that the customer can become self-sufficient. Ensuring adequate staff skill levels is a vital part of the first line of defence against risk.
Icon can work with financial institutions to assess and enhance their IT systems’ resilience before they become tomorrow’s headlines.