Financial Services Is Definitely Not Infallible to IT Failures
Following recent incidents such as TSB's systems failure and Visa's service outage, operational resilience is increasingly vital. Bank of England and FCA recently published a report stressing the importance of business continuity during a disaster. Below Finance Monthly hears from Peter Groucutt, Managing Director at Databarracks, who discusses what businesses need/can to do to strengthen their operational resilience during a disaster to absorb any shock a business may experience.
In July 2018, the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint discussion paper aimed at engaging with the financial services industry to improve the operational resilience of firms and financial market infrastructures (FMIs).
At the time it was issued, banks and FMI’s were capturing media attention, following several high-profile incidents.
TSB’s failed IT migration has been well publicised, costing the firm £176.4m in various fees and leading to the departure of its chief executive, Paul Pester. In June 2018, shortly before the release of this paper, millions of people and businesses were unable to pay for shopping due to a sudden failure of Visa’s card payment system.
Financial services lead in business continuity
The financial services industry is a leader in business continuity and operational resilience. It has a requirement of a high level of systems-uptime and is well-regulated. The best practices it introduces are often taken and more widely adopted by other industries. Our own research supports this. Our annual Data Health Check survey provides a snapshot of the IT industry from the perspective of over 400 IT decision-makers. The findings from this year’s survey provided some revealing insights.
64% of financial institutions had a business continuity plan in place, compared to an industry average of 53%. Of the financial sector firms with a specific IT disaster recovery process within their business continuity plan, 64% had tested this in the past 12 months – compared to 47% across other industries. Finally, 81% of financial firms had tested their IT disaster recovery plans against cyber threats, versus 68% of firms in other sectors.
While these findings reinforce the strength of the industry’s operational resilience, incidents like TSB and Visa prove it is not immune to failures.
The regulators want to “commence a dialogue that achieves a step-change in the operational resilience of firms and FMIs”. The report takes a mature view to the kind of incidents firms may face and accepts that some disruptions are inevitable. It provides useful advice that can be taken and applied not only to the financial services community, but other industries too.
Leveraging advice to improve operational resilience
So, what can be learned from this report? Firstly, setting board-approved impact tolerances is an excellent suggestion. This describes the amount of disruption a firm can tolerate and helps senior management prioritise their investment decisions in preparation for incidents. This is fundamental to all good continuity planning; particularly as new technologies emerge, and customer demand for instant access to information intensifies. These tolerances are essential for defining how a business builds its operational practices.
Additionally, focusing on business services rather than systems is another important recommendation. Designing your systems and processes on the assumption there will be disruptions – but ensuring you can continue to deliver business services is key.
It’s also pleasing to see the report highlight the increased concentration of risk due to a limited number of technology providers. This is particularly prevalent in the financial sector for payment systems, but again there are parallels with other industries and technologies. Cloud computing, for example, it’s reaching a state of oligopoly, with the market dominated by a small number of key players. For customers of those cloud services, it can lead to a heavy reliance on a single company. This poses a significant supplier risk.
Next steps
Looking ahead, the BoE, PRA and FCA have set a deadline of Friday 5th October for interested parties and stakeholders to share their observations. The supervisory authorities will use these responses to inform current supervisory activity, helping to dictate future policy-making. The supervisory authorities will then share relevant information with the Financial Policy Committee (FPC), supporting its efforts to build resilience in the financial system.
Firms looking to improve their operational resilience should take advantage of this excellent resource – whether in financial services or not.