Posted: 6th November 2019

Being operationally resilient is really all about learning. The challenge for firms is in translating the guidance of regulators, government and industry experts into practical solutions. At the core of this will be effectively identifying, understanding and working through operational problems before impactful issues occur. Businesses will then need to make sure this learning sticks and is incorporated into the ‘business as usual’ going forward.

Sometimes, however, the industry needs a little push. And a little assistance.

“An unacceptable number of IT failures”

Last week, the Treasury Select Committee (TSC) released a report (one that was unanimously agreed upon, no less) on the recent spate of IT failures within the financial services sector.

The report certainly makes for uncomfortable reading for those within the industry, particularly banks and building societies who are being held responsible, whether rightly or wrongly, for the vast majority of IT issues impacting customers. It also adds to the complexity of regulatory change and terminology that firms need to contend with.

The TSC does have a pretty good base of evidence for its claims. Most of us have experienced serious IT outages of some kind, whether as leaders, employees or consumers.

The TSC does admit that “completely uninterrupted access to banking services is not achievable”. No system, especially none as complicated and wide-reaching as those in financial services, is completely fool-proof. However, the TSC is clear that prolonged and critical IT failures “should not be tolerated”, for they point to more fundamental problems.

We think that what is really called for now isn’t new complexity, but simplification of existing approaches and a renewed understanding of what the customer thinks, wants and needs. Here at Huntswood, considering the customer and getting it right is what we are all about.

I don’t want to oversimplify, however. There have been great steps forward in risk, compliance and operational rigour and discipline, but sometimes the intuitive logic of systems, processes and approaches can be lost. Businesses need to be doing more to:

  • Proactively identify risks before change is made
  • Ensure that the point at which customer impact is perceived as ‘intolerable’ is made a factor in planning
  • Better join up the respective parts of the organisation so that one function understands the demands and needs of another (and, oh yes, this includes IT, customer services, product governance, compliance and risk teams as well)

Expect regulators to come down harder

The Committee is calling on regulators to “make plain … what their tolerance levels for failure are.” Firms need to be prepared for a more intensive and intrusive regulatory regime. The effect of this could be seen in a number of ways:

  • Firms should already be expecting more scrutiny on systems outages and resilience issues over the coming years. ‘Operational resilience’ features heavily in cross-sector priorities for 2019 / 2020
  • The TSC has welcomed the Senior Managers and Certification Regime (SM&CR) for the heightened level of accountability it has brought to the field, but notes that, so far, there have been no successful enforcement actions following IT failures
  • The SM&CR’s accountability rules don’t apply to certain “infrastructural” businesses such as payments systems. Disruption to payments systems can be catastrophic and disproportionately affect those in vulnerable circumstances. The TSC suggests that the regime should be rolled out to cover this sector
  • The Committee also suggests that financial services levies should be raised so that regulators can hire the experienced staff they need. The TSC would like to see the regulator given more ‘teeth’

Build resilience now

Steve Baker MP, the TSC’s lead on this inquiry, says “For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off.”

Firms can’t rely on “hollow words” to smooth things over with regulators and customers. What they need to be doing is taking the right action at the appropriate time. In other words: urgent investment needs to be made, alongside a joining up of the operational resilience, business continuity and customer contact functions within businesses across the sector.

Of course, it’s all well and good to tell businesses to invest, but it’s more important to recognise where the money could be best spent.

To provide one immediate target area, the TSC states that businesses are, from its perspective, failing to learn from their experiences, and don’t have the capabilities to effectively record data around IT and systems issues. This inhibits root cause analysis and increases the likelihood that issues will crop up again and again.

The Committee also makes a special point of mentioning the risks of using third parties to supply or manage business-critical infrastructure and data. Putting ‘all your eggs into the basket’ of the large software providers – even the likes of Google, Microsoft or Amazon – adds another layer of operational risk. Businesses need to be clever and careful about who they partner with and buy services from, spreading risk appropriately.

Further guidance on this can be taken from the FCA. Around the time of the TSC inquiry’s initial launch, the FCA published its Cyber and Technology Resilience survey results. Synthesising the information provided by nearly 300 financial institutions, the FCA identified a number of key areas that needed urgently addressing within firms’ operations:

  • Core skill gaps, particularly in technical knowledge, within senior management
  • Over-confidence in the firm’s own change management capability
  • Challenges in managing third-party vendors
  • The growing threat of cyber attacks

Our own regulatory healthchecks have, in the past, identified areas where firms do not have real trust in their third party partners. We have also found that some don’t have effective dialogue with their internal stakeholders, or perceive internal processes as lacking, but simply aren’t tackling the issue.

There's plenty that can still be done. In the end, it will be up to firms to set direction and priorities, though the Committee's report should provide a good roadmap.

Customer considerations in a time of crisis

Businesses cannot forget that their first priority in the case of any systems outage should be their customers.

Consider all the customer contact and ‘negative press’ that might result from having cash machine access cut for even a day. Think of the impact this could have on people’s lives and how this might lead to a surge in emotionally charged complaints. Meeting the FCA’s complaints handling timelines while managing the root cause at the same time could put incredible strain on your business.

The TSC calls for “Clear, timely and accurate communications [to] ensure that customers are aware of the incident and that they receive advice on remediation timelines and alternative access.”

The Committee then makes the point that, “When customers complain, the time taken for some customers to hear an answer is shocking and unacceptable. Firms must resolve complaints and award any compensation quickly.”

Having done the thinking in advance, and having secured the back-up resource needed, will not only help you respond to the issue at hand but should lead to increased advocacy and a boosted net promoter score. Our research shows that the faster a business can resolve a complaint, as long as good customer outcomes are still delivered, the more chance they have of retaining the customer and even encouraging them to attract others through their advocacy.

A wake-up call for the entire industry

The TSC and regulators aren’t saying “don’t fail”. They’re asking businesses to consider what could go wrong and understand the impact upon the consumer before it happens. The expectation is that firms have a way of assessing consumer harm and calibrating their warning signals (also referred to as ‘impact triggers’) accordingly. This can help prevent ‘knee jerk’ reactions, better deliver on firm and customer expectations and, ultimately, drive better outcomes, even in times of stress.

Putting the customer at the heart of operations, ensuring a joined-up understanding of the potential problem, and making investments in learning and development, resource and infrastructure are key to rebuilding resilience and public trust. If we don’t take this on board, businesses risk regulatory repercussion and a further loss of consumer trust – the lifeblood of the industry.

Get in touch today to find out how we can help you build operational resilience within your business and respond to the regulator’s scrutiny positively.

Huntswood is the industry’s partner of choice for the assurance and the specialist resource you need to ensure continued operational success.

Paul Dyer

Head of Regulatory Risk & Assurance