TSB - a lesson to be learned for Operational Resilience

By Karen Latham

‘TSB fined £48.65m for operational resilience failings’

Yesterday’s announcement of the FCA and PRA fines levied on TSB Bank should be a wakeup call for firms who, despite all the regulatory pressure for change in this area, still fail to embed operational resilience and business continuity as a key part of their business and technology change programmes.

Over the years I have encountered some ‘change’ functions that, when planning and designing change, place primary focus on new functionality to benefit the business or deliver additional value/profit, whilst giving little consideration to building controls-by-design and resilience-by-design solutions and approaches. Some firms plan and attempt to deliver and implement change at such a pace that even if they are considering resilience in the solution, not enough planning and testing is performed. Unsurprisingly, this often leads to failed changes or, even worse, changes that are implemented with a detrimental impact to clients and customers, as was the case here.

The announcement of these fines is a timely reminder to regulated firms that the anniversary of the implementation of this year’s operational resilience regulation is fast approaching at the end of March 2023. There is certainly an expectation from the FCA (it is, in fact, written into the regulation) that firms must maintain their records relating to operational resilience, and this (in my opinion) translates to an ongoing requirement for firms to consider operational resilience on an ongoing basis, not just to tick a box at each anniversary in an attempt to demonstrate regulatory compliance. This clearly leads to a requirement for embedment of operational resilience in the processes a firm operates for delivering change. Regardless of any regulation, why would a firm not want to operate in this way when the benefits of doing so are so clear?

Duration of outage versus duration of harm

The FCA’s news announcement also referenced a period of disruption from April 2018 to December 2018, and that £32.7m had been paid by TSB to ‘redress customers who suffered detriment’. This prompts the question, in the context of current regulation, of how long the duration of ‘harm’ or, for the more unfortunate customers, ‘intolerable harm’, may have been for customers of the bank. How many firms have considered the duration of harm as part of their impact tolerance assessment, rather than simply considering the duration of an ‘outage’? When managing delivery of change, I wonder how many firms consider the thresholds set by the impact tolerances of important business services that will be impacted by the change. Will the change, when successfully implemented, ensure the firm is able to remain within its tolerances? And what if something goes wrong during implementation – how can the firm ensure intolerable harm will not be caused to its customers?

Third party outsourcing risk

The announcement also referenced ‘operational risk management and governance failures, including management of outsourcing risks’.

I won’t dwell on this here; the concern of the financial sector regulators regarding the risks of using third party and outsourced services was the subject of a very recent blog by my colleague Michael Faber (see below for a link to the ‘Third Party and Outsourcing - The Perfect Storm’ blog).

What about culture?

In my experience, both as an employee of and a consultant to financial institutions operating in various sectors of the industry, the prevailing culture that separates business and technology functions has continued through the decades in some firms.

When I first read about the proposed operational resilience regulation back in 2019, I believed it would prompt a step-change in the way firms approach management of change and technology risks, in particular governance over technology risk.

By prescribing that firms identify important business services delivered to their customers and clients, as well as identifying all resource dependencies in the delivery chain (including technology resources and third parties), the onus must surely be on the business service owners to understand end-to-end what it takes to successfully deliver the service to its consumers. However, in order to effectively manage resilience, firms must also be prepared to break down existing silos, forge a culture of collaboration, allocate appropriate accountability and ensure embedment of responsibility for management of risk and resilience across the entire organisation.

It has always struck me that one of the obvious places for collaboration and effective management of risk should be in any function responsible for change management. This has not always been my experience, having encountered change teams firmly planted at either the business or technology end of the chain, often with inadequate or, dare I say it, no input from Risk, Compliance, Business Continuity Management, Legal, HR and other key stakeholder groups.

Firms that have successfully embedded operational risk and operational resilience frameworks that encompass their change management processes will undoubtedly be more effective in maintaining services to their consumers through implementation of change.

Firms that have worked at removing silos and promoted working collaboratively across business functions will no doubt be deriving benefit from ongoing effective management of operational risk, operational resilience and business continuity management. Those that have successfully connected all three disciplines are probably well on the road to managing business resilience as a business-as-usual activity, with staff across the firm understanding the role they play in the resilience of business operations.

So, what next?

March 2023 will be upon us before we know it and a year will have passed since the Operational Resilience regulation came into effect. If you haven't thought much about important business services, intolerable harm, resource mapping, scenario analysis and the self-assessment since March, are you confident your firm is appropriately maintaining its records for operational resilience as prescribed in the regulation? Are you ensuring operational resilience is a primary consideration in any change being delivered at your firm?

Why not take a few minutes to listen to our podcast series from earlier in the year, where we talk in more detail about Operational Resilience? (All episodes are available via this News & Views page of the website.)

If you would like to hear more about how Shapes First works with firms to deliver and embed their operational resilience frameworks and resource mapping solutions then we would welcome a discussion.
