Last week the Financial Conduct Authority made an announcement that should be of great concern to business continuity managers everywhere, but especially those working in customer-facing financial services. The FCA announced that it was fining the Royal Bank of Scotland, NatWest Bank and Ulster Bank a total of £42 million for IT failures which occurred in June 2012 and left the banks’ customers unable to access banking services.
The actual cause of the IT incident was a software compatibility problem that affected over 6.5 million customers in the UK for several weeks. Over the course of that period customers could not use online banking facilities to access their accounts or obtain accurate account balances from ATMs, were unable to make mortgage payments and were left without cash abroad. The banks applied incorrect credit and debit interest to customers’ accounts and produced inaccurate bank statements, and some organisations were unable to meet their payroll commitments or finalise their audited accounts.
The FCA found that the underlying cause of the IT failure was that the banks did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular, there were inadequate testing procedures for managing changes to software; the risks related to the design of the software system were not identified; and the IT risk appetite and policy were too limited because they did not focus enough on designing systems to withstand or minimise the effect of a disruptive incident.
Business continuity managers listen to this part! The reason the FCA gave for taking action against the banks was for their failure to put in place resilient IT systems which could withstand, or minimise the risk of, IT failures. They also specifically stated that the decision reflected the FCA’s commitment to ensuring that banks make the cultural shift away from “business continuity” (recovering from disruptive events) to “resilience” (ensuring that the banking activities most critical to customers can withstand the effect of disruptive events like software and other IT failures).
This shift away from business recovery and towards business resilience reflects a trend already underway within the business continuity industry, but the multi-million-pound FCA fine puts something of a rocket booster under it. If regulators are going to levy fines of this size on organisations that fail to properly risk-assess business continuity threats and implement mitigating measures, then business continuity managers need to raise their game, and very quickly. Fortunately help is at hand. The Crises-Control app is a tool that can help, not only in responding to a crisis, but also in building a responsive, resilient team that can anticipate and prevent crises from happening in the first place.
Sources: BBC, Computer Weekly