In our previous blog post, Is Treasury Committee Banking Inquiry Missing Root Cause of Outages?, we questioned whether the UK Treasury Committee’s inquiry into banking outages was missing the most important root cause of major incidents in financial services: change. The Treasury Committee is one of the 19 Select Committees related to Government Departments and chooses its own subjects of inquiry. It is unsurprising that the committee has chosen to investigate banking outages, as IT outages rose 138% in 2018. Although 80% of major incidents have their root cause in change, improving the change management process is often not considered as a way to reduce regulatory risk. However, views on this may be starting to change.
The US OCC’s Fall 2018 Semiannual Risk Perspective highlights the risks posed by an increased rate of technology change. It advises financial institutions to work towards better change processes in order to avoid outages and regulatory repercussions. The report states: “The OCC has linked many risk assessment concerns to weaknesses in change management processes.”
This shows a clear recognition by the regulator of the risks created by change, including the risks of incorrectly completing regulatory change:
“Regulatory changes may necessitate modifications to existing operations, policies, procedures, and systems. These changes may result in significant compliance and reputational risk if not implemented correctly and with appropriate change management processes.”
The report also recognizes the factors that have led to an increased rate of change, further increasing the risk of outages due to poor change management. According to the OCC, the key challenges that elevate risks include “strong competitive pressures from banks and nonbanks” and “rapid technological innovation”. These are both factors that lead to an increased rate of change, and therefore more opportunities to make mistakes that could lead to major outages. The speed of IT delivery decoupled from collaboration with people is also a big part of the problem. Change only becomes adopted and monetized at the rate of the slowest moving contributor, such as an operations team going through updated compliance training.
Therefore all banks face a dilemma: more change equals more risk, but without change, they stagnate and fall behind fast-paced technological innovation. The OCC’s report acknowledges this issue:
“While evolving technologies can benefit banks and their customers, they can also disrupt bank business models and pose risks in many areas.”
The industry dichotomy between resilience and high-velocity, high-volume change is starting to dawn.
Change management is much more than technical delivery or a governance process. Without a solid foundation of enterprise change management capability, high-volume, fast-paced change is a significant risk. According to former Treasury Official and regulatory advisor Jonah Crane, “if speed is your objective it can end up tripping you up.” He commented that “many financial institutions are trying to do things the same way but faster, which is how things break.”
The report from the OCC shows the changing attitudes of regulators towards enterprise change management: “The OCC has linked many risk assessment concerns to weaknesses in change management processes.” Change management is becoming a major regulatory concern and addressing ways to reduce risk in this area is likely to have a much greater positive impact on resilience than focusing on damage control after a mistake has been made:
“Operational disruptions underscore the need for effective change management when implementing new products, services, and emerging technologies.”
Improving change management is essential and human and technology orchestration is key to this. Rather than focusing purely on delivering new technology, enterprises should also focus on empowering people with the tools and data they need to be successful. There needs to be orchestration between humans and technology to reach full maturity and the maximum level of resilience.
Cutover is an enterprise change management platform that allows you to strategically plan, orchestrate and manage change with transparency and control. This helps you improve your change and release processes and your level of resilience against incidents.
Richard Bell is a cofounder and director at Cutover. He is the former IT COO & Deputy CIO for Barclays and has over 30 years of Financial Services experience, including the delivery of many international change programs across Investment, Commercial, Wealth & Retail Banking.