80% of all major incidents have their root cause in change, but this is still not considered by many to be a major resilience concern. It has always been the focus of enterprises and regulators to reduce the risk of incidents, so why are so few of them focusing on the link between release and resilience?
These three recent articles highlight how some regulators and organisations are starting to realise the importance of good change management to resilience, but some aren’t quite there yet:
In July 2018 the Bank of England and the FCA released a paper that highlighted the financial system’s increasing reliance on technology and data. The paper shows a clear shift in focus towards decision making and holding people accountable. It shows an understanding that things will go wrong and there is no such thing as 100% technical resilience.
The takeaway: technical resilience is great, but you can’t rely on technology alone. When major outages happen you don’t see a system or piece of software on the news. It’s always a person who has to be held accountable so it’s worth thinking about this in regards to preventing outages.
At the beginning of this year, the Treasury Select Committee launched an inquiry into banking outages. They asked for evidence from financial services firms to help them understand why the number of these outages is increasing. Despite much of the feedback from banks highlighting the role of change in causing outages, the inquiry seems to overlook this as a cause.
The takeaway: look at the evidence - change accounts for 80% of major outages yet is not considered in the inquiry as one of the major concerns - at least not thus far. Is this the case in your own organisation? It’s worth focusing more on improving change management to prevent outages and less on disaster recovery after the fact.
Banks are having to constantly change and evolve to remain competitive, but this comes with increased risk. The OCC recognises that outages and vulnerabilities are more often than not a result of change, whether planned or unplanned.
The takeaway: increasing the rate of change in your organisation may be a necessity, but so is a high level of resilience. Whatever benefits a new innovation may bring will be undercut by an outage that affects customers, costs money and damages reputations.
Although some regulators and enterprises are catching on to the importance of resilient enterprise change management, they’re not all the way there yet. This may be because they’re unsure how they can improve their change process to make it more resilient.