This article was paid for by a contributing third party.
The importance of getting technology change right
Need to know
- Covid-19-propelled digitisation is increasing the number of technology change projects.
- Failed technology changes are more serious than other change management failures, and they are more likely to affect customers.
- Identifying why projects fail, continuing investment and change, using cloud technology and having robust governance arrangements are all vital to reducing the number of incidents and their impact.
- Having in place a robust IT or cyber risk incident response plan, including required third-party support, is essential to mitigate fallout from failed IT change management or other IT and cyber risk incidents.
Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, covers some of the rapid technological changes under way brought about by, and in the wake of, the Covid-19 pandemic.
Technology change on steroids
Technology in financial services is no longer limited to fintechs. Its adoption is a vital component of every financial institution’s business model in responding to disruptive competitors, meeting higher customer expectations and reducing costs. We have been living in the fourth industrial revolution for some time, but Covid-19 has further accelerated the digitisation of financial services – some commentators consider parts of the industry have advanced five years within the space of just one – and, inevitably, installing new IT brings new opportunities but also new risks. Given the intensity and pace of technology change being pushed through with stretched resources, the usual risks may be elevated, particularly where new technologies are involved. Operational risk managers must design and put in place effective processes to identify, manage and monitor these risks, both during and after the change. Expectations of financial institutions in this respect are rising, as reflected in a growing number of regulatory requirements.
Technology change management review
The recent publication by the UK Financial Conduct Authority (FCA) of a cross-financial services review into technology change management is timely and welcome. While the organisations surveyed are UK-licensed, the findings are relevant to financial institutions wherever they are regulated. The review considers how financial institutions manage IT change, the impact when changes fail, and how to reduce the number and seriousness of failures. It aims to identify ways in which the related operational risk can be reduced.
With increased dependency on digital services, even short-lived incidents, such as a denial of service, can cause significant disruption, reputational fallout and regulatory exposure. According to the FCA survey, failed IT changes are generally more serious than other change management failures, and even low-level incidents, especially customer-facing ones, can trigger regulatory investigations and public enforcement action. Most financial institutions other than fintechs still rely on legacy infrastructure, and replacing it is associated with the highest failure rate of any category of change. This is why many institutions are reluctant to migrate to new systems: despite extensive planning and preparation, there are too many examples of problematic outcomes. More promisingly, cloud technology is being rapidly adopted. While it has advantages and disadvantages, it can reduce the risks involved in technology change.
The FCA review finds that there is no one-size-fits-all solution to successful change management. Nevertheless, it confirms that robust governance arrangements and ongoing investment in technology beyond any given change life cycle are central to reducing the number of incidents and their impact.
Drivers of change
What are the drivers of change? The review found the most common reasons for technology change were maintenance and upkeep and satisfying regulatory and legal requirements, followed by improvements for customers, for example new interfaces and additional functionality that improve their experience of a service. Other drivers include cost and company growth, which is especially relevant for fintech entrants as they scale up their operations and customer base.
Risk characteristics
Where should financial institutions focus their efforts to reduce the risks associated with change projects? The evidence shows a number of characteristics shared by high-risk projects, and some of those identified by the FCA review are unsurprising: projects with external dependencies, tight deadlines or poorly defined goals, and projects characterised as ‘major’, where complexity and a failure to break the work into more manageably sized pieces increase the risk profile. Of special interest are projects that replace legacy technologies, which have been ‘patched over’ for many years and run alongside newer applications, a particular issue for traditional banks and insurers; projects that introduce technology not previously used within the organisation; and projects employing emerging technologies such as blockchain, artificial intelligence and machine learning.
Another category with elevated risk is projects with substantial numbers of staff located offshore. Here, the role of third parties is not always factored in sufficiently, and clearer communication of their responsibilities is needed. Reliance on unregulated companies providing technology or technical services to the financial sector is increasing, more so in sectors such as payments, and is another important risk factor.
The importance of governance
Many financial institutions use governance bodies (change advisory boards) to support the assessment, prioritisation, authorisation and scheduling of changes. Change management itself is not new to financial institutions; in fact, the review found that most entities surveyed already had “rigorous governance arrangements” in place. A key takeaway is that, while less than 2% of technology changes go wrong, the sheer number of changes makes their impact significant, with 14% of failed changes affecting customers.
As organisations speed up digitisation to enable remote working, respond to the shift of customer preferences to digital channels and invest to improve efficiency, productivity and profitability, senior management must plan the implementation and risk management of change projects with extra care. Effective project management is also critical to a high rate of success in change management, not least in ensuring that strategic objectives are met and that high standards of risk management and quality control are maintained.
Effective governance starts with senior managers, who should take steps to secure an effective operational environment. Governance arrangements that have been in place longer tend to enjoy a higher rate of success, with the caveat that such arrangements should not be left to themselves: rather than ad hoc reviews, best practice means regular reviews to ensure they remain adequate for a task that will itself evolve as technology and business models continue to adapt as quickly as they do today. Besides senior management, non-executive directors should bolster governance by challenging change plans. While the board is ultimately responsible, the chief operating officer or another member of senior management should have direct and specific responsibility for managing technology change. Some jurisdictions, such as the UK, impose prescribed responsibilities on senior management function holders, who will be liable when things go wrong if they have failed to take reasonable steps.
The importance of continued investment and change
The FCA review also reveals a direct correlation between lower levels of legacy infrastructure and the success rate of technology change. Moreover, financial institutions with less legacy infrastructure are less likely to have to make IT changes in an emergency, and the changes they do make tend to be more successful, a virtuous circle. By their nature, emergency changes are carried out at speed, which increases the margin for error and exacerbates any existing weaknesses. Investment in renewing and deploying up-to-date technology therefore brings advantages beyond its inherent efficiencies and capabilities, and a reluctance to invest in IT is a false economy. The review data shows that financial institutions investing a high percentage of their IT budget in change activities tend to make fewer changes that give rise to issues. The principle of ‘little but often’ has its rewards: managing the risks of change as part of everyday project management is more likely to succeed than applying risk management on a one-off basis.
Cloud-based infrastructure
Public cloud service providers are fast becoming part of the financial infrastructure. They provide on-demand computing services and infrastructure that are managed by a third party and shared with multiple tenants. Financial institutions are becoming progressively more dependent on cloud because of its ability to reduce costs, enable businesses to adopt and scale new technology on demand, accelerate digital transformation and facilitate mandatory data analytics. Although cloud can mean a lower level of oversight and direct control, a further benefit for change management is that it allows more frequent change cycles and greater automation, bringing repeatability and consistency. This not only reduces the need for ‘big bang’ changes and lowers the manual risks around technology change, but also improves the ability to respond when something goes wrong.
The importance of incident readiness
Even the best-managed change project does not guarantee frictionless implementation, and even frictionless implementation of change is no guarantee of ongoing operations without friction. Because of these realities and the ever-wider use of technology, it is recognised that the management of operational IT risk and its counterpart, operational IT resilience, are increasingly important. This is reflected in the emphasis regulators place on adequate systems and controls, management reporting and clarity over senior manager responsibilities, against a background of recent high-profile failures in technology change management that have led to significant levels of disruption and customer detriment. Accordingly, it is essential that, during the change process and beyond, financial institutions have robust IT and cyber incident response plans in place. As a starting point, financial institutions should identify their key business services, including the people, processes, facilities, information and, in particular, the technology that supports these services. They must have clear governance around each technology, a clear understanding of the data these technologies process, and a clear view of how the process can be controlled or control recovered. Part and parcel of a robust incident response plan are also unambiguous escalation and reporting procedures, a solid understanding of reporting obligations, and the immediate availability of trusted partners, including forensic firms and law firms, that can be brought in to help manage an incident whenever and wherever it materialises.
While customers might benefit from a stronger operating platform in the future, if technology change results in service disruption, or an increased technology risk profile post-change is not managed properly, the regulatory and reputational fallout from technology failure or vulnerabilities will obscure the benefits to the business for some time. The opportunities that new technology brings require improved operational risk management capabilities and practices. This is particularly true during the current period of rapid change.
Sponsored content
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net