Operational Resilience

Building operational resilience should be on the agenda of every business

In April 2018, TSB Bank plc, a UK retail bank, updated its IT systems and migrated the data for its corporate and customer services on to a new IT platform. The company’s IT migration programme was an ambitious and complex IT change management programme. While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to TSB’s banking services. A significant proportion of its 5.2 million customers were affected by the initial issues, and it took several months to return to business-as-usual.

Operational disruption can cause wide-ranging harm and it is critically important firms invest in their resilience. The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) fined TSB £48.65m for operational resilience failings. The regulators found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements.

Operational resilience refers to the ability of an organisation to continue operations through adverse events or changing business conditions. It entails adapting and responding to, as well as recovering and learning from, operational disruptions such as a cyber incident, natural disaster, system failure, or sudden change in market conditions.

Building operational resilience

  • User: Building resilience is not just an exercise in compliance but should be a cultural shift across the board. It needs to be developed as a guiding principle for all personnel, from C-suite to IT professionals.
  • Business: Enterprises need to conduct operational risk management to identify and prioritise targets of resilience measures, and need to map interdependencies between the enterprise and its partners, vendors, customers, workers, departments, and business units.
  • IT: Organisations need to perform resilience testing to measure readiness for various challenges and use the results to assess risk and develop mitigation strategies. These mitigation measures help enterprises establish IT systems resilience.

According to McKinsey research, companies report that disruptions lasting one month or more occur every 3.7 years, resulting in losses worth almost 45 percent of one year’s EBITDA over the course of a decade.

The Financial Conduct Authority (FCA), therefore, has published operational resilience requirements for firms and created a broader self-assessment questionnaire to help firms understand their operational resilience capabilities, including their cyber capabilities.

 

Photo by Alex Shute