WHY RESILIENCE IS NOW A BOARD-LEVEL ISSUE FOR THE FINANCIAL SERVICES INDUSTRY
By Brian Hayes
In late 2013, Royal Bank of Scotland suffered a three-hour outage that left more than a million customers unable to access their cash – the third such major outage in just 18 months for the bank, according to the FT. In grappling with this, the FT notes that RBS has announced a nearly 25% increase in its multi-billion pound IT budget to shore up its systems, along with pledges to compensate customers left out of pocket. The issue left the bank’s CEO, Ross McEwan, branding the situation as “unacceptable”.
While RBS has the scale to cope with issues like this, other financial institutions have been less fortunate. February saw the collapse of Japan-registered Mt. Gox, a major global Bitcoin exchange, after it revealed that it had “lost” nearly half a billion dollars’ worth of the virtual currency, according to Reuters, thanks to fundamental flaws in its operating systems and processes.
These glitches highlight how vital the issue of business resilience is for banks and other financial institutions today, not only for operational risk managers—but at a board level too. At a fundamental level, the issue of resilience has moved on from being something associated with simple disaster recovery, to the ability of a business to adapt and respond to unexpected disruptions, demands, threats or potential opportunities – without any impact on the business.
What is driving all of this? Three underlying changes in the reality that banks and other financial institutions face today, which in turn are making resilience an issue of the utmost importance.
1. Banks face far greater transparency on any customer impact. In the past, an offline ATM or shuttered bank branch was hardly likely to prompt much of a visible impact. But today, when a bank’s online systems or app go down, there is an immediate and tangible response, fuelled by Twitter and social media, as consumers voice their frustrations. In Japan, for example, both the public and regulators excoriated the leadership of Mizuho, a major Japanese bank, after persistent systems troubles in the wake of the 2011 tsunami, with the company’s president stepping down as a result.
In nearly all outages today, banks are forced to respond to any issues in a public forum like Twitter, to keep pace with consumer complaints. National Australia Bank’s 2012 systems outage resulted in the bank having to respond to customer complaints via Twitter. In January this year, the UK’s Lloyds Banking Group ran into similar problems, with CEO Paul Pester taking to social media to update customers in real time on how the bank was working to resolve the problem.
Unsurprisingly, Lloyds lists the resilience of its systems as one of four principal risks facing the business, describing it as being of “paramount importance”. Quite simply: when every customer has an instant, global broadcasting platform, the impact of any failures has a potentially huge ripple effect. Banks cannot simply hope to brush an issue under the carpet, or hope that others won’t notice.
2. Banking services are now seen as a utility. The second reality is that banking today is more like a utility – a 24×7 service for consumers, just like their electricity or Internet access. If you feel like paying your bills at 1am, you should be able to do so – just as you’d expect the water and lights to turn on then.
Unlike traditional utilities, though, customers will start switching over to rivals far more rapidly when a service goes down. If the trading system of an online broker goes down, customers will immediately start to seek alternative trading channels – and may well switch altogether if their trust is sufficiently damaged – resulting in a permanent loss of customers. A retail bank may work hard to ensure its physical branches are open during office hours, but resilience carries through across all digital channels. Today’s consumers are far more likely to reach for their smartphone banking app than they are to try and ring their bank manager, or meet them in a branch. This makes multi-channel resilience a vital part of business today.
Unfortunately, however, few banks are yet truly set up to run this way. Many still rely on legacy systems that were never meant to deal with an always-on world, but were instead designed for standard office hours to support branch banking. In today’s digital era, those times are over.
3. Banking regulators have now grown teeth. Resilience as an issue in the past rarely involved any regulatory risk for banks. There was little consistency of rules across differing jurisdictions, and penalties were rare. This is changing: both the rules and the penalties are getting clearer on what is expected of a bank’s performance.
Regulators are also backing up such demands with a far greater ability to conduct forensic assessments: so whereas a bank may previously have been able to simply offer various reassurances, it is increasingly likely now to be tested on this.
Furthermore, any rulings or penalties assessed against one bank are often considered to be applicable to any bank operating in the same area. In short, one bank’s resilience failure in a given area becomes a consideration for all banks, each of which can expect to be grilled by market authorities on the same issue. Regulators are now much more vigilant, more demanding, and more capable of assessing an organization’s ability to meet those requirements.
Turnaround time: Think simple
How, then, to overcome these challenges? The first key thing to realize is that this is not solely an IT or technology problem; it’s a wider business issue. RBS CEO Mr McEwan recognizes this, explaining in a recent interview with The Telegraph that simplicity lies at the heart of his turnaround plans for the bank’s woes: simple products, simple business structures, simple processes – all underpinned by a simpler technology back-end.
However, when asked about their business resilience, too many leaders still first think about their business continuity policy, or aim to dust off their disaster recovery systems. This is wrongheaded. Disaster recovery and business continuity systems are all focused on ensuring a strong response to a crisis. But in today’s world, real business resilience requires a proactive and preventative approach, led right from the top of the business, to grapple with an issue before it emerges. This also demands a broader change in culture, which is often one of the toughest aspects of resilience to try and change.
Of course, no bank would ever admit to not having a proactive approach to resilience. But the problem is that this concern typically bumps up against the challenge of banks being under huge pressure to deliver their services more cost effectively, which in turn results in corners being cut. Many bank chiefs have admitted to having underinvested in their systems for years, while failing to properly consolidate multiple overlapping systems after prior mergers and acquisitions.
But if a bank truly gets its senior executives engaged in how to build a simpler, more resilient business for a digital world, they’ll also discover new opportunities for cost saving. This is especially true when they avoid the far larger reputational costs associated with rebuilding customer trust lost after a major systems outage, in an era when people no longer find such outages acceptable.