Change and transformation – a continued threat to resilience?

We find ourselves twelve months on from the primary operational resilience regulatory self-assessment deadline, and now less than two years away from the end of the ‘transition period’ - when the operational resilience framework needs to be fully operational in the regulators’ eyes.

Now is an appropriate time for firms to take stock of their operational resilience journey so far.

Organisations have some crucial questions to consider and address during the transition period: For example, has resilience improved as a result of work undertaken to date? To what extent has the required investment in operational resilience driven insights and value for the business? How can organisations become resilient by design?

While threats from the external environment (such as from a future pandemic, third-party/supplier risks and cyber-attacks) are evident to most financial services executive teams, we think there can be a lack of attention paid to what could be one of the most significant internal threats to firms’ resilience: change and transformation.

Over the last few years, we have witnessed significant business interruptions caused by inadequately managed change delivery. Arguably, it was inadequate management of change that triggered operational resilience regulations; when in March 2018 TSB failed to migrate millions of customer accounts to its parent company's Proteo platform, this left customers unable to access their accounts for several weeks, undoubtedly causing intolerable harm to their most vulnerable customer base. More recently, Facebook's 2021 outage caused by a ‘server configuration change’ prevented its 3.5 billion users from accessing their social media and messaging services for six to twenty-four hours in some cases. Whether lack of access to Facebook caused ‘intolerable harm’, or a net societal benefit, we leave you to consider. Nevertheless, these examples highlight the impact that planned and anticipated change can have on resilience, if not well-designed or well-executed.

While disruptions caused by change and transformation are headline-grabbing, we know there are many more that cause real harm to customers, to the firms that execute those changes and potentially the wider financial services markets. In the FCA's 2021 ‘Implementing Technology Change’ report, they concluded that "failed technology changes are one of the main causes for operational disruption within firms, accounting for a quarter of all high-severity incidents that cause harm to consumers and the market."

Getting your firm to focus on designing and executing change and transformation effectively can be challenging. In the management information provided that we see, we often observe it can be challenging for both boards and executive teams to see ‘the wood for the trees’. Boards in particular can either be left struggling to identify the really significant issues – whether or not they have yet crystallised - or find themselves getting dragged into the mire of detailed operational matters that should be the remit of executive management. Regardless of the current regulatory-driven agenda on operational resilience, effective and efficient oversight of, and reliable assurance about, transformation risks and issues at executive and board level continues to elude many financial services businesses.

It is evident from our work supporting clients during the implementation and transition phases to date that firms have invested significant amounts of time, effort and money to increasing their operational resilience and to satisfy regulatory requirements. However, we haven’t typically seen the same level of focus, rigour and effort being applied to the consideration of the effectiveness of their change and transformation approaches.

Why this is the case is far from simple and, most likely, will be specific to each individual firm’s circumstances – including the nature, scale and complexity of its change portfolio, and its recent experience with change, design and implementation. We feel that – relative to product and process-centric considerations around important business services – this important issue is generally harder to understand and get to grips with and requires a degree of firm-wide thinking that firms can find challenging.

Regardless of the specific reasons applicable to each firm, we think it is vital that firms turn their attention to change and transformation to provide confidence and assurance that impact tolerances will not be breached and customers and critical business functions will not be harmed as a result of any change activities that are being poorly managed. By doing so, we believe this should help many organisations to understand and realise the wider firm reputational and economic benefits they can get from their focus on operational resilience.

There are several areas firms can start considering to future-proof their resilience against the risks that are introduced or amplified by change. We believe there are three main areas for organisations to consider

1. To what extent is resilience at the core of your operating model?
   If an organisation were to aim to be resilient ‘by design’, this would drive how change is prioritised, commissioned and delivered. It would provide increased clarity on how the portfolio of change will either increase, maintain or decrease the firm’s resilience in the widest sense, and enable the firms to make better, risk-based investment decisions.
   
   
2. Do your delivery methodologies for change support or detract from resilience?
   Whether it's waterfall, agile or a hybrid delivery approach, firms need to deploy processes and governance that ensure resilience is considered from initiation through to go-live and embedding, such as having operational resilience non-functional requirements in all major transformation projects, linking project testing with ongoing scenario testing, and upgrading governance gate checklists to include operational resilience considerations.
   
   
3. Is the impact of change on resilience clearly communicated and understood?
   Successful change initiatives require a dialogue, between:

• BAU and change teams - to understand how the proposed change might be expected to impact the resources required to deliver important business services
• the Board and senior management - to ensure the expected benefits and levels of resilience are actually delivered in practice through change that is in line with board expectations and pre-agreed outcomes.

How can Crowe help?

We continue to support clients on their operational resilience transition journeys, helping them to refine their operating models and approaches to create and protect value through more practical, better embedded approaches to operational resilience.

For more information, please get in touch with Keegan Gwendu, Justin Elks or your usual Crowe contact.