FCA Review: Implementing Technology Change
The FCA are due to publish their Policy Statement on Operational Resilience in Q1 2021, and in anticipation of that, this week we’ll review the FCA’s proposals on operational resilience - first proposed in 2018 - and their more recent review of implementing technology change within firms. Taken together, the findings on both subjects provide a very clear roadmap for planning and implementing successful technology changes and preventing operational disruption as technologies and ways of working continue to change.
The most recent review looks at how firms implement technology change – something that most firms have had a lot of experience with over the previous twelve months – and what happens when the changes don’t go to plan. The FCA says the review reveals that failed technology changes are one of the main causes of operational disruption within firms, accounting for “a quarter of all high severity incidents that cause harm to consumers and the market”.
The intention of the report is to offer some support and guidance to firms that are assessing future technology changes and which could benefit from the Regulator’s findings on how to reduce the frequency and severity of disruption due to technology change activity.
The pace of change in the use of technology in financial services has increased dramatically. The recent Woolard Review highlighted that regulatory change is somewhat out of step with innovation and more recent technological norms – an issue that will be considered and decided on in due course – but in this technology change review, the FCA aim to give guidance on a good balance between innovation, improvement of service and lower costs, and the operational risks that come with change.
In short, the FCA found the following to be associated with higher change success rates:
Firms with well-established governance arrangements have a higher change success rate
Firms that allocated a higher proportion of their technology budget to change experienced fewer change related incidents
Frequent releases and responsive delivery can help firms reduce the likelihood and impact of change related incidents
Effective risk management is an important component of effective change management capabilities – firms that continually manage risks as part of day-to-day project management were more likely to have higher change success rates than those with an ad-hoc approach.
Some common practices were linked to change failures. In particular, failing to review any changes that were taking place in third-party firms was an issue, with over 20% of incidents at third-parties caused by change. Similarly, relying on high levels of legacy technology is linked to more failed and emergency changes. The review highlights the importance of ensuring that potential and future technology changes and the communication of any changes are borne in mind when contracts are drawn up.
Interestingly, the review also noted that where firms were reliant on manual testing and review, issues could arise, and the Regulator suggested that “repeatability and consistence” throughout the change cycle – and the implementation phase – could lead to more successful outcomes.
And perhaps unsurprisingly, changes deemed to be ‘major’ were twice as likely to result in an incident. Whilst this is in some part due to the fact that most major changes are very complex, the review also highlighted that one key assurance control regularly utilised was the Change Advisory Board. As the CAB has approved over 90% of the major changes it has reviewed, the FCA state that this high approval ratio, which is not matched by success in practice, raises questions over its effectiveness.
The underlying theme of the FCA’s operational resilience consultation is that some business disruption can be tolerated, but that the firm should organise business to ensure that any impact on customers is limited, with continuity of services a key aim. The consultation proposes that firms identify important business services – those that if disrupted could cause harm to customers - and then set impact tolerance levels beyond which disruption would cause intolerable levels of harm. After this, firms should test how well they are able to remain within the impact tolerances in a number of both severe and ‘plausible’ disruption scenarios.
The issue with incidents arising from change is how significantly they can affect consumers, who are increasingly reliant on digital methods for accessing financial services. Although a relatively small number of incidents that affected customers related to change, of those incidents classed as ‘high severity’ almost a quarter were due to change. To help reduce the impact on customers, the FCA suggest that having comprehensive, well-tested roll back plans, which should include internal and external communications to tell people what alternative channels are in place, is a key resource.
Firms should also be aware of the correlation between the length of time technology change governance arrangements have been in place and higher success rates. The FCA found that firms that “had governance arrangements in place for more than a year experienced a lower proportion of incidents resulting from change when compared to peers with newer arrangements.” Challenge from technical experts and from Non-Executive Directors, and both periodic and ad-hoc reviews of processes as a result of lessons learned, were also presented as positive arrangements.
The final policy statement is due by the end of March 2021. Although there is likely to be an implementation period, the new requirements are useful to bear in mind when planning for 2021/22.