Key operational risk management lessons from one of the largest IT system disruption events in the UK financial services industry, at TSB in April 2018
On 19 November 2019, TSB released a report authored by the law firm Slaughter & May. The report captures the findings of an independent review into the large-scale system disruption event experienced by the bank in April 2018. You can access the full report from this link. Below are some of the key operational risk management lessons learnt from this event:
1. Senior executives took key business decisions that had a significant impact on the bank's future without adequately considering the risks associated with those decisions. In March 2015, TSB received a takeover offer from Sabadell. Soon after announcing the offer, Sabadell indicated that it intended for TSB's systems to be migrated before the end of 2017. At this stage, Sabadell did not have detailed knowledge of TSB's requirements. TSB's Board and senior executives recognised that the proposed timelines were not realistic, but they still embarked on the project and the timelines were not revised for 2 years. It seems Sabadell senior executives were overconfident in their capabilities and TSB senior executives did not want to strongly challenge their new owners in the early days after the acquisition. The combination of these two factors (in my opinion) sowed the seeds of failure that would culminate in one of the biggest IT system disruption events in UK financial services history.
2. Senior executives failed to adjust their plans and decisions even when more information on risk exposures became available and significant delays and cost overruns started to occur. This can happen on projects where the senior executives at the highest level of an organisation decide on a project timeline and the rest of the organisation starts treating that timeline as "holy". Any challenge to the timeline can be treated as a challenge to the senior executives and perceived as "political suicide". It is common in such situations for everyone on the project to keep their heads down and continue working while fully knowing that the timeline is not achievable. However, this is where the 2nd line Risk Oversight and Internal Audit functions should have played their role. The investigation highlights that both functions continued to give the project a satisfactory rating, which created a false sense of assurance for the board and senior executives. The bank had implemented the three lines of defence model, which is considered "best practice" within the financial services industry, but it failed spectacularly in this instance.
3. The Chief Risk Officer and the senior executives at TSB recognised in the early phases of the project that they did not have adequate capabilities in their 2nd line risk oversight function to challenge the project team on the risks of undertaking one of the most complex and ambitious IT system projects in the UK. This highlights the risk of "not having an adequate level of risk management challenge capability within the organisation", a risk you won't find in most risk registers of financial services firms.
4. The project team identified a total of 22 risks associated with the project. However, the risks were defined in very generic terms, such as "Excessive complexity", "Resilience", "Management stretch", "Cost increases", "Customer", "Fraud", "Use of 3rd parties", "Planning", "Design", "Financial synergies", "Payments landscape" and "Reputational damage". It is shocking to see the risks of one of the biggest and most complex IT projects of the bank being managed at such a generic level. It is very difficult to assign risk owners to and assess such generic risks, and even more difficult to define effective controls for them.
5. The board and senior executives did not fully understand the key components of the biggest IT project being implemented in their firm. They assumed that their IT service provider was customising an existing, tried and tested retail banking software package for TSB's business requirements. They did not realise that the IT service provider was building new, ground-breaking banking software and that TSB would be the first organisation to use it. It is mind-boggling that, with 1,400+ people working on the project and multiple committees running it, no one escalated this critical piece of information up the management chain.
6. The event highlights the risks associated with IT projects involving a large number of third parties. The project involved over 70 third-party suppliers. A large number of third parties significantly increases the complexity of a project, resulting in an excessive level of risk exposure.
7. The event also highlights the risks associated with using an IT system vendor that is part of the same group. TSB is owned by Sabadell Group and engaged the group's internal IT services provider, SABIS, for the project. As SABIS was part of Sabadell Group, TSB did not perform the level of due diligence on SABIS's capabilities that it would have performed had it engaged a third-party supplier. Nor did it adequately challenge SABIS during the project, as it presumably would have done with a third-party supplier. This is a common scenario for foreign banks operating in the UK, which have to rely on their group IT teams for major IT system changes. The event at TSB highlights that the UK legal entities of foreign banks should treat their group IT teams with the same level of rigour as they would apply to a third party. The level of due diligence and challenge should not be diluted for group IT teams, as this can create a false sense of comfort and risk blind spots.
The team at RiskSpotlight is in the process of documenting the key operational risk management lessons from this event; the document will expand on the above points and cover other areas of focus. We plan to publish it in the first week of February 2020. If you are interested in receiving this report, please send an email to [email protected] with the subject "TSB Report".
If you are interested in monitoring emerging operational risk topics and incidents, as well as having access to our in-depth analysis, then register for a two-month free trial of our web-based operational risk horizon scanning service "RiskSpotlight Portal" from this link.
Transformational Nonconformist - It is time to Think Differently about Risk. "It didn't take guts to follow the crowd, that courage and intelligence lay in being willing to be different" Jackie Robinson
4 years ago: Complete failure of 3LoD, we have to change the way we think about the management of risk!
Risk Manager, Advisor, Lecturer and Researcher
4 years ago: Thanks for sharing. Not well equipped/underqualified second line, generic risk and event classification, no bi-directional communication with senior management, no adequate vendor risk assessment etc., that makes a very toxic cocktail.
Author, Consultant, Dr. Business Administration
4 years ago: Manoj, thanks, and looking forward to your analysis. TSB is another example of Core Systems Replacement (CSR) Risk; see submission (and proposed Framework) to the IT resilience inquiry: https://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/treasury-committee/it-failures-in-the-financial-services-sector/written/95068.html Systems Risk is a long forgotten strand in Op Risk. Its day has come: https://www.parliament.uk/business/committees/committees-a-z/commons-select/treasury-committee/news-parliament-2017/it-failures-financials-services-sector-report-published-19-20/