Counting the cost of IT failure


Inside the enterprise: Banks, telecoms and healthcare providers are just some of the UK's businesses that face ever tighter regulation.

Naturally, we expect providers in sectors where lives are at stake, healthcare above all, but also water, energy and transport, to be regulated.

But companies whose goods and services we all depend on, including utilities and other "critical national infrastructure (CNI)" providers, are also facing greater regulatory and government scrutiny. And that scrutiny is extending to how they operate their IT.

Regulators have a responsibility to ensure safe products, whether they are trains, pharmaceuticals, or energy supplies. And they have a responsibility to ensure competition.

But increasingly they are also focusing on ensuring the safe and reliable operation of the services they supervise. And that is extending beyond utilities and healthcare, the core of conventional CNI, to industries such as telecoms and banking.

This, then, is the background to the news that regulators are fining RBS Group a total of £56 million for an IT failure back in 2012. Banking regulators have made the headlines regularly over the last few years for fining banks for their conduct, payment protection insurance and foreign exchange rigging being just two examples. RBS itself was recently fined £217 million for manipulating exchange rates.

Fines for IT failures are rarer, but they could become more common as regulators take a tougher line on failures that put consumers at a disadvantage. The fines against RBS Group, which runs NatWest and Ulster Bank, stem from a failed software upgrade that locked customers out of their accounts.

The fines consist of two penalties: £42 million from the Financial Conduct Authority, and a further £14 million from the Bank of England's Prudential Regulation Authority.

RBS Group has already admitted it has IT issues, and the failure in 2012 was not the only one. The banking group also suffered outages at the end of 2013, and the company's CEO blamed under-investment in technology for the problems.

It is possible the bank will face further regulatory sanctions as a result of this, and for another outage in March 2013, which locked the bank's customers out of cash machines. Certainly, RBS has had to make provisions, above and beyond the regulators' fines, for compensation: it set aside £125m to cover the 2012 incident alone.

RBS Group's problems should serve as a lesson, both to companies operating critical infrastructure and to those in regulated industries. Regulators are not going to stand by while services fail and customers are disadvantaged. And blaming computer systems is no excuse.

The FCA's announcement of its sanctions against RBS Group makes for interesting reading.

The regulator found that the "underlying cause" of RBS' problems was "the Banks' failure to put in place adequate systems and controls to identify and manage their exposure to IT risks", and that these went deeper than the software failure that caused the glitch.

RBS, the FCA found, failed to properly understand IT risk and to apply risk management policies, and failed to build in enough resilience to ensure the bank could continue to operate in the event of a problem.

There is an old saying: "fail to prepare, prepare to fail". Even without regulatory fines, it is cheaper to have contingency plans than to face the consequences of IT failure.

Stephen Pritchard is a contributing editor at IT Pro.