For those in the finance sector, the migration to a new banking system is a critical and complex process that demands thorough planning, detailed risk management and precise execution. It is likely to be one of the most challenging projects any CIO will undertake, because a truly successful migration ensures a seamless transition with minimal disruptions to business operations and customer experience.
However, the Prudential Regulation Authority (PRA) fine that Mr Carlos Abarca, Chief Information Officer (CIO) of TSB, received for ‘failing to adequately manage an IT migration in 2018 which led to disruption for millions of customers’, according to Reuters, suggests the need for a comprehensive review of the lessons learned and of the potential personal consequences to which senior personnel might be exposed by not carrying one out.
Botched IT System Migration Project
In this article, we will explore the key issues identified during the migration in question, the importance of each one and the steps that could have been taken to mitigate them.
Background of the TSB Migration
Leading UK retail and commercial bank, TSB, suffered severe disruptions, financial losses and reputational damage as a result of a significant IT system migration that did not go according to plan.
A report from the PRA details the relevant statutory and regulatory provisions that TSB and Mr Abarca fell foul of. These include the PRA’s general objective to promote the safety and soundness of PRA-authorised persons and the conduct rules for individuals performing senior management functions or certification functions. The CIO’s responsibilities and potential liabilities are outlined within this regulatory framework.
The Role of the CIO in the System Migration Process
It is reported that Mr Abarca played a critical role in overseeing the migration process. The PRA report identifies key issues that emerged due to a lack of objective and independent evidence-based due diligence by TSB’s CIO. The importance of proper risk assessment, governance, platform readiness and operational resilience is rightly emphasised in the report; all four are critical factors in successful migration projects.
- The Importance of Risk Assessment and Management
One of the key lessons we can take from the TSB migration project is the need for comprehensive, objective and independent “critical friend” risk assessment and management. Fresh eyes can often be better for identifying potential vulnerabilities and developing strategies to mitigate them. As a result, organisations can better prepare for, and navigate, complex migration projects.
The report emphasises the importance of strong governance structures and oversight throughout the migration process. By defining clear roles and responsibilities for all stakeholders, setting up dedicated migration steering committees and implementing robust project management frameworks, organisations can maintain control over the migration process and ensure successful outcomes.
- Platform Readiness Assessment
A comprehensive assessment of the new platform’s readiness, including functionality, scalability and resilience testing, was identified as crucial for reducing the likelihood of issues arising during the migration process. The report highlights the important role vendors and experts can play in identifying and addressing gaps or deficiencies in the platform before the migration takes place.
- Operational Resilience and Contingency Planning
The report underscores the importance of developing contingency plans, conducting regular risk assessments, implementing measures to minimise the impact of disruptions on customers and the financial system, and maintaining business continuity.
Professional Services for Complex System Migration Projects
The report also highlights the value of engaging with professional services firms that specialise in providing assurance in complex migration projects.
These firms can help organisations identify and address the role of “Expert” providers and their “Duty to Warn”, as well as potential liabilities, and ensure a smooth transition to new banking systems while mitigating the risks associated with large-scale migrations.
Key Issues Identified During the System Migration Crisis
Below we explore the four key issues that emerged during the TSB migration crisis, highlighting the significance of these concerns for CIOs in the financial services sector.
We also discuss the potential personal liability consequences of neglecting these crucial aspects and provide recommendations that could have improved the outcome of the migration project for all concerned.
#1. Inadequate Risk Assessment and Management
The importance of conducting a thorough, objective, evidence-based risk assessment and implementing a robust risk management plan was highlighted. A comprehensive risk assessment would have identified potential vulnerabilities in the migration process and provided recommendations for mitigating them. The CIO failed to perform this crucial task, resulting in unanticipated issues during the migration and subsequent disruptions to the banking system.
- Why it is important: A thorough risk assessment is critical for identifying potential issues that could arise during a migration project. Without this, organisations are left vulnerable to unforeseen complications that can lead to significant disruptions and financial losses. A robust risk management plan provides a framework for addressing these vulnerabilities and ensuring the successful execution of the migration process.
- What could have been done differently: The CIO could have undertaken a thorough risk assessment prior to the migration, engaging with stakeholders, vendors, and experts to identify and fully understand the inherent risks of the migration project. With their insights and support, he would have been better placed to devise a robust risk management plan to address all potential issues. Implementing this plan would have helped prevent many of the issues subsequently experienced.
#2. Insufficient Governance and Oversight
The crisis also revealed the need for proper governance and oversight throughout the migration process. A strong governance structure would have ensured that all stakeholders were well-coordinated, project timelines were met and vendor performance was monitored and evaluated. A lack of independent and objective governance and oversight in the TSB case contributed to the migration failures and further exacerbated the issues faced by the bank and its customers.
- Why it is important: Proper governance and oversight are essential for maintaining control over the migration process and ensuring that all stakeholders are aligned and working towards a common goal. Strong governance ensures that the project remains on track and potential issues are addressed promptly, mitigating risks and minimising the impact they might have on the organisation and its customers.
- What could have been done differently: The CIO could have established a robust governance structure that ensured proper oversight throughout the migration process. This would have involved defining clear roles and responsibilities for all stakeholders, setting up a dedicated migration steering committee and implementing a strong project management framework. These measures would have helped to maintain control over the migration process, ensuring that project timelines were met, vendor performance was monitored and potential issues were addressed promptly.
#3. Poor Platform Readiness
Another key issue was the insufficient testing and validation of the new platform’s readiness for operation. A rigorous, objective, evidence-based assessment of the platform’s functionality, scalability and resilience would have identified any gaps or deficiencies that needed to be addressed before the migration took place. Unfortunately, this critical step was overlooked, leading to a poorly executed migration and subsequent operational issues.
- Why it is important: Ensuring the readiness of a new platform is crucial for a successful migration. A platform that has not been adequately tested, validated, and verified for functionality, scalability and resilience is likely to encounter issues during the migration process, resulting in disruptions to business operations and customer experience.
- What could have been done differently: Before the migration, the CIO could have conducted a comprehensive assessment of the new platform’s readiness, including functionality, scalability and resilience testing. This would have involved collaborating with vendors and experts to identify any gaps or deficiencies in the platform and address them before the migration took place. A rigorous readiness assessment would have reduced the likelihood of issues arising during the migration and ensured a smoother transition to the new platform.
#4. Inadequate Operational Resilience
Especially within the financial services sector, operational resilience is of the utmost importance. The bank’s failure to prioritise and enhance operational resilience throughout the migration process resulted in service disruptions that had significant adverse effects on its customers and the stability of the UK financial system. Establishing contingency plans, conducting regular risk assessments and implementing measures to minimise the impact of service disruptions would have better prepared the bank for a successful migration.
- Why it is important: Operational resilience is vital for maintaining business continuity and minimising the impact of service disruptions. In the financial services sector, where stability and trust are paramount, a lack of operational resilience can have severe consequences for the organisation’s reputation, customer satisfaction and the overall stability of the financial system. Establishing a robust operational resilience framework can help organisations effectively manage and recover from disruptions, thereby ensuring a successful migration and ongoing business continuity.
- What could have been done differently: The CIO could have prioritised operational resilience throughout the migration process by developing contingency plans, conducting regular risk assessments and implementing measures to minimise the impact of service disruptions. This would have better prepared the bank for the migration, ensuring that it could effectively manage and recover from any disruptions while maintaining business continuity and customer trust.
The TSB migration crisis serves as a stark reminder of the personal liability risks that CIOs in the financial services sector may face. The case highlights the importance of thorough, independent, objective and evidence-based risk assessments, strong governance, platform readiness and operational resilience in ensuring a successful migration.
By proactively addressing these critical aspects, CIOs can mitigate potential issues and safeguard both themselves and their organisations from significant disruptions and financial losses. Additionally, engaging with professional services firms that specialise in complex migration projects can provide invaluable guidance and support. CIOs must recognise the potential consequences of overlooking these factors and prioritise preparedness and resilience in their migration strategies to protect their organisations, their customers and themselves from liability.