Operational resilience failure leads to £48.6m fine

TSB Bank in the UK has been fined a combined £48,650,000 by its regulators for operational risk management and governance failures that left customers unable to access their bank accounts and services.

By Ansarada, Mon Jan 16 2023. Industry news and trends, Security and risk management, Governance Risk and Compliance

TSB's failures related to an ambitious upgrade of the bank's IT systems, in which all corporate and customer services data was migrated to a new platform. While the data transfer itself completed, the new platform was immediately plagued by technical issues that disrupted every channel of banking service, from branch and telephone to digital, and affected the vast majority of the bank's 5.2 million customers.
 
Regulators at both the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) found that TSB had failed to meet the operational resilience standards required to manage the risks of such a large-scale IT change programme. Continuity of the bank's services depended entirely on the project succeeding, and there was no adequate contingency plan for the case that it did not.
 
“The failings in this case were widespread and serious which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable. The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems,” said Mark Steward, FCA Executive Director of Enforcement and Market Oversight.
 

Operational resilience remains a key priority for regulators

 
The size of TSB's fine reflects the harm the incident caused its customers, and illustrates why robust scenario planning and well-defined impact tolerances matter for operational resilience. It also shows that, for regulators, operational resilience is no longer optional. A disaster recovery plan, ISO accreditation and yearly audits are not enough; they are the bare minimum.
 
The FCA's new regulatory standards for operational resilience came into effect in March 2022, requiring financial services firms to identify their 'important business services', set an 'impact tolerance' for each, and, within three years, demonstrate through mapping and testing that they can remain within those tolerances. The intent is that when a critical system fails, the firm can keep operating while minimizing the impact on the business and its customers.
 
More than just a regulatory requirement, operational resilience is an opportunity and long-term strategy for progressing on wider goals and interests, including ESG and sustainability.
 
Operational resilience work also gives an organization a single, comprehensive lens on the macroeconomic and systemic risks it faces, showing how it would actually perform in a critical event or emergency.


Leave operational risk behind in 2023

Manage your organization’s operational resilience requirements with confidence by having the right risk management systems in place. Ansarada TriLine GRC is a purpose-built solution that allows you to identify important business services, set impact tolerances, and map all of them in a simplified dashboard view. Book a demo today and drive operational resilience within your organization.
