This was the case for its technology services division, but also for the wider group, which sets operational risk policies that IT teams are required to follow.
According to the FCA report, RBS risk management policies were "limited in scope because [the] focus was on business continuity and should have included a much greater focus on IT resilience".
The FCA claims that the technology services division's processes were inadequate, with problems including inaccurate records of changes to systems, inconsistent procedures across the division, and an incomplete view of IT risk.
This had a direct impact on the events that led to the batch processing software upgrade, the FCA said, as the department "did not sufficiently identify, understand or mitigate the risk of a batch scheduler failure".
Furthermore, measures to reduce the risk of outages and minimise their subsequent effects - such as separating batch processing systems - were not addressed.
"[The technology services risk function's] culture was ineffective insofar as it was based on a past history of reacting and responding to incidents, rather than forward looking identification of risk," the report said.
In addition, there was a lack of 'substantial' experience, with over half of the technology services risk team appointed within two years of the incident.
However, the FCA also said that the wider business failed to monitor risks around IT - a function that is central to the overall running of the bank. This was partly due to a lack of IT knowledge held by group management, as well as other factors, such as incomplete audits of IT, including mainframe systems in the preceding 12 months. The responsibility for management of risks also fell to the board, which did not properly review group-wide governance policy measures.
Such policies were "limited in scope" because they "addressed recovering from a single low probability but high impact event" such as the total loss of a data centre, rather than smaller but more probable disruptions like software failure.
Following the outage, regulators in the UK and Ireland began investigations into the issue, with the Central Bank of Ireland fining Ulster Bank last week for failing to ensure stability of infrastructure, which had been outsourced to RBS in 2005. The FCA also subsequently launched a wider investigation into robustness of IT systems used by all UK banks.
Meanwhile, RBS CEO Ross McEwan pledged to invest £750 million over three years to improve resilience of its systems. This included remedial action to simplify its legacy estate and attempt to prevent further occurrences. For example, it completed the separation of its batch processing systems for individual banks within the group in May, meaning that outages will not have the ripple effect on other arms of its business in future.