SHADOW IT RISK SCENARIOS THAT CAN JEOPARDISE FINANCIAL INSTITUTIONS’ OPERATIONAL RESILIENCE

 

Enhancing the robustness of the UK financial sector is a major priority for the Bank of England (BoE) in the current environment. Its response, the Operational Resilience (OpRes) initiative, demands that financial institutions clearly demonstrate that they understand their risk exposure and that they can proactively deal with, and even pre-empt, potential disruptions to their business. The BoE describes a resilient financial system as one that can ‘absorb shocks rather than contribute to them.’

These disruptions can include anything from physical fires, flooding, power interruptions and data quality issues, to Black Swan events such as 9/11 and a Brexit ‘crash out’, through to IT outages, failed technology restructuring (e.g. the TSB and Lloyds demerger) and even ‘fat finger’ issues. The list is endless.

In all these scenarios, Shadow IT (i.e. non-IT supported applications, often spreadsheets) can threaten financial institutions’ Operational Resilience programmes, given how ubiquitous Shadow IT applications typically are. These applications can feature in a range of business processes, including management and regulatory reporting, portfolio management, risk management and product management.

To illustrate, here are some real-life scenarios:

 

Henry Umney

Fire & flooding: A fire or flood at an end user or server site could cause an outage to a business-critical process if a machine is directly impacted. While those affected will likely have backup and recovery processes in place, the disruption to the business will depend on the severity of the situation. With business-critical processes typically residing in a combination of maintained enterprise IT systems and Shadow IT applications, can the financial institution be sure that the recovered business process holds the right data in the right place to recover the business? What will the business impact of any lost data be?

Power outages: These can come in different forms, either within the business or due to an interruption to an external power source. Each situation would potentially affect different applications in different ways, and with differing impacts on the business. Again, with business services and processes residing in a variety of Shadow IT environments, identifying and recovering the right data can be fraught with difficulty, with plenty of scope for lost data, given that organisations do not necessarily back up their data in real time.

Fat finger: Inputting errors owing to a ‘fat finger’ problem are not unusual, especially in Excel-based applications, where errors are hard to detect once saved. This has scope to propagate errors across the business very quickly, without anyone being aware, and with no audit trail as to how it was caused. This lack of visibility has scope to throw up a host of reputational, commercial and compliance issues around the Senior Managers & Certification Regime (SM&CR) and other Board-level governance requirements.

 

Data issues: While great care and attention is taken over data management (importing, cleansing and managing it effectively), the ability of data to propagate quickly across the organisation is unsurpassed. Where errors feature in new data, for example pricing information or FX rates, they have the potential to very quickly cause mis-pricing issues across multiple product sets and business units, which can undermine decision making, cause a range of automated transactions at the wrong price, undermine customer confidence and relationships, as well as cause a host of regulatory issues. Again, Shadow IT applications, which often feature in data import processes, can lack the controls necessary under OpRes to assure the resilience the initiative requires.

IT outages: Perhaps contrary to perception, IT environments at financial institutions are highly dynamic, utilising ‘just in time’ code updates and bug fixes on a weekly and even daily basis to support the business. Extensive effort goes into developing, testing and deploying such changes. Of course, not all code updates and bug fixes go smoothly, with problems cropping up at the most inconvenient moments. While back-ups and recovery processes will be in place, again the issue for institutions will centre on maintaining the business service and assuring the validity of the recovered results. Where Shadow IT applications feature in these changes, perhaps as tools and calculators that feed core business models, back-up and recovery processes are typically not in place, and these outages can break application links and data flows, which in turn can interrupt essential business processes.

Financial institutions have traditional IT and business processes in place in response to Operational Resilience demands from regulators. The recovery frameworks of these well maintained and managed IT processes are also understood. Where Operational Resilience is threatened is when the two disciplines, i.e. enterprise IT and Shadow IT, are connected, as they rarely share the same levels of controls. As such, all the hard work put into ensuring the resilience of enterprise IT can be undermined by failures in Shadow IT.

Automating Shadow IT maintenance and management provides the same principles of management control that are found in enterprise applications, while ensuring users can still enjoy the flexibility that they value in Shadow IT. It allows organisations to meet their obligations under OpRes, alongside many other regulatory and commercial obligations where Shadow IT prevails.

About the author

Henry Umney is CEO of ClusterSeven. He joined the company in 2006 and for over 10 years was responsible for the commercial operations of ClusterSeven, overseeing globally all Sales and Client activity as well as Partner engagements and in July 2017, he was appointed. He brings over 20 years’ experience and expertise from the financial service and technology sectors. Prior to ClusterSeven, he held the position of Sales Director in Microgen, London and various sales management positions in AFA Systems and ICAP, both in the UK and Asia.

 
