I’ve previously worked with several software businesses and even been a Non-Exec Director in that space. I’m not a technical person; my input and value have been more strategic, commercial and governance related.
It is with that background that I am making the following observations about the recent TSB systems migration debacle. Whilst on the face of it responsibility for this mess and the initial migration failings sits with their IT team, perhaps the people who’ve really failed the bank and its stakeholders sit elsewhere.
If you’ve ever done the Institute of Directors’ course on being a Non-Exec (it’s very good and if you have aspirations in that direction I can recommend it) you’ll know that one of the major areas they focus on is risk. All Boards should have a Risk Register. Its purpose is to identify potential risks to the business and provide a mitigation strategy for managing and dealing with each risk. For example, many businesses now rely on off-site servers to store data or run cloud-based software. Whilst the chances of a jumbo jet landing on your data centre are quite low, something negative happening to it (a fire, a flood, an act of terrorism, a major prolonged power outage, damage to the local internet infrastructure etc.) is more likely and, if it did happen, would have a catastrophic impact. A common mitigation to that sort of risk is to use two separate data centres with the capability to hot switch between them so that the business isn’t affected in the event of a problem; a business continuity strategy.
In very simple terms, a Risk Register identifies ALL the potential risks facing the business, estimates the likelihood of each risk coming to pass and scores the impact if it does, so that the Board can take appropriate measures to mitigate the risk and have a ready-made strategy in place. This process is an essential framework for any business and something we strongly recommend putting in place if it isn’t already.
A major IT systems migration posed a clear risk to the bank on many levels: an operational risk, a financial risk, a fraud risk, a reputational risk and a commercial risk. Given the level of risk involved, why, when everything collapsed, did the bank look so shocked and seemingly at a loss to know what to do? What Board level mitigation strategies had been put in place in the event of a problem? What testing protocols had been used beforehand? Why did they not have a Plan B ready to roll out if the migration went wrong? Why, at Board level, was nobody asking “what would happen if…?” and equally, why at Board level did no-one have a plan to remedy the situation? As a Board, it was surely foreseeable that there could be problems?
IT is complex and goes wrong – it happens. Not having a plan to deal with it shouldn’t. Ever.