Partner Article

RBS/Nat West, 3 big lessons for us all

A bank has two obligations on behalf of its customers 1) to hold money securely and 2) provide customers with access to it.

In the days that followed the RBS/NatWest/Ulster Bank debacle RBS failed on the second obligation, Robert Peston (BBC News Business Editor) stated that this incident could potentially cause RBS what is known as a “prudential problem”, meaning that one incident could create a crisis in confidence that could lead to the business becoming unviable.

Once an incident happens the way in which any business responds can be absolutely crucial.

RBS is a massive organisation and it is true they have resources on hand to attempt to firstly fix the issue but also recover the business to normal operations. This incident shows all too clearly that no organisation is too big to get into trouble and if RBS can then any business can.

What all organisations have in common big, medium or small is customer obligations to ensure that sufficient advance planning is done to prevent an incident. Furthermore, a good company should accept that when things go wrong that a controlled response is activated.

So, what lessons can be drawn from this situation and applied to our own organisations?

Prevention: A good sound integrated Continuity Program that touches all departments across the business. Many companies have now invested in IT recovery services and various back-up solutions but this is not enough on its own.

Ignoring the cause of the incident at RBS for a moment, it was clear that a disconnection existed between the IT activity and the back-office function that performs manual interventions. This led to a lack of available resource to be able to process the payments manually that led to the missing payments and incorrect balances.

Outsourced Suppliers: When agreeing a contract to outsource IT, provision should be built in that ensures cross departmental sign-off for all upgrades. The steps to regress to the previous platform version should be understood, in particular the time gap between identifying an issue and rollback completion.

Appropriate contingent resources should be on stand-by. This is particularly important in a transactional business.

Communication: External and internal messages should be ready in advance as part of an Incident Management Plan. RBS did well in most aspects of this with both the Director of Customer Service and then the CEO visible throughout.

Where they could have done better was explaining exactly what IT issue caused the incident. As Jack Clark @jackclark on ZNet this week, it is not good enough to operate a policy of security via obscurity as other cloud providers who operate equally complex security arrangements are quite open about faults.

In conclusion, it is important to plan in advance to prevent an incident but it is equally key to ensure all departments have the controls in place to operate during and through the recovery phase.

END

Dave Lloyd works with business sectors including Financial Services, Manufacturing, Logistics, Production and Supply. Dave specialises in protecting the profits and revenues of companies by implementing tailored programmes that are viable from a cost and benefit perspective. Dave offers more free research and analysis in his new paper entitled“10 Critical Facts to Protect Your Business“ at www.trueresilience.co.uk

This was posted in Bdaily's Members' News section by Dave Lloyd .