Resilient Applications in Financial Services
On July 16th, the City Business Club held an event at the Metro Bank London headquarters following a survey they had circulated. What became obvious after analysing the results of this survey was that most businesses care deeply about application resilience but few actually have policies in place to address issues linked to lack of application resilience, and to deal with their consequences.
We were honoured to be invited to speak at this event, alongside speakers from Expert Witness and ISITC, and to engage in conversations about application resilience with experts from all areas of financial services.
Here is a summary of what was covered on the day:
Martin York – Founder of City Business Club
Martin introduced the work done by the City Business Club a not-for-profit organisation which helps business grow in London. Martin presented the results of a CBC Application Resiliency survey of over 100 financial services businesses.
- 100% concerned about major application failure
- 60% had a corporate policy (no one was concerned about regulatory impact)
- 60% said reputation was the most important impact, 25% said it was revenue impact
- 60% said application resiliency was specified in governance policies, 20% said service levels and 20% said no policies
- 60% said application resiliency resided with IT, 20% with business unit 20% said it was partly automated. No one said it resided with the board
- 60% tested continuously 20% annually and 20% sub annually
- 80% said they could improve selectively 20% said across the board
- 80% said MTBF was the measure 20% had no metrics
Charles Brewer – Expert Witness to the courts
Charles talked about his experience as an expert witness on IT failure in court cases. He highlighted the seriousness of a case he’d been involved in that hinged on changes to a database where the defendant faced 10 years in prison and a fine. He also gave several examples of IT disasters including TSB, British Airways and Boeing which caused loss of value and reputational damage.
Application failures can be slow or fast and obvious or hidden. For example a Microsoft Voice to Text was Obvious and Fast whereas as the Boeing 737MAX software issues were Hidden and Fast. Of course, life often imitates art and Charles pointed to the fictional example of the BBC programme W1A where the Sympatico subtitles learned its mistakes and could not be turned off.
In his view hardware and network failures are well understood, and can be avoided. However application failure is more nebulous, and harder to understand but is, in many cases more likely to cause financial, reputational and commercial damage than any other form of systems failure.
Rob Scott – CEO ISITC Europe and Managing Director at Commerzbank
Rob gave an industry perspective on the impact of digital innovations on financial services including Artificial Intelligence, Clouds and Open APIs. He also talked about Cyber attacks and said that in recent times a significantly increasing number of high profile IT failures have occurred across industries which is putting a lens and spotlight from regulatory and supervisory bodies.
For example the UK FCA has pointed to vast inconsistencies in the manner firms generally positively self-evaluate change mgt surrounding IT landscapes to the reality that change Mgt was the leading root cause of IT disruption. The UK FCA plans further work to assess firm’s current approaches.
Rob suggested that the key areas of focus should be not only set-up, operational resilient environments but also stressed the importance of people and education to reinforce effectiveness. He noted that the average age of a core banking application was 35-37 years and this was supported by a workforce average 56-57 years old. He also noted that people who understood end to end process works are very scarce and that this should be a matter for the top of organisations.
Rob said he expected the winners will be agile players who can adapt quickly in (m)any environment(s) while slow traditional players with a lot of legacy and bureaucracy would likely be losers.
Aled Sage – VP Engineering at Cloudsoft
Aled talked on Business Application Resilience: Challenges & Good Practice. He compared and contrasted disruptor companies noting that Google’s involvement in Libra illustrated that tech giants could themselves disrupt financial services. Contrasting the disruptors being typically ebing cloud-native and extremely agile with incumbents who have hybrid environments, are less agile but crucialy have legacy applications that are really valuable he counselled focusing on the basics by improving resiliency and agility of existing apps as well as fitting with old-world and the future.
Aled talked about a tier-1 investment bank Cloudsoft work with that is taking an application-centric approach to resiliency. The bank is involving the application architects, and letting them specify the recovery policies that are right for that application. They are also using tools and a consistent approach for specifying these policies in code - so it can be automated and tested. This addressed previous manual processes, bespoke process, fragmentation and challenges in testing applications.
Aled touched on the role of self-managing or autonomic systems including Cloudsoft AMP in streamlining development, operations and governance for any application on any cloud. He also have a set of suggested next steps to improve application resiliency.