Tech & Sourcing @ Morgan Lewis


The UK Financial Conduct Authority (FCA) has published its findings on an extensive review into the factors which determine failure or success when implementing technology change in the financial services sector.

The review looked at how financial sector companies manage technology change, the impact of change failures, and the practices utilized within the sector to help reduce the impact of incidents resulting from change management.

The analysis found that change-related incidents are consistently one of the top causes of failure and operational disruption, with 17% of “material” incidents reported to the FCA in 2019 attributed to change failures.

Although the focus of the review was on UK companies, its findings should be of interest to any business that relies on third-party technology providers and is seeking to improve the operational resiliency of its technology change management process.

Output of the Review

The analysis highlighted five practices identified as contributing to change success:

  1. Having more robust and well-established governance arrangements
  2. Having a lower proportion of legacy technology (being an existing infrastructure or software)
  3. Dedicating a large proportion of their IT budget to change activities
  4. Deploying smaller and more frequent releases, particularly those made through an agile delivery model
  5. Engaging in effective day-to-day risk management

Conversely, the report also recognizes four practices identified as contributing to change failure:

  1. Lack of visibility of third-party changes
  2. Having change management processes which are heavily reliant on manual review and actions
  3. Having a higher proportion of legacy technology
  4. Undertaking changes considered to be “major” by the firm

Preparing for Change Success

There are a number of processes and methodologies that companies can entrench into their business and their relationships with technology suppliers which will deliver change success:

  1. Establishing comprehensive governance arrangements and effective risk management procedures and seeking contractual commitment from technology partners to participate in the same. This requires better utilization of Change Advisory Boards and a more thorough approach to risk review, as the report established that CABs approved over 90% of the “major” changes reported to the FCA in 2019.
  2. Setting out clearly defined change management processes and automating the process of approving smaller operational changes. The report revealed that most firms deployed changes to their core systems between once a month and once a quarter. Automation of repeated changes could improve operational efficiency and reduce the risk of human error in deploying change.
  3. Developing and implementing an agile methodology for delivery of change, and implementing frequent, smaller releases to reduce the impact of change failure incidents.
  4. Transitioning out legacy technology and building a modern, digital infrastructure, in order to take advantage of the most up-to-date technologies available, such as the public cloud, and reducing the risk of legacy IT faults contributing to change failure – although it is noted that migrating away from legacy technology infrastructure and software has its own risks.
  5. Requiring supplier contracts with third parties to include obligations to notify of changes. Most arrangements involve a degree of dependency on software products provided by third parties. In some circumstances, third parties deploy changes to these products without communicating these changes, making it difficult to track those changes. If the changes are notified and logged, this reduces some of the complexity in the business model.

Operational Resilience

Although the focus of the report was on implementing technology change in financial services firms, the output provides specifics on how technology change can affect operational resiliency.

Operational resiliency is a key issue in the financial services sector. The Bank of England, the Prudential Regulation Authority (PRA), and the FCA have prioritized stronger regulatory framework to promote operational resilience of firms and financial market infrastructures.

European Banking Association (EBA) Outsourcing Guidelines, which will be mandatory for all (including existing) material outsourcing arrangements in Europe and United Kingdom from December 31, 2021 introduced key contractual requirements to increase resiliency in outsourcing arrangements.

The European Insurance and Occupational Pension Authority (EIOPA) guidelines on outsourcing to cloud service providers also provides guidance on how firms in the insurance and pensions sectors can manage operational resiliency. Although the EIOPA guidelines are not applicable to regulated activities in the United Kingdom, from January 1, 2021 these apply to businesses operating within Europe and their new and existing cloud outsourcing contracts.