An FCA report evaluates the chequered implementation of technology change and identifies risks and best practices to help firms better navigate this change.
Of the nearly 1,000 “material incidents” reported to the UK’s Financial Conduct Authority (FCA) in 2019, 17% were caused by change-related activity. It was against this backdrop that, on 5 February 2021, the FCA set out the findings of its review entitled Implementing Technology Change regarding the execution of technology change within the financial services sector (the Report). While the Report focuses on the UK, its findings apply equally to financial services organisations implementing technology change across all geographies.
The Report evaluates the ways in which regulated firms implement technology change and aims to advance the discussion as to how firms can reduce the frequency and severity of change-related disruption. Acknowledging that technology change is driven by a wide range of considerations — from operational efficiencies to complex regulatory developments, such as MiFID II — the FCA analysed over 1 million production changes implemented by a sample of firms over a one-year period. The FCA then supplemented this dataset with questionnaires, industry workshops, and other sources. The resulting Report identifies a number of factors that contribute to the success — or failure — of technology change.
Key Risk Factors
The FCA found that the single most consistent threat to successful technology change implementation was dependence on other projects. The Report cites coordinating workstreams and executing multiple tasks simultaneously as key challenges in this context. Partly due to similar considerations, the Report also notes that third-party involvement can be a major contributing factor to change failure. Eighteen percent of all incidents reported to the FCA in 2019 were caused by third parties, with 22% of those incidents due to third party technology change activity, according to the Report. Worryingly, the Report highlights a lack of oversight of third-party performance as a concern in this regard, with the majority of firms failing to track third party technology change activity effectively.
Predictably, the FCA found that reliance on legacy technology was linked to a lower change success rate. The prevalence of such infrastructure — which is often outdated and heavily patched — correlated to an increased need for “emergency” technology changes and a greater likelihood that those changes would be unsuccessful. In this context, the Report provides a helpful overview of the status of firms’ transition away from legacy technology stacks. Over 90% of firms still depend on legacy infrastructure for live service, while cloud solutions are used to host just 17% of live applications, according to the Report. While the FCA noted the benefits of cloud architecture and public cloud technology — such as increased automation and therefore fewer manual errors that could potentially lead to change incidents — it also acknowledged the challenges firms face in migrating away from legacy infrastructure and the fact that a number of highly publicised incidents have been linked to firms attempting to make this transition.
Clearly, not all technology changes carry the same degree of risk, with some requiring greater scrutiny than others. In this sense, the FCA found that “major” (i.e., high-risk or high-impact) technology changes were twice as likely to result in failure than “standard” technology changes. Workshop participants highlighted complexity as a factor in this. However, the Report suggests that governance failures may be partially to blame and places the performance of change approval boards (or their equivalent) under particular scrutiny, observing that some went a full year without rejecting a single major change.
Key Success Factors
Alongside risk factors, the Report identifies a number of considerations that can increase the likelihood that technology change will be implemented successfully. For example, firms with stable technology governance arrangements were found to experience a higher change success rate (specifically, where those arrangements had been in place for more than one year).
Choice of project management methodology can also play a part in the likelihood of technology change success, according to the Report. Firms that demonstrated a greater adoption of “agile” methodologies were less likely to suffer technology change-related incidents. When asked for commentary, workshop respondents highlighted the ability to administer changes in smaller batches — something agile methodologies are designed to enable — as being an important success factor. Interestingly, the Report appears to support this conclusion, identifying a correlation between regular, higher volume technology change activity and a greater success rate. The fact that higher change frequency was in turn linked to greater adoption of the public cloud and a lesser reliance on legacy technology, underlines a key theme throughout the Report — ultimately, a number of change success factors are interlinked.
At first glance, many of the Report’s findings will not come as a surprise to firms or other industry participants, including the potential for factors such as the adoption of public cloud solutions and agile project management methodologies to contribute to successful technology change implementation. However, many participants are likely to be encouraged by the FCA’s recognition of the benefits of transitioning to these more modern approaches to technology infrastructure and management (including change management).
While the purpose of the Report was to contribute to the wider discussion on implementing change, firms are advised to pay close attention to the conclusions drawn out in the FCA’s analysis and to assess whether or not their existing approaches and strategies require updating. Similarly, firms should factor in the outputs of the Report when contracting for new services with third-party providers to ensure that appropriate mechanisms and processes are built into the relationship from the outset. For example:
- Building in clear rights to oversee third-party technology change activity — as well as appropriate governance forums with the necessary remits and levels of expertise — can help firms to identify risks and issues at an early stage, before they materialise in the form of failed changes.
- Providing for different categories of change (e.g., minor technical changes versus major system updates) to be agreed and governed in different ways can enable firms to focus oversight on high-risk changes without unduly inhibiting low-level operational activity.
These are just a few examples of the range of considerations that should be at the forefront of minds when firms are contracting for IT services, in light of the risks and challenges associated with the implementation of technology change (and the significant costs of failure).
This post was prepared with the assistance of Nara Yoo in the London office of Latham & Watkins.