Summary and implications

The dependence of modern businesses on IT systems and the far-reaching consequences of IT failure were illustrated with dramatic effect by the system crash suffered by RBS in 2012.

A malfunction in a technology upgrade led to a backlog of 100 million unprocessed payments across RBS, NatWest and Ulster Bank. This had a direct impact on customers who were unable to access their accounts and an indirect but nonetheless significant impact on many businesses and individuals who were not customers. It is believed that 10 per cent of the UK population was affected by the crash one way or another.

It has been reported that RBS paid compensation in the order of £70m to those affected. This was compounded last month by fines imposed by the Financial Conduct Authority and the Prudential Regulatory Authority totalling £56m.

The financial services industry is very heavily regulated and businesses in most other sectors would not be faced with such hefty fines on top of compensation payments. However, most businesses will recognise that they are heavily dependent on their IT systems and that IT failure could lead to significant operational losses and reputational damage. The cost of constantly replacing IT systems may be prohibitive, but there are steps which businesses can take to minimise the risk of IT failure and mitigate any damage which may be caused.

  • IT systems should be kept up to date with the latest software patches and upgraded as soon as practicable.
  • Particular care should be taken when new systems are integrated with existing systems, especially if the existing systems are based on outdated technology.
  • All data should be backed up on a regular basis, making recovery from a system failure more straightforward, minimising business interruption and potentially eliminating the risk of incurring costs of compensation to customers.
  • Effective risk management policies should be in place to ensure customer data and other business-sensitive data are protected. Recent cyber attacks on US banks and other businesses have put the financial and reputational implications of a loss of customer data clearly in the spotlight. A cyber attack is, of course, very different to a system failure, but robust risk management procedures and effective data structuring can minimise the risk of both.
  • The risk management procedures should include processes which will enable the business to deal rapidly and effectively with the consequences of IT failure. These policies will depend very much on the nature and scale of the business. In many cases they can be very streamlined and straightforward. For larger organisations it may be appropriate to have in place a rapid response team comprising representatives from senior management, day-to-day users of IT systems and those who support them, lawyers and potentially PR agents who will be able to assist in managing the adverse publicity that a high-profile IT failure could generate.
  • The policies and procedures should be reviewed periodically to ensure that they continue to respond to the needs of the business.

RBS is confident that there will not be a repeat of the incident. It has committed to investing an additional £750m to strengthen its IT systems and has changed its working practices to ease the strain on its systems and reduce the possibility of another failure.

For RBS the system crash of 2012 was a lesson learned the hard way. For other businesses, it could serve as a wake-up call to put safeguards in place to prevent something similar happening to them.

If you would like assistance in developing your IT risk management policies or managing the consequences of an IT failure, please let us know. We will be happy to help.
