Resources

Regulatory Oversight, PRA ‘Dear CEO’ Letters – IT Change and Outsourcing

Written by Paul O'Leary | Jan 29, 2024 11:20:00 AM

If you're a Head of Internal Audit (HOIA), Chief Risk Officer (CRO), Board member (incl. Non-executive Director), Audit and Risk Committee (ARC) Chair, or a change leader then this blog is for you.

Dear CEO letters are notes issued that are official correspondences addressed to the Chief Executive Officers (CEO) of regulated firms. The purpose of these letters is to raise awareness and highlight areas of concern regarding regulatory compliance and industry practices.

These letters set out the PRA's supervisory priorities and have historically highlighted areas such as change management and outsourcing risk management, which includes cloud-based services. This is reflective of a growing regulatory focus on how financial institutions manage risks associated with significant IT changes and their reliance on third-party service providers.

This blog summarises learnings gained from the DCR review of several high-profile change initiatives, including programmes and projects designed to deliver new core technology to customers. It includes considerations for those responsible for delivering and assuring change across the three lines of defence.

 

Our Learnings – IT Change and Outsourcing

Change isn’t easy – underestimating costs, uncovering technical debt, discovering lurking data quality issues, aligning complex change dependencies, and a shortage of talent are all common challenges that need to be overcome. Leaders must maintain the big picture and purpose, develop the culture, capability and systems needed to confidently deliver the vision and the supporting strategic objectives.

Our team see 4 inter-connected drivers of change at firms:

From the reviews undertaken by the DCR team on ‘change’ across a two-year period between January 2022 to December 2023, we identified several key learning themes and supporting considerations. We have summarised and shared these below to help inform your own approach to change delivery. These considerations should also be evaluated alongside future regulatory oversight requests.

Change Portfolio Management:

For those firms that were embarking on a relatively larger transformation (i.e. a change portfolio of several material change initiatives, with numerous projects and programmes), the portfolio was not always clearly defined and prioritised resulting in potentially excessive amounts of change being delivered, far exceeding the organisations capacity and capability for change.

For those larger firms that had invested in their change capabilities (typically with change teams of 50+ people), the governance arrangements in place to ensure the ongoing alignment of strategy, operating model and the supporting change initiatives were recently formed and still maturing. The FCA and our own team typically find that new or changed governance arrangements need at least 18 months or more to be fully effective 1.

DCR has defined seven success factors for effective change portfolio management. Our full analysis of this area has been covered here.

Future Target Operating Model:

The future IT and business operating model was not always sufficiently defined and maintained. While this should evolve over time, those that had not yet defined and agreed led to firms experiencing difficulty when making design decisions, especially where these impacted multiple areas of the firm (e.g. contact centre, branch, online, intermediaries and across different product strategies). The options could not be clearly aligned to an agreed future way of working across the firm (inc. people, process, product, data and technology).

Those firms that were successful in this area had typically defined clear roles and responsibilities at Board level for strategy, change and transformation (e.g. Chief Transformation Officer or Head of Change). They had also invested in a supporting Portfolio Steering Group which had responsibility to ensure the continued alignment of change initiatives – this enabled challenges related to strategic direction, resourcing and funding to be resolved quickly.


Foundational Change Management Controls:

Risk, assumption, issue and dependency management was often not maintained throughout the programme. Programme managers were aware of the need to do this but typically updated only prior to weekly / monthly governance reporting cycles. 

Project and programme planning techniques also struggled to identify the future resource capacity and skill requirements, lacking specific consideration of ongoing business user commitments (inc. skills and backfill), contingency planning and the ongoing integration of third-party plans and dependencies. Where agile project management was not embedded, in only a handful of cases was detailed horizon planning undertaken (e.g. a 60 to 90 day rolling view of the detailed tasks and resources needed).

There was also a lack of Quality Assurance (QA) embedded within the project / programme itself which resulted in late surprises for the team to grapple with, such as missed dependencies with other change initiatives and risks that crystallised which could have been mitigated much earlier.  

The key risks that were often not sufficiently considered and mitigated included:

  • Insufficient resource capacity and skills (inc. that of third parties);

  • Changing business strategy and priorities that may impact the programme scope and timetable (inc. new regulatory requirements and opportunistic M&A); and

  • A change framework and approach that had not yet operated as a full cycle prior to commencing the change programme, with no approach to identify learnings and adapt quickly (incl. agile working practices and new governance groups).

  • A lack of a clearly defined approach to identifying and managing risks. This meant both project, programme and operational risks on transition of the proposed solution were not surfaced quickly enough for senior managers to evaluate the impact on change delivery and overall strategic objectives e.g. creation of new and novel cyber and technology risks in production.

Those firms that were successful in this area had invested in defining their overall firm-wide change framework, as well as had provided training for team members and supported this with consistent templates, embedded QA activity and reporting automation.

The benefit of more automated change portfolio and programme reporting was that it improved efficiency, accuracy and we sensed much more trustworthiness of information that was provided to governance groups to base decisions on.

The successful firms had also commissioned an internal audit or other independent assurance review within the 18 months prior to the review – this had enabled improvements to be identified and released funding to embed the improvements needed.  


Product and Supplier Due Diligence:

Inadequate product due diligence was generally performed where Software as a Service (SaaS) or Banking as a Service (BaaS) solutions were being procured. For example, this included not fully understanding the unique differences where the chosen solution(s) had not previously been deployed within the UK or within the specific sub-sector (e.g. wealth management or building societies).  This led to delays as surprises were uncovered in areas such as meeting specific regulatory reporting requirements, as well as the successful integration with the wider solution eco-system where pre-built APIs did not exist (e.g. mortgage brokering systems and data transfer to intermediaries). 

Where the supplier or system integrator was entering the UK market for the first time, the suppliers found that it was challenging to provide effective resource to support their programme management commitments, specifically including proper support for the business analysis and the design phase. Firms had not effectively understood the supplier's own pipeline of existing commitments and future resource challenges.

The suppliers had also created new roles within the UK once the contracts were signed, however as their UK operations scaled, they maintained overseas line management which led to higher staff attrition than was optimal (lost knowledge and handover delays) and difficulties for firms to escalate and resolve delivery issues.

In some cases, firms who entered these new relationships were fully aware of the risks and had structured their contract and payment milestones appropriately, as well as had invested in dedicated roles that were responsible for partnering more closely with these third parties (e.g. integrated daily stand-ups, planning and reporting). Others needed to pivot quickly to bring more of the supporting roles in house and then work collaboratively with the supplier to re-negotiate the delivery plan and priorities.

Those firms that were successful in this area invested time to clarify their future business strategy and desired operating model, agree their risk appetite in this area at board level, understand the market options in consultation with support from a third party, as well as undertook robust due diligence and obtained references from other firms that had comparative requirements to their own (UK and International, as well as across industry sectors).


Board Oversight of Material Change and Outsourcing:

For medium to large firms, there was generally inadequate oversight and reporting of both the material change programmes and also the material outsourcing arrangements to the Board. 

Where change reporting was provided, it did not consistently provide an accurate view of what was happening on the ground, as well as it missed an informed forward-looking risk assessment. The board struggled to fulfil their responsibilities as the information being provided was regularly changing structure and had other limitations.

Board members had received training in other regulatory focus areas such as cyber security and operational resilience, however had not received training on transformation and change (in many cases this was stated as a top risk at the firm to manage). 

Those small to medium sized firms that were successful in this area had considered a non-executive director and / or board member with change experience to guide them and ensure the right questions could be asked of management. Where their experience was more diverse and gained from the non-financial services firms (e.g. retail and software / technology sectors) this had proved helpful.


Developing a Firm-wide Change Framework:

In almost all cases, firms had recognised that their overarching firm-wide change framework was not fit for purpose (typically it was not appropriately right sized for the firm and had not been tailored to the current practices used).  

Other common areas for improvement in this area included:

  • The lack of consideration of board risk appetite and missing alignment with the firm’s key risk indicator reporting.

  • An over-reliance on the day-to-day collaboration of project, programme and change staff to follow minimum change processes, implement common ways of working and agree reporting requirements. This was particularly challenging where new staff had joined the firm and had brought their own good practices from competitors or other industries (e.g. software / tech), which were then merged with the firm’s traditional / legacy practices. This resulted in a lack of consistency and outcomes delivered that were unpredictable.

  • The lack of early involvement by key stakeholders such as Legal, Compliance, Human Resources, Information Security and First Line Risk functions to help shape the change requirements and outcomes where they were key stakeholders. This resulted in delays as there was some rework of solutions needed late in the change that could have been avoided.

  • Principles and ways of working related to agile project management and software development were not defined and not consistently followed. In some cases, this led to a misunderstanding of roles by business owners and a growing disconnect between technology, security and change teams across the firm (ongoing collaboration and delivering working software should be a benefit of agile ways of working).

Those firms that were successful in this area had considered at board level the weaknesses in the change framework, and had adjusted the change portfolio to reflect the amount of change that could be delivered given the change maturity, as well as competing change and business as usual priorities.  

 

Considerations

Change is the only constant in financial services due to the rapidly evolving nature of global markets, customer expectations, regulatory environments, and technological advancements. Financial services operate in a dynamic environment where new financial products, emerging markets, and shifting regulatory demands continually reshape the industry. This constant state of flux requires firms to be agile and responsive, adapting their strategies and operations to maintain competitiveness and compliance. 

Having confidence in a firm's approach to leading and delivering change is crucial and we expect this to receive continued focus from the regulator.

A firm that demonstrates a robust and proactive approach to change is more likely to sustain growth, navigate challenges, and remain a leader in the competitive landscape of financial services.

All lines of defence (inc. change teams) will benefit from the regular review of its approach to change. This will help to inform any additional action plans that could now be put in place to reduce the risk of not delivering the firm's strategic objectives.


How can DCR help?

What makes us unique? We are Professional Services done differently.

Robust independent change advice and assurance doesn't happen by accident. Our team have extensive experience of working in both a delivery, advisory and assurance capacity across financial services in regards to all areas of IT Change and Outsourcing.

We can work collaboratively with you to plan, execute, quality assure and provide assurance over your change portfolio.

Change is inevitable and we therefore focus on building your own sustainable internal capability - we want you to measure us not just on the quality and insight of our deliverables and outcomes achieved, but also on the successful knowledge and skills transfer with your own teams.

We are passionate about building a change community and have established a quarterly roundtable where we aim to build our collective skills, experience and knowledge together. Are you responsible for leading, delivering or assuring change and would like to join our community of change professionals? Get in touch to let us know!

 

Reference: 1: FCA Publication – Implementing Technology Change (February 2021): Implementing Technology Change | FCA

 

If you are looking for additional support or guidance in this area, please visit our Change Delivery Support page or reach out to our knowledgeable team.