Recent high profile failures in digital transformation projects have highlighted the possible financial, reputational & operational repercussions when things go wrong.
Regulatory fines are not uncommon, especially where customers are impacted.
As many firms look to move away from legacy systems, here are some tips to avoid distressed IT projects:
Due Diligence: Issue: some IT platforms are new to the UK financial services market so may offer great functionality, but are not yet configured and adapted for specific sectors. This can mean there is no certainty that the IT vendor has the capability to deliver and operate the platform in a highly regulated environment.
Mitigation: It is critical that firms engaging in complex IT programmes carry out adequate due diligence, including the tech vendor's capabilities and whether the proposed solution reflects its requirements. Firms need to ensure they have adequate resources and time planned into the programme for this crucial stage.
Fourth Parties: Issue: as IT solutions become more complex, there is an increasing reliance on third party infrastructure and third party vendors. Whilst the prime vendor often agrees to remain contractually responsible for its subcontractors, that does not guarantee the adequacy of that vendor's supplier management processes and procedures.
Mitigation: Firms need adequate visibility over who is providing the solution and the risks posed. This includes ensuring robust vendor testing, monitoring and controls and that hard-fought contractual provisions are flowed down. Failures often occur further down the supply chain so firms should consider investing in more extensive due diligence and active monitoring of fourth parties.
Planning & Design: Issue: As many organisations want to move at pace in an agile manner, it is tempting to proceed with projects without sufficient documentation. The lack of comprehensive design documents, for example, can lead to challenges with verifying that infrastructure is aligned to expectations and requirements.
Mitigation: A complex migration from legacy infrastructure needs significant planning & scoping; particularly when involving complex core banking solutions which have often been highly customised over a long period of time. It is paramount that planning and design documents are included in the contract, as leaving them "to be agreed" can result in little contractual protection around timescales & solution outcome if documentation is not adequately finalised.
Testing: Issue: again, in order to save time, it can be tempting to reduce the scope of testing (for example scaling down testing of certain non-functional requirements). Without proper testing, problems can be missed that later cause issues following go-live.
Mitigation: This highlights the importance of a rigorous testing regime. Firms should ensure adequate focus is given to testing, including upfront planning, testing mechanisms in the contract and adequate time and resource.
Business Continuity: Issue: at the outset of a project no one wants to consider the worst case scenario of implementation failure, and therefore there is often no adequate "plan B". Insufficient contingency planning can lead to extensive disruption for a prolonged period of time. The failure of one system can also led to problems with other systems that are not designed to take the strain and have never been stressed tested.
Mitigation: It is crucial that firms have appropriate contingency plans to prepare for disruption, with clear detail around what will be done, including its strategy for communications and complaints handling. Firms should also engage with providers upfront to ensure adequate contractual provisions relating to implementation, updating and testing of contingency plans.
Seeking to build in greater operational resilience can cause tension with certain programme objectives, with project teams often under pressure to move at pace and many teams adopting an "agile" delivery model which can shift more risk onto the customer.
However, there is more focus on regulatory requirements, operational resilience and critical third parties and the willingness of the regulators to issue fines are a timely reminder of the importance of ensuring there is adequate governance, time and resources for due diligence, planning, testing & monitoring.
If you are embarking on a digital transformation project we can help you navigate the risks up front. Please contact a member of our Tech Group.