We need a Bank IT Stress Test, and we need it now

This summer will be remembered for a number of things: the London 2012 Olympics surely. A Brit winning the Tour de France, if you’re so inclined. And the first time widespread banking IT outages gained national prominence. And just like climate change scientists will tell you there will be more rain and more often, I’m here to tell you that there will be more banking IT outages and more often.

Why? I hear you ask. Glad you did. Let me try and explain. The average bank’s IT can best be seen as a series of what can charitably be described as sheds built on quicksand. These sheds were made from available materials; which means that some of the sheds are built using 1960’s technology. Some of the sheds (the later sheds) were made from prefab standardised components. And some of the sheds are built using cutting edge not-yet-proven technology. (Let’s call those the marketing sheds). And of course, there is an intricate system of hallways, doorways and trapdoors, to connect all the sheds in an infinite number of ways. This way, whenever a door or hallway is blocked, there is a possibility of getting to another shed, you just don’t know how.

So how did this come about, and what are we going to do about it?

The reason this all happened is pretty simple: no management attention. Early on, “automation” was a logical follow-up to using calculators and tabulating machines. They merely sped up an existing process. By the time it became clear that IT is a disruptive force, the sheds were firmly sinking in the quicksand. Anyone with any ambition as a manager within a large bank quickly realised this and decided to run for the marketing or the investment side of the bank.

What are we going to do about it? The first step towards any solution is admitting you have a problem. Even in the light of overwhelming evidence to the contrary, most boards of banks still feel IT is a non-core activity. The only thing the board seems interested in is IT cost, which should be lower.

Clearly, there is a role here for the oversight bodies. Indeed, the Bank of England published a “Principles of Oversight – Payment Systems” that list all the risks that banks need to manage. It also states that banks need to adhere to these principles all by themselves, and that no active oversight will be performed.

I say the Bank of England needs to call for a Bank IT Stress Test. This will put IT firmly on the agenda of the board, and will tell clients and the government alike what state the sheds on the quicksand are in. And by repeating this process yearly the banks can not only admit they have a problem, but actually work toward a solution.

And this is not hard. I’ve drafted a list of sample questions that the BoE is free to use:

– How much did you spend in the last 12 months on IT?

– How much of that spend was on systems under your control?

– Of the systems not under your control, what are the performance guarantees given by your supplier?

– Please supply an audit log of the last month showing this performance.

– Of the systems under your control, what are the internal performance requirements?

– Please supply an audit log of the last month showing this performance.

I’m sure you get the idea. Surely, these are questions any board should be able to answer? And surely, the public has a right to know. After all we did to save the banks, making sure their operation is in order is the least they can do for us.

About the author:

Tobias Kuipers, CTO, Software Improvement Group

Image credit:Flickr Chattygirl

Read the CIO Profile of Anthony Watson, Barclays IT leader, technology focused & CIO Summit speaker