by George Nott

How operational resilience helped RBA survive a siege: CIO Sarv Girn

Oct 27, 2016
Financial Services Industry, Innovation, IT Management

When lone gunman Man Haron Monis entered the Lindt cafe holding a sawn-off pump-action shotgun in 2014, Sydney’s Martin Place, the ‘civic heart’ of the city, was plunged into a state of chaos and fear.

It didn’t take long for news to reach the Reserve Bank of Australia (RBA), situated just metres away. The risk of a bomb or stray bullets felt very real. But the centrepiece of Australia’s economy couldn’t simply shut down and duck for cover. If there was ever a true test of the resilience CIO Sarv Girn had built into the central bank’s IT systems, this was it.

“For some, a focus on operational maturity and resilience may seem boring, basic and business as usual,” he told the audience at the Gartner Symposium on the Gold Coast yesterday.

“Operational resilience didn’t seem so boring that day.”

Last minute

Resilience is one of three imperatives – the others being the delivery of business change and transformation, and innovation – that Girn and his team at the RBA abide by, and which he said are driving them towards “being one of the leading IT teams in the central banking community”.

This resilience, he said, is vital and not to be left to “last minute attention”.

It is actively tested, the former Westpac Banking Group CTO explained, with a twice-yearly exercise during which the RBA is run entirely out of its second datacentre in the Sydney suburbs. This secondary datacentre sits on the ground floor of the bank’s Business Resumption Site (BRS) in Bella Vista. There is also a quarterly rotation of systems across the dual sites, and the processing of critical systems can be switched between the two at any time.

“This proved its worth during the Lindt Café Siege which took place a few metres from the Bank’s building,” Girn explained. “Within minutes of the incident we switched our platforms to operate out of our second datacentre. The next day the bank’s business operations all took place out of the second site whilst Martin Place was cordoned off to the public.”

With critical operations switched to the BRS, there was a virtually unbroken service of ‘real time’ interbank settlement, market operations and banking.

“This operational maturity doesn’t happen overnight,” Girn said, “and like a sportsperson, who has to build up speed and endurance through many years of training and strength work, the CIO must lay this groundwork to be match-fit.”

That groundwork begins with a clear “understanding [of] the organisation’s risk appetite statement”, Girn said, which in the bank’s case was “appropriate to the platforms we provide to support the economy”.

What is measured is managed

Girn’s team put a lot of weight on metrics, he said. They follow the adage that what is measured is managed. Metrics help them to “measure risk, progress and make appropriate business decisions”.

The volume of change made in production environments, for example, is correlated against metrics that measure stability and capacity of the operating environment. While production environment changes had risen by 25 per cent in the last few years, Girn said these were appropriate “within context of our risk appetite”.

Service quality is also closely measured, in particular the Net Promoter Score (NPS) for RBA’s internal service desk.

A barrage of scans

Some 70 per cent of the emails the RBA receives are malicious in nature, Girn revealed, and the bank’s external perimeter faces a “barrage” of scans and probes, roughly one every two seconds. Metrics matter in cyber security too, which he described as an “inherent dimension of operational resilience”.

“It can be tempting to use the many industry surveys to depict the risks and threats in your own environment,” Girn said. “This is not often wise. Knowing the heartbeat of your own environment and how it prevents, detects, and responds is a far healthier option in the race towards cyber resilience.”
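One way to keep the “heartbeat” Girn describes is to derive the headline figures (inbound probe rate, share of inbound mail flagged as malicious) and a baseline check directly from the organisation’s own perimeter logs. The script below is an added example and is not the RBA’s tooling or data: the firewall deny format, the mail-gateway verdict format, the IP addresses and every record are constructed here for illustration, and the 70 per cent malicious-mail share in the constructed data simply mirrors the figure quoted above.

```python
# Added example: perimeter "heartbeat" metrics from an organisation's own logs.
# All formats, addresses and records below are hypothetical and constructed.
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Hypothetical record formats: a firewall deny line and a mail-gateway verdict line.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$"
)
MAIL_RE = re.compile(r"^(?P<ts>\S+) msgid=(?P<id>\S+) verdict=(?P<verdict>CLEAN|MALICIOUS)$")


def constructed_firewall_log():
    """Synthetic deny log: two quiet hours with a deny every two seconds from
    two background sources, then an hour containing a port scan from one host."""
    lines = []
    quiet_sources = ["198.51.100.7", "203.0.113.9"]
    for hour in (9, 10):
        for i in range(5):
            ts = datetime(2016, 10, 20, hour, 0, 2 * i)
            lines.append(f"{ts.isoformat()} DENY src={quiet_sources[i % 2]} dport=22")
    for port in range(1, 21):  # twenty denies, one per second, sequential ports
        ts = datetime(2016, 10, 20, 11, 0, port - 1)
        lines.append(f"{ts.isoformat()} DENY src=192.0.2.44 dport={port}")
    return "\n".join(lines)


def constructed_mail_log():
    """Ten synthetic gateway verdicts, seven malicious (the 70 per cent figure)."""
    return "\n".join(
        f"{datetime(2016, 10, 20, 9, i).isoformat()} msgid=m{i:03d} "
        f"verdict={'MALICIOUS' if i < 7 else 'CLEAN'}"
        for i in range(10)
    )


def parse_firewall_denies(text):
    """Return (timestamp, source, destination port) for each deny record;
    lines that do not match the format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    return events


def hourly_counts(events):
    """Deny count per clock hour, ordered by time."""
    counts = Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _, _ in events)
    return dict(sorted(counts.items()))


def anomalous_hours(counts, factor=3.0):
    """Hours whose count exceeds `factor` times the median hour. The baseline
    is the environment's own history, not an industry survey figure."""
    if not counts:
        return []
    baseline = median(counts.values())
    return [hour for hour, n in counts.items() if n > factor * baseline]


def seconds_per_probe(events):
    """Mean interval between denies over the observed window, i.e. the
    'one probe every N seconds' figure expressed from the logs."""
    if len(events) < 2:
        return None
    times = sorted(ts for ts, _, _ in events)
    return (times[-1] - times[0]).total_seconds() / (len(times) - 1)


def scanning_sources(events, min_distinct_ports=10):
    """Sources that hit at least `min_distinct_ports` distinct ports: a crude
    port-scan detector over the same parsed events."""
    ports_by_src = {}
    for _, src, dport in events:
        ports_by_src.setdefault(src, set()).add(dport)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= min_distinct_ports)


def malicious_mail_fraction(text):
    """Share of gateway verdicts that were MALICIOUS; 0.0 when no records parse."""
    verdicts = [m["verdict"] for m in map(MAIL_RE.match, text.splitlines()) if m]
    return sum(v == "MALICIOUS" for v in verdicts) / len(verdicts) if verdicts else 0.0


if __name__ == "__main__":
    events = parse_firewall_denies(constructed_firewall_log())
    counts = hourly_counts(events)
    print("denies per hour:", {h.strftime("%H:00"): n for h, n in counts.items()})
    print("mean seconds between probes: %.1f" % seconds_per_probe(events))
    print("hours above 3x median:", [h.strftime("%H:00") for h in anomalous_hours(counts)])
    print("port-scanning sources:", scanning_sources(events))
    print("share of inbound mail flagged malicious: %.0f%%"
          % (100 * malicious_mail_fraction(constructed_mail_log())))
```

The point of the baseline in `anomalous_hours` is the one Girn makes: the threshold is the median of this environment’s own hours, so a quiet site and a noisy one each get a threshold that reflects what is normal for them rather than for the industry at large. On real logs the same functions would be fed from the firewall and mail-gateway exports instead of the constructed strings.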

This security posture is backed with fortnightly security intelligence calls with a number of central banks and a biannual gathering of the CIOs of east Asian central banks, Girn said.

Keep on running

With resilience realised, organisations are “fit to run” and then meet the demand to “reimagine and renew”, Girn said.

To keep a handle on the potential “sea of projects” under way at any one time, the RBA focuses on the 20 most strategically important ones, tracking their progress through regular reports in what it calls its ‘Enterprise Master Schedule’.

However “often a smaller project can trip over a larger one, especially when inter-dependencies are misunderstood”, Girn said. Independent internal teams conduct quality certifications on live projects and more than 80 per cent of the advice is adopted by projects in the initiate, design and deliver phases. Girn explained: “It’s no good getting independent advice, if this is ignored and filed away.”

Blockchain beyond discussion

The third imperative – a focus on innovation or ‘renewal’ – is no longer just a nice-to-have, Girn said. One approach the RBA uses is running codefests.

“This involves idea generation, an eight-hour coding challenge, demonstrations to prove concepts, a business-judging panel, and winners and ideas being sponsored to the production world,” he said.

Last year, the winning entry implemented a capability for simultaneously communicating trade confirmations to counterparties. More recently, programmers were set to work on developing a “compelling demonstration” of Blockchain concepts, which resulted in a number of viable proofs of concept.

“The aim was to go beyond just a discussion of the theoretical uses and actually have some working solutions to debate and discuss,” Girn said.

Pushing forward with innovation is a “case of survival in today’s changing world”, he added.

Above all, Girn said, the three R’s – run, reimagine and renew – are about being fit-for-purpose.

“Fit-for-purpose is about consciously tailoring the approach to the ‘race’ you have been asked to run. The challenge is to be fit-for-purpose in our own journey of digital transformation,” he said. “In our case, fit-for-purpose is primarily about serving the economy and the public in a way that is supported by trust, resilience and value for money.”

George Nott travelled to Gartner Symposium as a guest of Gartner.