

Did poorly-functioning IT systems contribute to the recent
financial crisis? We must ask the question: was the Basel II
regulatory framework properly implemented in banks' IT systems? That set
of regulations was supposed to provide improved information on
exposure to risk.
To ensure regulation is implemented properly in the future, why
not have an "IT development" set of "building regulations"? These
regulations would be monitored externally, by approved inspectors,
possibly provided by the BCS or other organisations, on behalf of
the Financial Services Authority (FSA). Self-regulation clearly has
not worked.
Building regulations set standards for the design and
construction of buildings. Firstly, you have to apply for planning
permission, which is a lengthy process. Most people, however,
understand that such regulations are there to protect us all. With
every stage of the build you have to have site inspections. The
building regulations ensure the works meet the relevant technical
requirements, such as ensuring there are proper foundations.
IT developments are potentially very risky. They could cause
financial loss in a company, cause instability, damage the
reputation of customer and financial services in the UK, endanger
investments and jobs, or cause information security breaches. Such
developments, it could be argued, should be subject to external
scrutiny.
It is true, however, that the government's policing of its own
IT projects has not been very good so far. This shortcoming will,
somehow, have to be remedied to protect us all, because internal
"self-policing" within commercial organisations is
obviously not working. Some quality functions within such
organisations are genuinely trying to promote good practice.
However, this is rare, in my experience. "Bogus" quality functions
predominate in most organisations. These functions are subordinate
to development and they compromise quality to enable systems to go
live. The tester's work is compromised and any defects raised are
closed down by the management regardless of the risk.
Perhaps in future any major development, such as a new customer
billing system for a significantly sized company, would come under
the radar of the FSA. It would require FSA certification before
live running, using live customer data. To run such a system in a
live environment without FSA certification would be illegal and
would result in heavy fines.
The stages would be:
- Register the development with the FSA with timescales and
details (eg, business justification).
- FSA would then request requirements and system design
specifications and project plans, assess them, and then do a site
inspection, which would allow a degree of control over any
unjustified "offshoring" of work.
- Once given the go-ahead, the development could commence and it
would be monitored stage by stage.
- When the system was ready to go into test, the FSA would have to
be notified of any faults and given progress reports. It would
have the power to do a site visit and would be able to impose
fines if any defect information was withheld.
- During User Acceptance Testing (UAT), the FSA would have to be
notified of any significant defects.
- The final certification for live running could only be given by
the FSA.
Obviously, the company could try to pull the wool over the eyes
of the FSA. However, the FSA would have visibility of what was
going on, and it would be a good discipline for the organisation to
know that by withholding or falsifying information it could suffer
a heavy fine.
Do you think this idea is far-fetched? In the US, the Senate has
recently proposed a bill to control IT failures. The bill would
amend federal law regarding the oversight of project planning for
IT systems. This is a highly significant development. It represents
a state-of-the-art effort to control IT failures, and we would
benefit from something similar over here. Look, for example, at the
UK's multi-billion pound health service IT project, which,
according to the BCS, needs a fundamental rethink.
Tim Hunter is an IT Consultant for Yorview and a BCS member.