Following the news that RBS will set aside £125m to cover the costs of the IT failure it recently suffered, Andrew Sinclair, Head of Risk Management, Onyx Group explains that although RBS has suffered financially, it does not take into account the value of reputational damage and the loss of trust which is what happened. This incident underlines that confidence is a fragile commodity and hard to regain if lost.
RBS/NatWest today announced that it will set aside £125m to cover the costs of the IT failure it recently suffered. This adds to the £135 million hit the Group took to cover the cost of payment protection insurance (PPI) mis-selling and the £50 million charge to compensate small businesses that were mis-sold complex interest rate swaps. So there’s a small fortune being declared as the costs of failures - both IT systems failures and internal process/procedural failures. Rarely has a cost of failure been so readily declared. These pure financial losses however do not take into account the value of reputational damage and the loss of trust which has happened.
While the investigations are continuing to determine the root cause of the IT systems failures which impacted NatWest and Ulster Bank customers, initial investigations seem to be suggesting that human error was partly responsible. The error is understood to have occurred after a software update froze part of the bank’s computer systems, affecting 17 million customers. If this turns out to be the case, then perhaps it will be more understandable, if still highly unfortunate for RBS.
Although this should have been an avoidable incident - the fact that it occurred at all might be indicative of the continuing pressure on the business and the overall ‘hollowing-out’ of the skills and experience in the IT side of the business. If it is found to have occurred within the outsourced section of RBS operations, when coupled with the massive power failures within India (which although they didn’t hit the outsourcing centres of Bangalore and Hyderabad must cause some reviews of the infrastructure upon which many western businesses depend) then the calls for more rigorous testing and change control procedures can be expected to increase.
RBS response to this has been initially good, then perhaps not so good. They told their customers about the failure although they didn’t seem to be able to say who exactly was affected which was not a good response. As the problems persisted, the response became less effective.
Although an independent analyst has been appointed to determine what happened, perhaps, in order to regain some of the confidence and trust they have lost they need to be more open about the root cause of the failure. Only if they share information will we all be able to learn from them.
This is surely just a common sense reaction as no director should be happy to sign off hundreds of millions of pounds of losses just because of the pressure to reduce the operational costs. These events may be in the infrequent/unlikely and high impact quadrant of a business’s risk profile but they’re the ones which really do inflict lasting damage on businesses. Businesses must consider the potential costs to their business if something like the RBS incident happened to them. They need to ask themselves what would happen if it happened to me? Do businesses test, exercise and re-test in case it ever does happen? If businesses don’t know how do they know it won’t happen to them?
Confidence is a fragile commodity and hard to regain if it’s lost. RBS is arguably just beginning to realise this.
This was first published in August 2012