Insuring to prepare for the worst

Opinion by Andrew Sinclair

RBS/NatWest has announced that it will set aside £125 million to cover the costs of the IT failure it recently suffered.


Added to the £135 million hit the group took to cover the cost of payment protection insurance (PPI) mis-selling and the £50 million charge to compensate small businesses that were mis-sold complex interest rate swaps, a small fortune is being declared as the cost of failures.

Rarely has a cost of failure been so readily declared. These purely financial losses, however, do not take into account the value of the reputational damage and the loss of trust that has occurred.

While the investigations are continuing to determine the root cause of the IT systems failures that impacted NatWest and Ulster Bank customers, initial investigations seem to be suggesting that human error was partly responsible. The error is understood to have occurred after a software update froze part of the bank's computer systems, affecting 17 million customers. If this turns out to be the case, then perhaps it will be more understandable, if still highly unfortunate for RBS. 

Although this should have been an avoidable incident, the fact that it occurred at all might be indicative of the continuing pressure on the business and the overall 'hollowing-out' of the skills and experience on the IT side of the business.

If it is found to have occurred within the outsourced section of RBS operations, then, coupled with the massive power failures within India (which, although they didn't hit the outsourcing centres of Bangalore and Hyderabad, must cause some reviews of the infrastructure upon which many western businesses depend), the calls for more rigorous testing and change control procedures can be expected to increase.

RBS' response to this has been initially good, then perhaps not so good. It told its customers about the failure, although it didn't seem to be able to say who exactly was affected, which was not a good response. As the problems persisted, the response became less effective.  

Although an independent analyst has been appointed to determine what happened, perhaps, in order to regain some of the confidence and trust they have lost, RBS needs to be more open about the root cause of the failure. Only if it shares information will we all be able to learn from it. 

This is surely just a common sense reaction, as no director should be happy to sign off hundreds of millions of pounds of losses just because of the pressure to reduce the operational costs.

These events may be in the infrequent/unlikely and high-impact quadrant of a business's risk profile, but they are the ones that really do inflict lasting damage on businesses. Companies must consider the potential costs to their business if something such as the RBS incident happened to them. They need to ask themselves: "What would happen if it happened to me?" Do businesses test, exercise and re-test in case it ever does happen? If businesses don't know, how do they know it won't happen to them?

Confidence is a fragile commodity and hard to regain if it's lost.  RBS is arguably just beginning to realise this. 

Andrew Sinclair is head of risk management at Onyx Group

