This column does not usually do topicality. Current relevance, we hope, food for thought, we like to think, but not the news of the day. But there have to be exceptions and the RBS, NatWest/Ulster Bank fiasco is everything a CIO fears above all else-a public, multi-faceted, ongoing systems failure. That fact that the banking group in question is 70% owned by Her Majesty’s Government is probably irrelevant. Politicians are willing to share credit for most things but embarrassment usually passes them by. Surprisingly, at time of writing the mainstream media had not picked up on the April departure of the RBS CIO who oversaw both a substantial investment in new technology (55,000-user VDI) and a downsizing of the internal ICT team and outsourcing of many banking operations to India.
The outsourcing question raises its ugly mug particularly in Ireland where 196 IT jobs were shed when the Dublin Technology Services Centre was closed last January, with a further 25 jobs cut in Belfast. It eventually emerged as the technical media consensus that the recent fiasco followed an error in applying a routine patch to a CA Technologies banking application (CA-7 for time/event driven workload automation). This was at first thought to have happened in India, where RBS has outsourced a large part of its IT operations. It could equally well have happened anywhere, sympathetic IT professionals will agree. In this instance, there has been distinct suspicion of inexperience and under-training-in other words, human error. Even CA acknowledged that backing out of a failed CA-7 update should have been easy. Even if this is not the full truth, the warning principle is all too clear. Long-range governance of third party service suppliers is not a reliable option.
There is also the potentially vexed question of where a group member company stands when it comes to IT priorities: Ulster Bank and NatWest are both RBS group members and the order of priority became all too clear during the outage. An Ulster Bank spokesman explained that the IT repair and restoration process had to be in the order in which the systems were installed, RBS then NatWest then Ulster. Fair enough, up to a point, and illustrating that the RBS Group shares the same systems and not just the same technology. The outsourcing to Bangalore was presumably with the consent of the UK government (RBS group’s effective owners) and the UK Financial Regulator. But what about Ulster Bank and our independent Republic of Ireland Central Bank and Financial Regulator and Department of Finance and indeed Data Commissioner? Do Irish customers of Ulster Bank know that their data is being held and processed in India? The other question, of course, is why the smallest affected entity in the RBS Group took the longest time to resolve?
But Ulster Bank and its travails are not our issue. The current horizon for any CIO is a sea of cloud (see, we can play metaphors with the best) with a Clew Bay vista of many islands peeping through of outsourcing and managed services, XaaS and the scaling back of internal ICT resources on your own mainland. In recent years almost all of the talk and indeed the assumptions have been predicated on at least a significant proportion of ICT passing from the user organisation to various kinds of service provider. Some or all of that is expected to be cloud-based, but here in Ireland at least there is still general acknowledgement that direct service provision by trusted suppliers is going to be a mainstream component for quite some time to come. In part that is in our business psyche-we dislike anonymous commodity services, or at least everything about them except their cheapness. It is often expressed crudely as ‘knowing whose ass to kick’ but we also tend to regard personal professional relations as fundamental to any of that ‘partnership’ guff that services marketing witters on about all the time.
Suddenly this Ulster Bank object lesson thrusts itself under our collective nose and we have a frightening sniff of rotting SLAs. Actually, that is probably unfair in that it is quite possible that all SLAs were happily met in that RBS contract until some poor techie wiped the database.
Stop Press: oh, the drama of journalism, even in a monthly column. The RBS CEO has just conceded that "…. the problem was created when maintenance on systems, which are managed and operated by our team in Edinburgh, caused an error in our batch scheduler." RBS has undertaken to carry out a full investigation, overseen by independent experts, once the critical recovery tasks are completed. It is also reported to be considering legal action against CA Technologies.
So now we are back to the earlier observation that the error could have occurred anywhere, although the CEO’s brief explanation of the ongoing problems because "…the team could not access the record of transactions that had been processed up to the point of failure" does smack of careful phrasing and the lingering notion that somebody or something wiped a production database or slice of before it had been backed up. Are such things not supposed to be idiot-proof if not fully automated?
So let us now leave the detail of the still-rumbling RBS saga and resume the speculation that its very occurrence, and its sheer duration in the case of Ulster Bank, will be a historical pivot point in the 21st century story of large scale enterprise computing. CIOs have to try to think all the time from the point of view of the business and its customers and the market back into internal systems and users and then the beating pulsing heart of the ICT. So the three weeks plus of crippled customer service in Ulster Bank was the disaster. The technical reasons, the failure of human judgement and systems and speedy recovery, are actually irrelevant in business terms. Forensic post-mortems are important, even essential. But like CSI, murders are committed by people not instruments. Society tries to identify the culprits to assign responsibility accurately, punish where appropriate and deter or detect others.
When your technology fails and your failures provide tens of thousands of personal disaster stories for popular mythology to multiply (ruined honeymoons, mortgage defaults or double payments, unpaid fines, utility cut-offs, etc.) no amount of obsequious corporate apology and abasement is sufficient. Ulster Bank is currently passing Anglo Irish in the ‘Banks we love to hate’ stakes and may even stay in the lead because there are simply more individuals, well over 100,000, apparently, who have been adversely affected.
The whole affair is an exemplar disaster for CIOs everywhere and will undoubtedly be a case study for ICT systems design and governance in the future. The multiple autopsies have already started, led by those savvy observers in Committees of both the UK Parliament and our own Dáil. The specific glitch is not the issue (except, of course, for CA Technologies and RBS) and is technically simply an example of Murphy’s Law. If it was caused or compounded by human error, that too is part of the object lesson. The fact that it was all centred in traditional technology is important. With not a cloud in sight, enterprise systems that support the world’s key transactions-an estimated 20 million daily in RBS-can and do fail. The software industry has been talking integration and automation for decades, nowhere more loudly than in financial services. We have also seen the inexorable rise in systems complexity as more and more functions and activity streams are aggregated in ‘solutions’ that aim to be comprehensive across the organisation. As every CIO knows, there are minimal problems with single-task software. Bookkeeping is an excellent example, even in banking. The perils arrive with joined up systems, inevitably conceived, designed and coded at different times by assorted software vendors. It is all too like handwritten medical reports and prescriptions, in different languages and script styles: the wonder is really that so little goes wrong.
The RBS/Ulster Bank situation will be fixed and eventually pass into ICT legend, we trust. But it certainly serves to focus the attention of all CIOs-and all discussion of the role of the CIO-on core responsibilities that we might all have been in danger of forgetting. Choice of systems and suppliers, technology and process governance and the management of change are fundamental to the role, whatever the title. That certainly covers patch management in functioning systems, however lowly or routine the specific tasks might seem to be in the IT hierarchy. The simplistic analogy is a vehicle: no one would take it on the road without a reverse gear and effective brakes.
Driver error cannot be engineered out of vehicle design (or at least not so far) but the potential consequences can be foreseen and anticipated. The ‘dead man’s handle’ of early 20th century railway engineer design is still a sound principle. We have all become so accustomed to discussing the role of the CIO in terms of strategy and leadership and futurology that the Ulster Bank debacle serves as a salutary reminder that a deep understanding of the imperfections and limitations of technology is equally important.
Subscribers 0
Fans 0
Followers 0
Followers