If it can go wrong, it will go wrong

The recent challenges of the banking sector in the UK have been very public and damaging to the trust that customers place in their bank. If you were lucky enough to be unaffected, then do have some sympathy for TSB customers who recently were unable to make payments using online banking, and also for customers who made purchases on 29 August from businesses that used the Lloyds Bank owned Cardnet, as they may have found themselves being charged twice. The fundamental point here is that trust is easily lost and very hard to win back. In the case of the Cardnet failure, that loss of trust may also have affected business customers of Cardnet, because from a retail customer’s point of view it would have looked like the business had charged them twice rather than there being an error in the payment processing.

But how and why did the IT fail so dramatically? Well, one possibility is that this is a legacy system issue, and it reminds us that technical debt, the cost of maintaining legacy systems over time, rises in both cost and risk terms the more time moves on from the original implementation. This is certainly true in the TSB case, where it is well known that TSB has legacy IT issues, and has done for some time, and this has cost the company hundreds of millions of pounds. These legacy IT issues appear to have really come to the fore when TSB tried to modernise the IT following the merger with the Spanish bank Sabadell after TSB split from Lloyds Bank in 2013. And it is this last fact that possibly points the way to the problem at Cardnet, which is part owned by Lloyds Bank and seems to have suffered similar issues, leading to reputational damage and real financial loss to customers and businesses. It is quite likely that legacy issues were, in part at least, the cause of the Cardnet problem. A quick Google search of “cardnet IT failure” brings up a number of results showing issues going back to 2014, which seems to support this theory.

Technical debt is often a difficult issue to get traction on in a business, as resolving it does not generally add to business value, and so persuading the business to sink real money into a problem that has no obvious business benefit is a difficult ask. So how do you get the traction and money you need to reduce your debt? As with many things, the answer is to quantify the risk.

Much like ignoring Information Security and GDPR, ignoring technical debt can have real-world consequences. The Cardnet and TSB issues really help to demonstrate that, but there are also plenty of analyses from organisations like Gartner which can back you up in the argument. You need to find a way to get your point across in terms the board understands, so that they see paying down the debt as being as integral a part of risk management as Information Security and GDPR. You may not get everything you want, but you should at least get the issue on a risk list, because until the board has sight of it there is very little that will ever be done, given all the priorities the organisation will have. But once it is on the risk list, it can be flagged to governance, and that will drive prioritisation and resolution.