Author: Chris Goodeve-Ballard
It’s very tempting to think that we can all hide behind the big Company. When something goes wrong, there is a big skirt we can hide behind which ensures that there is always somebody else who can carry the can.
Carlos Abarca knows differently.
He was TSB’s Chief Information Officer and holder of a Senior Management Function (SMF) during the period of their disastrous IT migration project in 2018. This project is admittedly one of the poster boys for Operational Resilience failings and resulted in TSB receiving fines totalling £48.65 million in December 2022. This has been well reported and we wrote a piece on it here, in the immediate aftermath so there is no need to go into all the gruesome details here.
Roll on three months and poor old Carlos has been hit with a personal fine of £81,620 from the PRA. I don’t care who you are (and he was on a pretty good salary), that is going to hurt – and he has one month to pay it.
Reading through the PRA’s Final Notice for Carlos Abarca, there are a couple of points worth noting. Most of them should simply be a reminder for many. If they are new to you, however, and you hold a Senior Management Function, you really should nip down to Compliance or HR to understand your Statement of Responsibilities and give them a gentle reminder that you can be extraordinarily violent and unpleasant if provoked as at the very least, they should ensure that you are aware of the content.
If you do hold an SMF role, you really are at the pointy end of the bayonet and you have to be sharp and do your job.
Even if you have Board sign-off for any particular action, as the SMF holder, if it is within your Statement of Responsibilities, you carry the can. In this case, the PRA even stated: “The Board had ultimate oversight…”. This provided no protection to Abarca.
Never assume that others are doing their job even if they say they are. In this case, an intragroup Company (SABIS) was the key third party provider, which itself had 85 third party providers (fourth party to TSB). Abarca took their word for the fact that they were ready to carry out the migration when they were merely making hopeful noises that they were; not definitive statements.
Lack of understanding of the supply chain of outsourced service providers can be expensive. (PRA – “…firms must have visibility of the supply chain…”. Intragroup services, such as those of SABIS are still counted as part of the external supply chain in the eyes of the regulator).
Everything of course came to light because the migration project fell apart, there was no ability to roll back and TSB’s crisis response was slow and badly thought through. The simple fact is that if any single one of these factors had been resolved, TSB would have had a busy few days and then breathed a collective sigh of relief while Mrs Abarca wouldn't be quite so irritated with her husband.
The lesson from this is that if you hold an SMF role (irrespective of what it is), ensure your Crisis Management and Operational Risk & Resilience abilities are tested practiced and then tested again at your firm. You have no idea which part of the process is going to fail (and it could stem from a 4th or 5th party provider) so the catch all is to ensure you know how to respond when something totally unexpected goes wrong.
Aldbury International is highly experienced in helping firms prepare for the unexpected. Call us on 020 3475 2953 or visit or website www.aldburyinternational.com
Carlos Abarca is on a “Career Break” (LinkedIn).