Implementing Technology Change

While there is no single approach, process, or control that improves change success rates, our analysis and discussions with firms found that stronger governance, day-to-day risk management, increased automation and more robust testing and planning can contribute to successful change activity and less disruption.

Based on the data analysed in this review, we found that firms that had higher change success rates had these common characteristics:

1. Firms with well-established governance arrangements have a higher change success rate:

There was a positive correlation between the longevity of governance arrangements and higher change success rates in the sampled firms. Our data showed that robust governance can help reduce the number and impact of operational incidents resulting from change.

2. Relying on high levels of legacy technology is linked to more failed and emergency changes:

Over 90% of surveyed FS firms rely on legacy technology in some form to deliver their services. We found that firms with a lower proportion of legacy infrastructure and applications had a higher change success rate. This supports the view that technology change is more difficult to implement without disruption when dealing with legacy infrastructure. Firms with a lower proportion of legacy technology also had a lower proportion of changes being deployed as emergencies and had a higher chance of those emergency changes being successfully deployed.

3. Firms that allocated a higher proportion of their technology budget to change experienced fewer change related incidents:

Firms with a high change success rate dedicated a large proportion of their IT budget to change activities. Firms that had the lowest proportion of changes resulting in an incident dedicated between 50-75% of their IT budget to technology change activities.

4. Frequent releases and agile delivery can help firms to reduce the likelihood and impact of change related incidents:

Overall, we found that firms that deployed smaller, more frequent releases had higher change success rates than those with longer release cycles. Firms that made effective use of agile delivery methodologies were also less likely to experience a change incident.

5. Effective risk management is an important component of effective change management capabilities:

Firms that experienced less incidents due to failed changes mitigated the risk of technology change by leveraging a wide range of technical and business knowledge to ensure that potential impacts were well understood. We also found that firms that continuously managed risks as part of day to day project management were more likely to have higher change success rates compared to firms that employed an ad-hoc or periodic approach to risk management.

Based on the data analysed in this review, we also identified some areas which could lead to increased operational disruption when carrying out change activity:

1. Most firms do not have complete visibility of third-party changes:

Third parties are not immune to the inherent risks presented by technology change, and most firms in this review did not effectively track third-party changes. According to firms’ incident reporting, in 2019 over 20% of incidents at third-parties were caused by change. Workshop attendees suggested that third-party contracts could be better utilised to provide greater clarity on how changes are communicated and the potential impacts to a client firm’s IT estate.

2. Firms’ change management processes are heavily reliant on manual review and actions:

We found that firms are still heavily reliant on manual testing and processes to deliver technology change. Repeatability and consistency throughout the lifecycle of a change and its deployment could help reduce the burden of assurance activity and could also allow for a higher degree of confidence when implementing technology change.

3. Legacy technology impacts firms’ ability to implement new technologies and innovative approaches:

Firms that classified a higher proportion of their technology estate as legacy also had lower adoption rates for DevOps, micro-architecture and public cloud which could affect firms’ ability to benefit from innovative approaches. However, firms also highlighted the risks involved in migrating away from legacy technology.

4. Major changes were twice as likely to result in an incident when compared with standard changes:

Changes deemed by firms to be ‘major’ were over twice as likely to result in an incident when compared with other change types. Workshop attendees attributed this to their complexity, and the inability to break them down into smaller components. One of the key assurance controls firms used when implementing major changes was the Change Advisory Board (CAB). However, we found that CABs approved over 90% of the major changes they reviewed, and in some firms the CAB had not rejected a single change during 2019. This raises questions over the effectiveness of CABs as an assurance mechanism.

Consumers and market participants are increasingly reliant on digital channels to access FS. Even short-lived disruptions can be quickly identified by end users, and can result in significant impact and media attention. On average, each sample firm experienced 80 customer-facing incidents resulting from failed change during 2019.

Our data showed that of all customer-facing incidents in 2019, 7.4% had a root cause relating to change activity. However, of all incidents classified as high severity by firms in 2019, 24% had a root cause relating to change activity, highlighting that failed technology changes can have a higher impact than incidents resulting from other root causes.

When we asked how firms can better manage customer impacts due to disruptive change activity, workshop attendees emphasised the importance of having comprehensive, well-tested roll back plans in place to minimise the impact on customers. These plans often include internal and external communications (including with third parties) to use during an incident to highlight what alternative channels are available, for example. Firms’ board members stated that firms should also look to capture lessons learned from failed changes to continuously improve their capabilities.

Emergency changes are technology changes that must be implemented as quickly as possible, often in response to an operational incident. Due to the nature of these changes, some of the assurance and governance steps used for normal changes are expedited which can increase the inherent level of risk.

During 2019, firms deployed over 33,000 emergency changes into production, accounting for between 3-5% of total change volume. However, the proportion of emergency changes varied dramatically across firms, with some categorising almost 20% of all changes deployed as emergency changes. We observed a link between emergency changes and legacy infrastructure which may indicate that firms with higher proportions of legacy infrastructure were more likely to both use emergency changes and to have a higher proportion of those changes result in an incident.

We found that, on average, 1.5% of emergency changes resulted in a new incident; a slightly lower proportion than other types of changes. This could be due to an incident already being open for the issue being addressed by the change, but may also indicate strong risk awareness when it comes to implementing emergency changes.

Due to the speed and nature of emergency changes there is little room for error, and these changes can amplify existing weaknesses in a firm’s change capabilities. The workshop participants generally agreed that having the right culture around emergency changes is important to govern their use. As with major changes, participants also highlighted the importance of SME reviews and having stringent governance around the emergency change process.

Firms rely heavily on third parties for the delivery of business services. Over 30% of the development activity conducted in the sample firms was delivered by third-party teams. This increases the complexity of business models and can heighten operational risk. Recent third-party incidents and security breaches have highlighted the importance of third-party risk management, as well as the need to understand all the critical parties supporting business services. According to data taken from all incidents reported to the FCA by regulated entities in 2019, third-party incidents was one of the top root causes, accounting for 18% of all incidents. Of those, 22% were due to third-party change activity.

Third parties are not immune to the inherent risks presented by technology change but most firms participating in this review did not track third-party changes. While some firms did not allow third parties to deploy changes directly in their environments, all firms and their clients have a degree of dependency on software products provided by third parties. Firms stated that third parties often do not communicate changes to their customers, resulting in difficulty in tracking those changes. Attendees suggested that some of the risk associated with third-party changes could be mitigated by contractual agreements with strong governance against service levels.

Effective governance at senior levels can help foster an operationally effective environment throughout an organisation. Most of the respondents to our Board questionnaire were confident in their ability to deliver technology change without incident and believed that their organisations had the ability to deliver benefit through those changes. They were also generally confident in their ability to assess risks and approve major technology changes.

We found that the majority of firms had their current technology change governance arrangements in place for between 6 months and a year. We found a positive correlation between the longevity of governance arrangements and higher change success rates in the firms. Firms that had governance arrangements in place for more than a year experienced a lower proportion of incidents resulting from change when compared to peers with newer arrangements.

Most firms stated that their change management governance arrangements were reviewed periodically to ensure processes and controls remained fit for purpose, but their arrangements were also reviewed on an ad-hoc basis following the completion of lessons learned exercises or a major change. Firms also stated that effective board level governance can be complemented by SMEs and Non-Executive Directors providing challenge from a technical and business perspective.

We asked firms how their governance arrangements might change over the next 12 months (before the coronavirus pandemic). Some firms stated they were looking to pilot or increase their use of automation and methodologies to reduce manual overhead. The majority of firms used a consolidated tool to track, categorise and record changes made across their estate.

35,000
Average number of changes implemented per firm over 2019

The financial industry has needed to change quickly, and in some cases dramatically, as customers demand real-time services, seamless experiences and increased customer journey integration. Regulators have also required substantial change from the industry. For example, many firms have had to implement changes to their technology estates due to new regulatory requirements around MiFID/MiFIR and/or Ring Fencing. Firms have also had to respond to developments outside of the sector, like the coronavirus pandemic, the General Data Protection Regulation and the UK’s withdrawal from the EU.

The sample firms collectively deployed over 1m changes over 2019 with each firm deploying 35,000 production changes on average. This represents significant activity and highlights the complexity of translating business or regulatory initiatives into technology change.

To better understand the drivers of change, firms were asked to allocate their change budgets across 6 broad buckets. We found that firms dedicated the highest proportion of their change resources to ‘maintenance and upkeep’ and ‘satisfying regulatory and legal requirements’.

The need for continued maintenance presents a challenge to firms going through transformation. While significant effort will always be dedicated to this area, some firms told us that automating routine maintenance tasks and consolidating their operating environments has allowed them to re-allocate resources to other change activities.​​​​​

Effective project management is a critical component of change management governance. It helps ensure that what is being delivered meets the strategic objectives of the organisation, and plays a key role in risk management and quality control. A number of project management methodologies exist, but for the purpose of this review they are broken down into 2 broad types: ‘Agile’ and ‘Waterfall’.

We found firms that utilised a higher proportion of agile project management methodologies had fewer incidents resulting from change. However, firms stated that they often used a hybrid approach by applying agile 'tools and techniques' such as daily stand-ups, use of Kanban boards etc. to waterfall managed projects. Agile and Waterfall methodologies each have their own advantages and disadvantages and the best choice is dependent on the project type and circumstances. However, attendees at the workshops stated that being able to manage changes in smaller packets contributed to the likelihood of success.

We found that a number of consistent risk factors are prevalent in high risk change projects of all sizes. Firms across all sectors agreed that the most consistent risk factor is when ‘a project is dependent on other projects delivering their objectives’. These projects require the coordination of many moving parts, detailed awareness of the interconnectedness of systems and services, and changes needing to be completed in tandem to fulfil structured project plans.

Projects that implement technologies not previously used within the organisation were rated high risk, as were those that change legacy technology. Contributing factors to these ratings could be incompatible systems and data, as well as the high degree of uncertainty involved with these projects. Reliance on third parties could also raise unforeseen issues during delivery and firms should ensure that they select and govern their change partners appropriately.

The classification of a project as ‘major’ seems to be less of a risk factor when considering the characteristics that may affect project delivery. This may be because there is greater sponsorship, resource and ultimately scrutiny being placed on a major change project. Firms also seem to trust project delivery when intragroup resources are leaned on more heavily.

Multiple firms highlighted the importance of implementation planning and careful risk management when delivering projects with one or more of these high-risk characteristics. We found that most firms managed risks as part of the day to day project management and actively included team members in the risk process. Firms also managed risk registers for each project. We found that these firms were more likely to have higher change success rates compared to firms that employed an ad-hoc or periodic approach to risk management.

Testing aims to minimise the issues that can occur before, during and after implementation of a change. A variety of testing methods can be used to more closely replicate the change that is intended to take place and reduce potential risks.

Firms use a wide range of testing approaches depending on the scope and scale of change being deployed. All firms made use of Regression Testing, Integration Testing and Unit Testing.

However, we found that firms are still heavily reliant on manual testing and peer review, both of which are prone to human error. Repeatability and consistency of processes throughout the lifecycle of a change and its deployment could reduce the testing burden, and allow for increased coverage of assurance activity.

Firms highlighted that end-to-end testing automation was the ‘gold standard’ but not always possible. Most firms use some automated testing, but they commented that it came with its own benefits and challenges, particularly the need to maintain control, and make use of deployment-specific tests. They also emphasised that automated testing does not completely eliminate the need for manual oversight and testing.

Firms that attended the workshops and employed a standardised approach to testing said that they gained confidence in utilising a repeatable process. Firms also stated that communication with business stakeholders, a strong understanding of the technology estate, as well as upstream and downstream systems were common drivers of the design of test plans before go-live.

Under a DevOps model, development and operations teams are no longer 'siloed', resulting in increased ownership and less friction between teams. Sometimes these 2 teams are merged into a single team. Engineers work across the entire application lifecycle, from development and test to deployment and operations, using a range of skills not limited to a single function. In some DevOps models, quality assurance and security teams may also be more tightly integrated with development and operations throughout the application lifecycle.

Firms in our sample stated a preference for an agile DevOps approach. There was wide support for carrying out smaller changes gradually, but some larger firms outlined clear challenges in doing so. For example, they highlighted that major changes, specifically regulatory changes, are difficult to break into small changes, due to varying specifications and hard deadlines.

84% of firms use DevOps methodologies in some form, but only 13% of firms use DevOps processes for all software delivery activities. While most firms are looking to take advantage of innovative approaches, attendees at the workshops stated that DevOps methodologies are often not applied consistently across the organisation, which could highlight the implementation challenges involved. Our data analysis showed that firms who rely heavily on legacy systems had lower adoption rates. However, a large proportion of the firms that do not widely use DevOps currently plan to deploy more workloads using this methodology over the next 12 months.

DevOps methodologies can increase the frequency and pace of releases. However, increased release frequency and automated assurance can present significant operational and regulatory challenges, and it’s important that firms understand that this isn’t a one-size fits all solution. The incident and change data provided by firms suggested that firms who described a higher proportion of their software development activities as ‘DevOps’ experienced a slightly higher change failure rate compared with other firms. However, due to the sample size no firm conclusion could be identified as to the impact a DevOps methodology has on change success.

To successfully leverage DevOps methodologies, firms said that they first need to have a strong awareness of their operating environments, as well as a solid understanding of risk, and rigorous governance. This requires significant time and upfront financial investment, and can be particularly challenging when multiple methodologies are used at the same time.

The speed at which firms implement change provides insight into the size of changes, tooling and methodologies they use. Our review showed that most firms deployed changes to their core systems between once a month and once a quarter. Automation can decrease the time it takes to plan, build, test and deploy change while reducing the possibility of human error.

Deploying change regularly and safely usually requires firms to use automated tools and processes and to leverage modern infrastructure. Firms that deployed changes between once a week and once a day/multiple times a day made use of automated deployment tools, with 78% utilising a deployment process that was mostly or fully automated. Most of these firms (89%) also leveraged microservice architecture in some capacity. Firms that deploy frequent change were also more likely to use public cloud technology and have limited legacy technology within their IT environments. Overall, we found that firms who used microservices, automation and deployed changes more frequently had higher change success rates. However, it is important to note that approaches were often not consistently applied within firms and that change incidents still occurred.

To see how quickly firms could launch new products, board members were asked ‘if you had an innovative idea that required IT change as a key component, how long would it take to approve the idea, build it, and deploy it to users (on average)?’ While timelines vary depending on the product, most respondents told us that new ideas can be implemented within 6-12 months.

Many FS firms run on complex legacy infrastructure that has been patched over many years and operates alongside new technologies. This can result in difficulty in understanding overall IT estates and the potential impact of a change. Firms participating in this review said that it is important to invest in estate discovery to understand the data and the application portfolio when designing a change, which can be difficult when dealing with legacy infrastructure.

Shifting away from legacy infrastructure presents firms with a substantial challenge. Several of the highest impact technology incidents experienced over the last 10 years have been a result of failed migration of legacy infrastructure.

According to our review, over 90% of reviewed firms are still reliant on legacy infrastructure and applications to deliver production services. This proportion is highest in the insurance sector, where over 70% of respondents classified most of their infrastructure and applications as legacy, with 100% of insurance sector respondents relying on legacy technology in some form. We also found that firms with higher amounts of legacy infrastructure and applications had a higher change failure rate. This supports the view that technology change is more difficult to implement without disruption when dealing with legacy infrastructure.

The impact of legacy infrastructure on security and technology resilience is well documented and it has a significant impact on firm’s change management capabilities. Having a significant proportion of legacy infrastructure within an IT estate limits the flexibility of processes and prevents firms from taking advantage of new developments, release and deployment methodologies, which we observed in our review as contributing to change success. The high-level of uncertainty and risk involved in changing legacy infrastructure requires substantial testing and management oversight.

Public cloud computing is changing the way infrastructure is designed and implemented. While companies have traditionally relied on physical data centres or colocation facilities, they are increasingly taking advantage of the scale and flexibility of public cloud offerings. Migrating to and managing public cloud environments presents several challenges, including a lack of oversight and direct control. However, public cloud environments can also provide numerous benefits.

Public cloud computing is not a new concept and has been a critical part of firms’ IT estates for a number of years. A large number of high profile firms have announced their move towards public cloud computing over the last few years. However, our research found that the majority (78%) of production applications are still hosted in on-premise environments. While adoption rates varied across participants, attendees at the workshops expected their firm’s use of public cloud computing to increase.

One of the main benefits of change management in the cloud is that it enables a high degree of automation. This can reduce the manual risks of change and increase the agility of incident response. While automation doesn’t guarantee that a change won’t have an adverse impact, it can reduce the risks involved. Automation drives repeatability and consistency through the change lifecycle, reducing the risk of human error and enabling the creation of identical environments for predictable and testable outcomes and automating aspects of recovering from change incidents. Public cloud offerings also allow for the automated scaling of IT environments, removing the need to provision additional resources to meet business demand.

We used a data-driven approach for this review, based on the IT service management information held by firms. Our analysis covers over 1m changes implemented into production environments over 2019. We also reviewed metrics from the nearly 20,000 incidents resulting from change over the same period, as well as qualitative data on how firms deploy and assure change management activities. A confidential questionnaire was also sent to firm board members to better understand the drivers for change and their level of confidence in their organisation’s ability to deploy change effectively.

The information request sent to firms was broken down into 4 sections:

1. IT Service Management quantitative questionnaire
2. Change Management qualitative questionnaire
3. Full change and incident ticket analysis
4. Confidential Board questionnaire

1. IT Service Management Questionnaire:

To ascertain the level of disruption from failed changes and determine what types of change carry the highest level of risk, we requested 18 key operational metrics from 23 firms. This included the total number of IT changes implemented by change type over 2019, the number of incidents resulting from change by type, the proportion of incidents that had an impact on customers and the average change implementation duration over 2019.

2. Change Management Qualitative Questionnaire

Our Change Management Qualitative Questionnaire looked to obtain information around 4 key areas that have an impact on change management processes.

The information requested aimed to capture information around:

• technology change: the key controls in place to manage the risk of change, how firms track, categorise and record changes across their estate, the length of time governance arrangements have been in place, firms change budgets and the key drivers of change within the industry
• programme and project management: the methodologies used by firms to deliver change, the common characteristics of 'risky' changes, benefit realisation and programme risk management
• infrastructure: the underlying network, hardware and software components that support IT services
• build, test and deployment: the methodologies, techniques and technologies used to release and assure technology releases and deployments

3. Full Change and Incident Ticket Analysis

4 additional firms were asked to provide their full change and incident logs for in-depth analysis. These logs contained all the change and incident tickets created by the organisations over a year. This provided the project team with an opportunity to perform an in-depth analysis of how incidents and changes were categorised and an understanding of incident trends.

4. Confidential Board Questions

A short, confidential questionnaire was sent to participating firm’s board members to ascertain their level of confidence with their own ability and their firm’s ability to perform technology change. The questionnaire was sent via the FCA’s survey tool and no attempt was made to identify individual respondents. The questionnaire asked respondents to rate their level of confidence in their ability to approve technology change as well as how confident they were in their organisation’s ability to deploy change without incident.

Target Population and Sampling Methodology:

A sample of 23 firms of varying sizes, business models and customers bases were selected from across the FS industry. The dataset was separated into the broad sectors based on their Group regulatory model. Included in the main review were 8 Wholesale, 8 Retail, and 7 Insurance firms alongside a number of additional firms invited to our change workshops.

Statistical Analysis Methods:

• Cluster Analysis: We derived IT change performance profiles with a data-driven approach, using hierarchical cluster analysis. In this approach, the response of those in one group are similar to each other and dissimilar from those in other groups. To calculate change performance a range of metrics were used including the average number of incidents per change, the severity of the resulting change related incidents, whether the incidents were customer-facing and the average duration of incidents. Firms were grouped by their change performance scores and common traits identified.

Regression Analysis: To estimate the relationship between independent variables regression analysis was used.

The FCA’s PoC requested 14 metrics from 5 firms covering calendar year 2018. Unfortunately, 1 firm was removed from scope due to the quality of data submitted. Unlike the 2020 information request, the PoC requested full change ticket and incident logs for all systems and applications. The scope of the request included all regulated entities/intra-group changes and incidents that impact UK business and third-party incidents. This amounted to nearly 8.5 million data points.

Our PoC helped to inform our approach to the methodology of the information request, but also the findings were in line with our overall report findings. Our key findings from the 4 firms who responded were:

• Firms are putting through a substantial amount of changes each year, these 4 firms implemented over 100,000 changes.
• The change success rate was 98.9%.
• The average emergency change rate was 7.5%.
• 16.4% of total incidents had a root cause relating to change activity.
• CABs were also not being used as effectively as they could be to mitigate the risks associated with change.