Continuity Central recently reported on a decision by the PRA to fine an ex-TSB CIO due to poor decision-making relating to outsourcing contracts which resulted in operational resilience failures. In this article, David Honour explores the role of defensible decision making in helping prevent such incidents in future.
On 13th April 2023, the UK Prudential Regulation Authority (PRA) announced that it had fined Mr Carlos Abarca, the former chief information officer (CIO) of TSB Bank plc, £81,620 for his role in operational resilience failings at the bank (1).
This follows on closely from enforcement action taken in December 2022 against TSB for operational resilience failings, which resulted in a joint financial penalty of £48,650,000 being imposed by the PRA and Financial Conduct Authority (FCA). TSB also paid out £32.7m in redress to customers who suffered ‘detriment due to the operational failure in question’.
The PRA explained that ‘as CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so’.
The root of the incident which led to both the individual fine for Mr Abarca and the much larger fine for TSB itself appears to be ineffective decision making: assurance was given to the Board without the evidence needed to support it.
According to the FCA and PRA (2):
‘In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services on to a new IT platform. While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business-as-usual’
TSB’s IT migration programme was an ambitious and complex IT change management programme carrying a high level of operational risk. Its success was critical to TSB’s ability to provide continuity of critical functions and to its safety and soundness. However, the regulators found that TSB failed to organise and control the IT migration programme adequately, and that it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
The FCA and PRA identified governance ‘which was insufficiently robust’ as one of the main root causes of the incident.
At the core of good governance is defensible decision making. This article will explore what this is, why it is important within operational resilience and crisis management, and how to start implementing it within your organization.
What is defensible decision making?
The key point of defensible decision making is that at any point in the future the reasons for a decision being taken can be examined, understood, and defended. There are no grey areas, misremembering, or incongruities. It is clear who made a decision, why that decision was made, and on what grounds the decision was made.
The key points are that defensible decisions are made in a structured way, so that decisions are:
Defensible decision making in operational resilience
Defensible decision making is relevant to any organizational management system, and none more so than operational resilience. Decisions need to be made on operational resilience strategy, planning, and resourcing; and regulators have made clear that the ultimate responsibility lies with the board and senior management – something underlined by the FCA and PRA decisions concerning TSB.
Taking a defensible decision making approach not only ensures that the organization is better prepared for future action from regulators should things go wrong; it also means that the decisions taken, and therefore the subsequent operational resilience arrangements, are much more likely to be of high quality and effective.
Defensible decision making in crisis management
Decision making is one of the seven principles of building a crisis management capability, as set out in the new ISO 22361 crisis management standard, which was published in November 2022.
ISO 22361 includes a whole section entitled ‘Strategic crisis decision-making’, and a key point is that decision making must be defensible – i.e. the reasons that a decision was made should be able to be examined after a crisis, and the context for the decision understood. To achieve this, the standard says, decision making needs to be structured and must be recorded.
ISO 22361 says that post-crisis reviews ‘are not intended to assess whether … decisions were correct, but whether they were defensible given what was known at the time’.
A defensible decision is one that is ‘necessary, proportionate, legal, ethical and consistent with the values of the organization’ says the standard.
The importance of defensible decision making is emphasized by the requirement in the standard that every crisis management team should include a log keeper: ‘an essential part of the crisis team who maintains a log of all decisions and actions for later reference and use with reviews and reports, insurance or liability issues, enquiries or investigations’.
Other key points made about crisis decision making in ISO 22361 are:
- Effective decision making is reliant upon good information management, situational awareness, and an understanding of the needs and expectations of interested parties.
- Decisions should be based on evidence, logic, and judgement and understanding of the impact of potential consequences.
- The organization’s strategic objectives, core values, and priorities should be considered in all decisions.
- Decisions should be based on the ‘best information available at the time’, and need to be ‘compassionate, proportionate, necessary, ethical, legal and aligned with the organization’s values’.
All the above match the principles of defensible decision making.
The Joint Decision Model (JDM)
When implementing defensible decision making it is easier to make use of an existing model, rather than reinventing the wheel. One very effective approach is the Joint Decision Model (3), which was developed by JESIP (the Joint Emergency Services Interoperability Programme) as part of its Joint Doctrine principles for managing major incidents. These are used by all UK emergency services. The JDM can be easily adapted for use within the corporate environment.
Figure: The JESIP Joint Decision Model for defensible decision making.
The idea behind the JDM is to work around the model continually during a decision making process, with the five elements all being of equal importance to the central aim. The process gone through in each element is recorded, along with the final outcome and the people involved in making the decision. This then clearly shows the steps that were taken, the process and the information used, and the reasons for the final decision.
The elements of the JDM according to JESIP are as follows (in italics), with an interpretation for corporate use added to each one.
Working together saving lives reducing harm
The pentagon at the centre of the JDM reminds responders that all joint decisions should be made with reference to the overarching or primary aim of any response to an emergency – to save lives and reduce harm.
From a corporate perspective the primary aim is whatever the decision making process is aiming to achieve. This could be something like ‘Working together to develop an excellent and robust operational resilience strategy’, for example. It is an aide-mémoire to help keep people focused.
Gather information and intelligence
This stage involves gathering and sharing information and intelligence to establish shared situational awareness. At any incident, no single responder organisation can appreciate all the relevant dimensions of an emergency straight away.
In corporate usage decisions need to be based on all the relevant information that is available – this may be held in silos so needs to be gathered and shared effectively from right across the organization.
Assess threats and risks and develop a working strategy
This analytical stage involves responders jointly assessing the situation, including any specific threats, hazards and the risk of harm.
All corporate decisions need to include a risk and threat assessment and an analysis of the probabilities and impacts related to the decision that is being made.
Consider powers, policies and procedures
This stage relates to any relevant laws, procedures or policies that may impact on the response plan and the capabilities available to be deployed.
Corporate decisions must be informed by organizational policies and procedures – an investigation of which policies might apply to a decision is required and it needs to be clear how and why these informed the decision.
Identify options and contingencies
There will almost always be more than one way to achieve the desired outcomes. Responders should work together to evaluate the range of options and contingencies.
From a corporate perspective this is also very true: there will be many ways to achieve a specific outcome and the decision making process must show the various strategies that were considered and must record why a particular strategy was chosen.
Take action and review what happened
Actions and the subsequent outcomes should be regularly reviewed. As information or intelligence becomes available or changes during the incident, responders should use the JDM to inform their decision-making until the incident is resolved.
Any corporate process that is developed using a defensible decision making process should be reviewed regularly to ensure that it is operating as expected. If this is not the case, or if the organizational situation changes, decision makers must start the process again, commencing with the ‘Gather information and intelligence’ stage.
The JDM is just one model for defensible decision making, but it is clear, easily accessible, and very adaptable to the corporate environment. The key is that at every step the decision making process is recorded and then archived for future reference. For integrity, the record should be kept in a tamper-evident, append-only form (write-once storage, or a record in which each entry is cryptographically linked to the one before it), so that there can be no question over whether the decision making evidence has been altered after the event.
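To show what a tamper-evident record of the five JDM stages can look like in practice, here is an added example written for this article; it is not code from JESIP, ISO 22361 or the regulators, and the field names, the log-keeper role and the migration scenario in `demo()` are constructed for illustration rather than taken from TSB’s actual records. Each entry is hashed together with the hash of the entry before it, so editing or deleting any step breaks the chain; the example also shows why the latest hash must be anchored somewhere the log keeper cannot rewrite, because an insider who re-hashes the whole chain after an edit would otherwise pass the check.

```python
"""Tamper-evident decision log for a JDM-style decision process.

Added example (not from the article, JESIP or ISO 22361): each recorded step
is chained to the previous one with SHA-256, so any later edit to an entry,
or removal of one, is detectable on review.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

# The five JDM stages as listed in the article; the central aim is stored in every entry.
STAGES = (
    "gather information and intelligence",
    "assess threats and risks and develop a working strategy",
    "consider powers, policies and procedures",
    "identify options and contingencies",
    "take action and review what happened",
)
GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(body: dict, prev_hash: str) -> str:
    """Hash of an entry body bound to the hash of the entry before it.
    Canonical JSON (sorted keys, no whitespace) so identical content always
    hashes identically regardless of dict insertion order."""
    canonical = json.dumps({"prev": prev_hash, "body": body},
                           sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class DecisionLog:
    def __init__(self, aim: str):
        self.aim = aim
        self.entries: List[dict] = []

    def record(self, stage: str, log_keeper: str, summary: str,
               sources=(), decided_by=(), when: Optional[str] = None) -> str:
        """Append one step and return the new head hash (anchor it externally)."""
        if stage not in STAGES:
            raise ValueError(f"unknown JDM stage: {stage!r}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "aim": self.aim,
            "stage": stage,
            "log_keeper": log_keeper,       # hypothetical role name
            "summary": summary,
            "sources": list(sources),       # information the step relied on
            "decided_by": list(decided_by),  # who took the decision
        }
        h = entry_hash(body, prev)
        self.entries.append({**body, "prev_hash": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> Optional[int]:
        """Walk the chain; return the index of the first entry whose stored
        hash or back-link is wrong, or None if every entry is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or entry_hash(body, prev) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def missing_stages(self) -> List[str]:
        """JDM stages with no recorded step: a review finding in itself."""
        seen = {e["stage"] for e in self.entries}
        return [s for s in STAGES if s not in seen]


def rechain(log: DecisionLog) -> DecisionLog:
    """What a careful tamperer does: rebuild every hash after an edit so that
    verify() passes again. Only a head hash anchored outside the log exposes it."""
    fresh = DecisionLog(log.aim)
    for e in log.entries:
        fresh.record(e["stage"], e["log_keeper"], e["summary"],
                     e["sources"], e["decided_by"], e["when"])
    return fresh


def demo() -> dict:
    """Constructed walk-through (not TSB's records): one JDM cycle, a silent
    edit to the risk assessment, and the two checks that catch it."""
    log = DecisionLog("Working together to deliver a resilient IT migration")
    when = "2024-01-01T09:00:00+00:00"  # fixed timestamp so hashes are repeatable
    k = "J. Smith"  # hypothetical log keeper
    log.record(STAGES[0], k, "Supplier readiness report received and shared", ["readiness report v3"], when=when)
    log.record(STAGES[1], k, "Risk: full-volume performance test not completed", ["risk register R-17"], when=when)
    log.record(STAGES[2], k, "Policy requires independent assurance of critical suppliers", ["outsourcing policy s.4"], when=when)
    log.record(STAGES[3], k, "Options: go live / defer 8 weeks / partial migration", when=when)
    anchored_head = log.record(STAGES[4], k, "Decision: defer go-live pending test evidence",
                               decided_by=["CIO", "Board risk committee"], when=when)
    intact_before, missing = log.verify(), log.missing_stages()
    # Later, someone softens the risk finding in place.
    log.entries[1]["summary"] = "Risk: supplier performance testing complete"
    first_bad = log.verify()            # chain check catches the edit at entry 1
    rebuilt = rechain(log)              # tamperer re-hashes the whole chain...
    return {
        "intact_before": intact_before,
        "missing": missing,
        "first_bad": first_bad,
        "rechained_verifies": rebuilt.verify() is None,          # ...so verify() passes again
        "rechained_matches_anchor": rebuilt.head() == anchored_head,  # ...but the anchor does not
    }
```

The chain check alone only defends against edits made without rebuilding the hashes; the last line of `demo()` is the important one. In practice the head hash returned by each `record()` call should be copied to somewhere the log keeper cannot overwrite (minutes circulated to the board, a write-once store, or a timestamping service), and a post-crisis review should compare the archived log against that anchor as well as walking the chain.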
The advantages of defensible decision making
The outcomes of defensible decision making are wide-ranging. They include:
- Better quality decision making
- Decision making that is informed by and in line with corporate policies
- Decision making that has been challenged effectively
- Decision making that is risk-based, where the impacts of decisions have been weighed up and the decision has been taken with an understanding of any risks that are being taken
- Decisions made will have been monitored and debriefed as part of a lessons learned process
- Decisions will have been recorded to help protect the organization and its reputation from future actions of regulators or from other third party legal proceedings.
While implementing defensible decision making may seem like adding an additional layer of red tape, slowing down decision making, this does not need to be the case. Like any technique, its use will become easier with practice. It is far from being merely an exercise in covering your back: the decisions that emerge from the process are much more likely to be good for the organization than those made without the rigour that defensible decision making brings.
David Honour is editor of Continuity Central.