How to respond to the FCA’s “IT controls” form

What is the IT Controls Form?

‍

Operational resilience is a key priority for the FCA, and is defined as the ability for firms operating within the financial sector to be able to prevent, respond to, adapt, recover and learn from any operational disruptions. 

As part of the FCA’s efforts to ensure firms and COOs can demonstrate operational resilience, the regulatory authority published it’s “IT controls” form, detailing questions that cover the following operational themes:

‍

• Governance, Strategy & Culture
• Risk Management
• Service Mapping and Design
• Service Continuity and Testing
• Change Management
• Incident Management
• Third Party Management
• Identity and Access Management (IAM)
• Threat and Vulnerability Management (TVM)
• Physical Environment

The ten themes demonstrate the breadth of operational risk that firms face with regards to their IT.

‍

Change Management

‍

One of the key areas of focus that we regularly visit with our clients at Synetec is the theme of ‘Change Management’. Change Management is often associated with software development and the questions explored within this section of the “IT controls” form should be a key priority for COOs.

The overriding goal of Change Management is being able to minimise the associated risks that arise when changes occur. Change Management within IT is important because it helps firms to ensure that any changes made occur in a controlled and consistent manner. By doing so, firms are able to eliminate any potential disruptions that can occur to their business processes and systems at a later stage. 

The questions presented by the FCA in this section include:

‍

• Do you have documented change management policies and procedures in place? 
• Do you have visibility of timelines/scope/risks of changes and projects across your IT estate and 3rd parties. 
• Are your internal and 3rd party changes approved from both a business and technical perspective. 
• Do you test your changes before deploying them into a production environment?
• Do you report change management metrics and KPI's to management?
• Do you ensure that changes meet the firm's security policy and procedures?
• Do you keep an audit trail of all changes to ensure that they follow agreed procedures so changes can be tracked?

Without effective Change Management processes in place, firms are at risk of lost productivity, prolonged downtime, data losses, and security breaches. Failure to maintain a holistic view of operational structures of a business and the operations of third-party providers can place firms at even greater risk and leaves room for unforeseen issues.  

To be able to fully address the questions laid out by the FCA, Change Management requires a robust strategy that considers and is inclusive of a thorough risk analysis of operations and software used within a firm’s IT.

‍

How we can help 

‍

At Synetec, we work with COOs to create such strategies. We work with our clients to establish key goals and objectives that are in line with FCA standards and expected KPI metrics. We also help our clients to establish IT policies, processes and frameworks so firms can maintain a clear overview of their timelines and manage changes in a controlled structure that includes an audit trail. If you would like to learn more about how we can assist you with IT change management that adheres to FCA requirements, contact us today. 

‍