UK Treasury Committee to Focus Regulators on System Availability and Cloud Concentration Risk

How Citihub Digital helps clients assess and mitigate resilience risks

On 28 October, the Treasury Committee issued the findings of its investigations into a string of high-profile IT outages in the UK’s financial services sector. The report directs regulators to intervene to improve the operational resilience of systemically important systems. This is expected to include:

  • Increased levies to fund a recruitment drive that will enable regulators to focus on the specific challenges of IT resilience;
  • Expanding the Senior Managers regime to include Financial Market Infrastructure firms (e.g. those that provide payments systems);
  • A specific focus on the concentration risks associated with third-party providers (the report specifically highlights cloud services providers).

Several things stand out. Firstly, the report highlights that the cost and complexity of system upgrades cannot be used as an excuse for not replacing legacy systems. It directs regulators to make specific interventions to ensure that customers are not exposed to the inherent risks associated with these legacy systems. Secondly, the identification of the concentration risk with, and the systemic importance of, the CSP market is a first. Furthermore, it is supported by the strong suggestion that it may now be necessary to regulate the operational resilience of CSPs.

The implications will be far-reaching, both for the operational resilience programmes that most financial services firms are mobilising and for how replacements for legacy systems are engineered, sourced and provisioned. Since 2007, Citihub has worked extensively with leading financial institutions to proactively identify and mitigate Application Availability Risk. Our proprietary Application Availability Assessment (AAA) methodology has been used across the street to assess systemic risks in 200+ mission critical applications and to scope, prioritise and fund mitigation. In 2018, AAA was developed further and has now become Application Risk Assurance (ARA) to recognise the changing focus and priorities of both regulators and institutions, and to combine client feedback and the experiences of the Citihub team.

The ARA’s philosophy is:

  • Holistic – it considers the entire IT stack crossing the boundaries between application and infrastructure and spanning all aspects of people, process and technology;
  • Rapid – it encompasses a wide spectrum of review areas using detailed questionnaires, risk/availability data points and design artefacts to accelerate the assessment and quickly develop a deep understanding of systems and risks;
  • Risk Focussed – it identifies current and future risks, rated by impact severity and probability;
  • Actionable – it produces prioritised actions and actionable mitigations that are ordered by benefit and complexity;
  • Constructive – proven models and decision support materials help stakeholders make well-informed and effective decisions to either accept risks or take action;
  • Tried & Tested – the framework and standard artefacts have been successfully used for 40+ client engagements and 200+ applications.

Citihub’s practitioners have deep financial services expertise across the whole of the IT stack. Using these skills, the approach is a structured engagement of stakeholders across (often) siloed functions: IT, Application Development, Operations, IT Sec and Risk. It embraces the observed best practices and international standards that are used by regulators as an assessment baseline (e.g. ISO27001 for Information Security as the baseline and the NCSC Cyber Risk Assessment as the minimum assessment bar). The assessment process uses an evidence-based method (e.g. architecture designs, asset registers, risk registers, help desk tickets and so on) as well as Citihub’s own experiences.



The outputs of the ARA are designed to position clients to avoid enforcement actions. Specifically, the deliverables highlight critical risks and their remediations, providing a solid baseline and a well-defined plan of remedial actions.

After a number of high-profile IT outages at several large banks, regulators are being directed towards an increased focus on operational resilience. Partner Ian O’Hara discusses how Citihub Consulting is helping clients to mitigate application availability and resilience risks.
