Viewpoint: Blueprint Two is a significant potential risk event

The process of change itself introduces significant risk. It becomes very easy to look forward and focus solely on the risks associated with the change. What happens if something fails to go to plan? How will we react? What impact might it have on our cashflow, or on the way we pay claim monies to customers?

These are all great questions and ones that need to be considered collectively and individually but, as a market, we should not lose sight of why we are undertaking this programme of modernisation. 

This change is happening precisely because of “risk” – the risk that comes with continuing to rely on technology that pre-dates most of our careers. As one colleague recently put it to us, it pre-dates by a considerable period of time the technology we now all take for granted, our mobile phones.

There is significant risk in the ongoing use of this very old technology not originally designed with the modern era in mind. That risk has now firmly tipped the balance scales in favour of the need for change.

So, if we accept that doing nothing is not an option, we can focus on how we mitigate the risk associated with market modernisation and how we maximise our ability to cope with any disruption that does occur. As a market, we have collectively agreed change is necessary, so as individual firms, if we wish to continue being part of the London market, we must play by the collective rules and common processes we have all chosen to abide by.

With that in mind, a lot of careful thought has gone into the design of phase one to ensure, in so far as it is practicable to do so, that the level of change market participants must adapt to is limited. But this remains a significant change event, both from the technology and process perspectives, and is one that rightly involves our colleagues in risk functions.

It is clear there is a wide range of disruption possible, with the scale spanning anything from staff having to train for and adapt to new processes, through to the far more significant possibility of system failure of some kind.

Key focus areas

In our conversations with market participants, three key areas of risk associated with the change itself have generated the greatest level of focus. These are: testing – strategy, scope and timeframes; the overall timelines for change, which are very tight; and the risk of disruption and how that will be managed given that, if it happens, it is likely to be market-wide.

These are entirely understandable concerns given the scale and timings of the change and will be recognised by those running the programme centrally. The level of change for phase one is being kept to a minimum, with significant investment being made in providing market firms with as much guidance, support and testing material as it is practicable to deliver.

Velonetic has continued to evolve the Blueprint Two website, with updated information recently added on a variety of topics, including electronic data interchange technical specifications, market training material, carrier checklists, quality assessment, assurance and governance, Vanguard testing, and customer testing. In February, portal demonstrations and customer testing Q&A sessions are being hosted.

The onus now is very much on individual firms to assume accountability for their own readiness, making use of all the support and guidance that is being made available. Alongside the change itself, they need to consider their own internal governance process and the way they manage their internal risks and regulatory obligations.

A wide-ranging change programme of this nature will almost certainly require board approval on the final go/no-go decision. And therein lies a conundrum – phase one may well have a July 1 cutover date attached, but with the need for boards to sanction the change, the reality is that, for most firms, this approval will need to be obtained a month or more ahead of that date. With final testing yet to get fully under way for many firms, there is a feeling that time is against the market but, in reality, much has already been done centrally to ensure readiness.

Regulatory and operational readiness

The change programme itself may be driven by a need to deliver improved operational resilience and cost efficiencies. The process of change, however, brings the programme squarely within the perimeter of regulators – certainly in the UK, but also, to some degree, internationally. 

Risk and compliance practitioners will need to consider the implications of the programme from a number of angles, paying specific regard to the given regulator’s work on outsourcing and critical third parties, and operational resilience.

The action taken by the Prudential Regulation Authority (PRA) against the chief information officer of TSB Bank for failures associated with their own, internal programme of change will certainly be on the minds of a number of accountable C-suite executives with a role to play in this programme.

If we accept that doing nothing is not an option, we can focus on how we mitigate the risk associated with market modernisation and how we maximise our ability to cope with any disruption that does occur

Blueprint Two introduces change across a number of critical third parties, impacts several important business services and has the potential to test impact tolerance levels. And with the action against the TSB, it is clear the PRA will not tolerate a failure to plan.

It is no surprise then, that overall operational readiness and the tight timeframes to complete testing have been regular topics of conversation. Seen through the lens of a risk professional, a group tasked with the specific responsibility to both identify operational risk and to help identify pathways to removing or mitigating those risks, Blueprint Two is a significant potential risk event.

Achieving readiness

The question firms need to be asking themselves is, what does readiness look like for their organisation? This will be a combination of satisfaction they have taken all appropriate actions to reduce the risks associated with the changes taking place; and confidence they have maximised their ability to cope with any disruption that does arise.

There will be significant overlap in that picture of "readiness" across firms, but risk tolerances and how firms conclude they need to approach contingency planning will differ based on the specific operating models, types of customer and types of business written by each business.

Market organisations such as the Lloyd’s Market Association, the International Underwriting Association, London & International Insurance Brokers' Association, and Lloyd’s are doing an excellent job in identifying common ground and ensuring member firms have a clear and common understanding of the issues.

Ultimately though, there can be no delegation of responsibility for the readiness assessment within individual firms. Each must answer the question for themselves. The key areas firms need to consider include: governance and oversight; impact assessments; business continuity planning; risk assessments; data integrity, privacy and security; outsourcing/third-party relationships; change management; testing and quality assurance; and cutover plans.

With a change of this scale, perfection rightly remains the ultimate objective, but finite budgets and resources, and competing priorities, make disruption of some magnitude inevitable. Readiness is a state where we have maximised our ability to deal with any disruption that does arise, with a lens that sees both the company and customer implications of such disruption. For any firm that is taking its own readiness seriously, that is very achievable and it is the regulatory expectation.

Benoit Steulet is operations director and Claire King is risk and compliance director at ICSR