This article was first published by Insurance Day in their Viewpoint section and subsequently also included in their Market Modernisation feature in February 2024.
Change is inevitable and our market is constantly managing a whole variety of change programmes, each with their own level of risk. Blueprint Two is certainly one of the larger programmes most of us will have experienced in our careers and brings with it the promise of many benefits in terms of improved data quality, reduced costs and increased resilience.
But the process of change itself does of course introduce significant risk. It becomes very easy to look forward and focus solely on the risks associated with the change. What happens if something doesn’t go to plan? How will we react? What impact might it have on our cashflow, or on the way we pay claim monies to customers? These are all great questions and ones that need to be considered collectively and individually. But as a market, we should not lose sight of why we are undertaking this programme of modernisation. It is precisely because of ‘risk’ – the risk that comes with continuing to rely on technology that pre-dates most of our careers, and as one colleague recently put it to me, pre-dates by a considerable period of time the technology we now all take for granted, our mobile phones. There is significant risk in the ongoing use of this very old technology not originally designed with the modern era in mind. That risk has now firmly tipped the balance scales in favour of the need for change.
So if we accept that doing nothing is not an option, we can focus on how we mitigate the risk associated with market modernisation and how we maximise our ability to cope with any disruption that does occur. As a market, we have collectively agreed change is necessary, so as individual firms, if we wish to continue being part of the London Market, we must play by the collective rules and common processes we have all chosen to abide with.
With that in mind, a lot of careful thought has gone into the design of Phase 1 to ensure, in so far as it is practicable to do so, that the level of change which market participants must adapt to is limited. But this remains a significant change event, both from a technology and process perspective. One that rightly involves our colleagues in risk functions.
It is clear that there is a wide range of disruption possible, with the scale spanning anything from the simple disruption arising from staff having to train for and adapt to new processes through to the far more significant possibility of system failure of some kind.
In our conversations with market participants, three key areas of risk associated with the change itself have generated the greatest level of focus. These are:
- Testing – strategy, scope and timeframes;
- The overall timelines for change, which are very tight;
- The risk of disruption and how that will be managed given it is likely to be market-wide, if it happens.
These are entirely understandable concerns given the scale and timings of the change and will be recognised by those running the programme centrally. The level of change for Phase 1 is being kept to a minimum, with significant investment being made in providing market firms with as much guidance, support and testing material as it is practical to deliver. Velonetic have continued to evolve the Blueprint Two website, with updated information recently added on a variety of topics, including EDI technical specifications, market training material, carrier checklists, quality assessment, assurance (QAA) and governance, Vanguard testing, and customer testing. In February, portal demonstrations and customer testing Q&A sessions are being hosted.
The onus is now very much on individual firms to assume accountability for their own readiness, utilising all the support and guidance that is being made available. Alongside the change itself, they need to consider their own internal governance process and the way they manage their internal risks and regulatory obligations.
Governance & Oversight
A wide-ranging change programme of this nature will almost certainly require board approval on the final go/no-go decision. And therein lies a conundrum – Phase 1 may well have a 1st July cutover date attached, but with the need for boards to sanction the change, the reality is that for most firms, that approval will need to be obtained a month or more ahead of time. With final testing yet to get fully underway for many firms, there is a feeling that time is against the market, but in reality, much has already been done centrally to ensure readiness.
Regulatory & Operational Readiness
The change programme itself may be driven by a need to deliver improved operational resilience and cost efficiencies. But the process of change brings the programme squarely within the perimeter of regulators – in the UK certainly, but also to some degree, internationally. Risk and compliance practitioners will need to consider the implications of the programme from a number of angles, paying specific regard to the Regulator’s work on:
- Outsourcing and Critical Third Parties; and
- Operational Resilience
The action taken by the PRA against the Chief Information Officer of TSB Bank for failures associated with their own (internal) programme of change will certainly be something that is within the contemplation of a number of accountable C-suite executives with a role to play in this programme. Blueprint Two introduces change across a number of Critical Third Parties, impacts several Important Business Services and has the potential to test Impact Tolerance levels. And with the action against the TSB, it is clear the Regulator will not tolerate a failure to plan.
It is no surprise then that overall operational readiness and the tight timeframes to complete testing have been regular topics of conversation. Seen through the lens of a risk professional, a group tasked with the specific responsibility to both identify operational risk and to help identify pathways to removing or mitigating those risks, Blueprint Two is a significant potential risk event.
Achieving Readiness
The question firms need to be asking themselves is what, for their organisation, does readiness look like? That will be a combination of:
- Satisfaction they have taken all appropriate actions to reduce the risks associated with the changes taking place; and
- Confidence they have maximised their ability to cope with any disruption that does arise.
There will be significant overlap in that picture of ‘readiness’ across firms, but risk tolerances and how firms conclude they need to approach contingency planning will differ based on the specific operating models, types of customer and types of business written by each business.
Market organisations such as the LMA, IUA, LIIBA and Lloyd’s are doing an excellent job in identifying common ground and ensuring member firms have a clear and common understanding of the issues.
Ultimately though, there can be no delegation of responsibility for the readiness assessment within individual firms. Each must answer the question for themselves. The key areas firms need to consider include:
- Governance and Oversight
- Impact Assessments
- Business Continuity Planning
- Risk Assessments
- Data Integrity, Privacy and Security
- Outsourcing/Third-Party Relationships
- Change Management
- Testing and Quality Assurance
- Cutover Plans
Conclusion
With a change of this scale, perfection rightly remains the ultimate objective, but finite budgets and resources, and competing priorities, make disruption of some magnitude inevitable. Readiness is a state where we have maximised our ability to deal with any disruption that does arise, with a lens that sees both the company and customer implications of such disruption. For any firm that is taking its own readiness seriously, that is very achievable and is the regulatory expectation.
Blueprint Two Assurance
If you are interested in understanding how ICSR could help your firm’s readiness for Phase 1 with a Blueprint Two healthcheck, speak with Benoit Steulet, Claire King or your usual ICSR contact.