Yesterday, DBS released a statement which said that it has rolled out a comprehensive roadmap to improve technology resiliency, with both immediate and longer-term measures to strengthen technology governance, people/leadership, systems and processes.
It also disclosed that Accenture was appointed to carry out a root cause investigation of the March incident, which was subsequently extended to the May incident. It said that the review was completed in August and corroborated against recent disruptions on 26 September, 14 October and 20 October.
To my knowledge, this is the first time that DBS has disclosed the completion of the Accenture review in August and provided a summary of the key thematic areas for improvement, Accenture’s key recommendations and actions already taken or being undertaken.
There must be questions as to whether sufficient urgency was put into implementing the recommendations following the earlier incidents.
For example, it was only yesterday evening that it laid out its roadmap to improve technology resilience and the appointment of 2 advisors of the special board committee convened in March 2023 to its newly constituted BRMC Technology Risk Committee, a subcommittee of the BRMC.
Further, as a DBS customer, I take no comfort when the company talks about longer-term measures and its assurance of improved service reliability when the roadmap is completed. There is mention of an expected 12-24 months to fully implement certain improvements which are more structural in nature (including strengthening system resilience and tightening processes around change management), but it is not clear to me when the entire roadmap will be completed. Customers may have to brace themselves for more incidents and long recovery periods for some time yet.
The bank will set aside a special budget of SGD80 million to enhance system resiliency. In the context of a bank as large as DBS, it’s an open question as to whether this is anywhere near enough (it’s about 5 times the total FY2022 remuneration of the CEO).
The board said that senior management will be held accountable and this will be reflected in their remuneration. But how will the board be held accountable? The board does not manage operations but it has the responsibility for ensuring a robust three lines in risk management. And in this case, it seems quite clear that there are major failures in the three lines. What will ultimately be the impact on senior management remuneration and whether this is sufficient to ensure that they have a laser focus on technology resilience remain to be seen.
There is the question as to the lack of financial penalties imposed on DBS. I guess that would only hurt shareholders and may have a minimal impact on the profit used to determine senior management remuneration (unless such penalties can lead to significant forfeitures or clawbacks of remuneration under the remuneration policy).
Ultimately, both the board and senior management are accountable for what has happened.