UK Treasury Committee to Focus Regulators on System Availability and Cloud Concentration Risk

How Citihub Consulting helps clients assess and mitigate resilience risks

On the 28th October, The Treasury Committee issued the findings of its investigations into a string of high-profile IT outages in the UK’s financial services sector. The report directs regulators to intervene to improve the operational resilience of systemically important systems. This is expected to include:

  • Increased levies to fund a recruitment drive that will enable regulators to focus on the specific challenges of IT resilience;
  • Expanding the Senior Managers regime to include Financial Market Infrastructure firms (e.g. those that provide payments systems);
  • A specific focus on the concentration risks associated with third-party providers (the report specifically highlights cloud services providers).

Several things stand out. Firstly, the report highlights that the cost and complexity of system upgrades cannot be used as an excuse for not replacing legacy systems. It directs regulators to make specific interventions to ensure that customers are not exposed to the inherent risks associated with these legacy systems. Secondly, the identification of the concentration risk with, and the systemic importance of, the CSP market is a first. Furthermore, it is supported by the strong suggestion that it may now be necessary to regulate the operational resilience of CSPs.

Interested to know more about our Application Risk Assurance framework?

Request more information

The implications will be far-reaching both in terms of the operational resilience programmes that most financial services firms are mobilising but also how replacements for legacy systems are engineered, sourced and provisioned. Since 2007, Citihub Consulting has worked extensively with leading financial institutions to proactively identify and mitigate Application Availability Risk. Or proprietary Application Availability Assessment (AAA) methodology has been used across the street to assess systemic risks in 200+ mission critical applications and to scope, prioritise and fund mitigation. In 2018, AAA was developed further and has now become Application Risk Assurance (ARA) to recognise the changing focus and priorities of both regulators and institutions, and to combine client feedback and the experiences of the Citihub Consulting team.

The ARA’s philosophy is:

  • Holistic – it considers the entire IT stack crossing the boundaries between application and infrastructure and spanning all aspects of people, process and technology;
  • Rapid – it encompasses a wide spectrum of review areas using detailed questionnaires, risk/availability data points and design artefacts to accelerate the assessment and quickly develop a deep understanding of systems and risks;
  • Risk Focussed – it identifies current and future risks, rated by impact severity and probability;
  • Actionable – it produces prioritised actions and actionable mitigations that are ordered by benefit and complexity;
  • Constructive – proven models and decision support materials help stakeholders make well-informed and effective decisions to either accept risks or take action;
  • Tried & Tested – the framework and standard artefacts have been successfully used for more than 40+ client engagements and 200+ applications.

Citihub Consulting’s practitioners have deep financial services expertise across the whole of the IT stack. Using these skills, the approach is a structured engagement of stakeholders across (often) siloed functions: IT, Application Development, Operations, IT Sec and Risk. It embraces the observed best practices and international standards that are used by regulators as an assessment baseline (e.g. ISO27001 for Information Security as the baseline and the NCSC Cyber Risk Assessment as the minimum assessment bar). The assessment process uses an evidence-based method (e.g. architecture designs, asset registers, risk registers, help desk tickets and so on) as well as Citihub Consulting’s own experiences.


application risk assurance framework -


The outputs of the ARA are designed to position clients to avoid enforcement actions. Specifically, the deliverables highlight critical risks and their remediations providing a solid baseline and a well-defined plan of remedial actions.

Want to know more about Application Risk Assurance?


Ian O'Hara

Ian O'Hara


Ian brings a wealth of cross-industry technology experience to our clients and specialises in the commercial aspect of IT, including a deep knowledge of the data centre and managed services industries around the world.