The Australian Securities Exchange (ASX) experienced "software issues" when it went live with the refresh of its trade equity platform in November last year, causing the exchange to pause trade.
At the time, the exchange said its technology provider Nasdaq, as well as customers and independent specialist third parties, conducted extensive testing for over a year on the ASX Trade system, including four dress rehearsals, in preparation for sending it out in the wild.
The tech used, it said, was the latest generation of a Nasdaq-developed trading system used around the world.
Following the outage, the Reserve Bank of Australia (RBA) and the Australian Securities and Investments Commission (ASIC) requested an independent review, and the ASX saw fit to hand this responsibility to IBM.
Never forget: IBM lambasted by ABS for failing to handle Census DDoS
On Monday, IBM served the ASX with 17 recommendations and found a number of shortcomings in the project, such as noting the trade platform was not ready for go-live.
"Factors that suggested the ASX Trade system was not ready to go-live considering ASX's near zero appetite for service disruption. This was the case even though the formal implementation readiness processes were completed and verified by multiple parties without objection to go-live," IBM found.
"There were gaps in the rigour applied to the project delivery risk and issue management process expected for a project of this nature, and risk and issue management, project compliance to ASX practices, project requirements and the project test strategy/planning did not meet accepted industry practices.
"It was not reasonable to expect the test plan used would meet the ASX's near zero appetite for service disruption."
According to Big Blue, there were seven factors that suggested the platform was not ready for go-live, which included historical software product quality indicators, additional testing needs being noted, the quantity of open defects, gaps in end-to-end test coverage, proximity to year-end change freeze windows for participants, risk likelihood ratings, and a lack of evidence of challenges to the risk rating or to go-live.
"Last November's market outage fell short of ASX's high standards," ASX MD and CEO Dominic Stevens said on Monday. "We believed that the software was ready for go-live, as did our technology provider Nasdaq. Clearly there were issues, which was particularly disappointing given the significant progress we have made on resilience in recent years."
IBM also concluded the project could have benefited from additional and independent scrutiny.
It determined there were gaps in the rigour applied to the project delivery risk and issue management process, such as opportunities to identify additional risks being missed, differences between project delivery risk templates and the enterprise delivery risk processes, the project not receiving risk resources with greater experience in technical projects that it would have benefitted from, and governance being shifted to a group that had a wide range of responsibilities.
"The shift diluted attention given to the project," IBM said.
The review found some positives, however, with IBM saying the ASX met or exceeded leading industry practices in 58 out of 75 of the capabilities assessed.
"We acknowledge the findings in the report. It's pleasing that ASX met or exceeded leading industry practices in most areas. But the report does point to some important areas for improvement and we will address all of its recommendations," Stevens added.
"ASX is well advanced in developing a detailed response plan for execution over the next 12 to 18 months, and we'll commission the independent expert to review our actions to meet its recommendations. Our delivery of this program of work will be under the oversight of ASIC and the RBA."
IBM said the project's business case development and project change management exceeded accepted practices; that the project was provided with, and had access to, sufficient financial, time, people, and technological resources at all stages of delivery to meet its objectives; that communications with key stakeholders were appropriately managed by the ASX, and said incident management actions taken by the exchange were appropriate.
The exchange in 2018 was asked to up its risk management practices following an "unprecedented" hardware failure in September 2016 that resulted in the outage of its equity market. According to ASIC, the actions taken by ASX during the 2020 incident were appropriate and reflected the lessons learned from the 2016 incident.
"ASX takes the resilience and reliability of its markets extremely seriously. That's why we immediately engaged with our regulators to commission this external review and will address all of its recommendations. It's also why we've already taken action to change our project delivery practices," Stevens continued.
"The changes we've made to our management structure are aligned to these objectives.
"Driving technological change is hard and creates transition risk. No market will operate without incidents or outages from time to time. Nevertheless, all outages are regrettable."
The regulators expect ASX to apply the insights from IBM's findings across the exchange to ensure existing and proposed projects, including the CHESS replacement program, are managed and implemented appropriately.
ASIC is also undertaking a separate investigation into the ASX Trade outage to determine whether ASX met its obligations under its Australian Market Licence.