Four questions every Nigerian bank board should ask before approving a core migration - Businessday NG

Before a Nigerian bank board approves a core system migration, four questions can predict whether the programme will deliver zero downtime or trigger a regulatory event. Most boards approve migrations without asking any of them.

That is the gap the CBN’s Risk-Based Cybersecurity Framework has made visible. Since the framework came into force on 1 July 2024, unplanned IT outages in regulated institutions are reportable to the CBN within 24 hours, surface in the quarterly board cyber risk return, and feed the annual self-assessment due 28 February. The framework did not invent the operational risk. It changed who answers for it.

The cost of approving migrations without those four questions is documented. In Q4 2024, three Nigerian banks attempted core migrations in the same fortnight. Zenith Bank lost service for more than 48 hours during its Phoenix-to-Oracle Flexcube cutover. GTBank’s move to Finacle disrupted 32.8 million customers for close to ten days; federal government workers banking with GTBank received their October salaries the following month. Sterling Bank kept more than three million customers out of every banking channel for at least five days. Access Bank, scheduled to upgrade in the same fortnight, postponed and did not appear in the press cycle that followed. The difference was governance discipline at the point of approval.