Your App Is The Bank


Two banks run on the same cloud, the same vendors, the same regulators. One ships forty times a day without incident. The other takes its homepage down at 2 a.m. on a Tuesday and cannot explain why for fourteen hours.

What does the first one know?

Slow is not safe

You probably think moving slowly keeps regulated software safe. A decade of data from 39,000 engineers says the opposite.

The DORA research behind Accelerate shows that teams shipping small reversible batches daily post both higher stability AND fewer incidents than teams shipping quarterly. Slow is not safe. Slow is just slow, with more surface area for things to break.

Regulators moved the goalposts

Under the EU's Digital Operational Resilience Act (in force 17 January 2025) and the UK's Critical Third Parties regime (PS16/24, effective 1 January 2025), supervisors now expect to see traceable pipelines, not thick approval binders.

Policy documents are not the control. The pipeline is the control. Incident reporting windows in 2026 are now measured in minutes & hours.

The numbers that belong on your board deck

75%. Engineers using AI for at least one daily task, per Google Cloud's 2024 DORA Report. 39% do not trust what it produces. Stability has already dropped 7.2% where AI inflated batch sizes.

AI code is already in your production systems whether you sanctioned it or not. The only open question is whether it meets a standard your auditors can defend. Note that AI simply SCALES what your team members already know. 0 x AI is still 0. The biggest challenge with leveraging AI today is that people assume they can simply opine or use AI to decide on domains they do not understand. This can cause grave issues in organizations where both sides do not fully understand the domains they're working on.

What the leaders actually do

Picture a head of engineering at a mid-sized UK bank, watching the Capital One outage trend on LinkedIn while her own pager stays quiet. She knows what her board does not. Her payments pipeline has single points of failure. Compliance signed off because the documents looked fine.

A year earlier, she had started the unglamorous work. Small reversible releases. Feature flags. Observability dashboards that page engineers before customers tweet. Architecture Decision Records captured as rationale, not ritual.

When the next vendor power cut hits, her team rolls forward while the other bank writes the incident report.

The eight capabilities, one system

Shape and Build: Plan, Design, Code, Build.

Ship and Run: Test, Release, Observe, Operate.

The institutions pulling ahead treat these as one connected chain. The ones in the outage roundups are still optimising each box in isolation.

What Engineering, Product & Design must be able to do
What Good Practices Look Like

If you remember nothing else

Your app is your bank. Break one link, break the chain. DORA is the floor. Capability is the ceiling. The decade of competitive advantage ahead lives in the gap between the two, plus the implementation of a product discipline (over a project discipline). If you're not familiar with Products Over Projects, I would recommend the following article, which provides an excellent overview: Products Over Projects.

Written by

Atahan Yuceer

Principal Consultant

Delivery consultant and software engineer helping Canadian banks modernize their technology practices.
