Newsletter: issue 041028

News update 2004-10: October 2004
=================================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). 

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don't want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
   1. Spitzer risk
   2. Getting rid of risk
   3. FSA update
   4. You don't have to be a rocket scientist
   5. Newsletter information

===============
1. Spitzer risk

   There is a new component of operational risk: Spitzer risk, the
   risk that Eliot Spitzer will launch an investigation into your
   industry, attacking widely accepted ways of doing business. 

   A simplified summary of the current investigation: Some insurance
   brokers accept contingent commissions from the insurers with whom
   they place business. These are based on the volume of business they
   place with that insurer. The brokers therefore have an incentive
   to place business with insurers who offer these commissions, even
   if those insurers are not offering the best rates. Their interests
   are thus not fully aligned with those of their clients. Moreover,
   it is claimed that at least one broker asked insurers to submit
   dummy quotes, so that the quote that would earn the broker the
   contingent commission would appear to be the cheapest.

   The effects of Spitzer's investigation are being felt much more
   widely than the particular brokers against whom a suit has been
   filed. A number of firms have said that they will stop accepting
   contingent commissions. Share prices in brokers have fallen. Credit
   ratings have been cut. Share prices in some insurers have fallen,
   at least partly due to the fear that they will have to bear
   extensive legal costs. The scope of the investigation is
   broadening. 

   These effects aren't limited to the USA; insurance broking is a
   global business and there are fears that abuse may be present in
   the UK market as well. The FSA doesn't regulate insurance brokers
   until 1st of January; there is no indication yet as to whether it
   will launch an investigation in this country.

   Potential losses to individual firms from Spitzer risk include
   legal costs, potential fines, loss of revenue (no more juicy
   contingent commissions in this case), losses due to lower credit
   ratings and opportunity costs of spending management time on coping
   with the fall-out or on developing new business models. There may
   also be more general reputational damage. Many of these costs are
   incurred by firms that are not directly involved as well as those
   that are.

   How should firms manage Spitzer risk?  It's tricky. Once it
   happens, ie once Spitzer (or someone else) has launched an
   investigation into some aspect of your industry, or one closely
   connected with it, you should add it to your risk register and try
   to handle the fall-out as best you can. Hence those brokers who
   have said that they will stop accepting contingent
   commissions. Even in this case you have to be aware of the
   potentially widespread effects.

   But how do you identify a Spitzer risk before it happens? There you
   are, doing business in the normal way, just like everyone else in
   your industry: how can you tell if some part of normal business
   practice is likely to be considered worthy of investigation by a
   regulator? And not necessarily your own regulator, either. You
   really have to think outside the box. Is there any aspect of your
   business that you wouldn't like to have to explain and justify to a
   hostile journalist (or other interrogator)? Or any aspect that can
   be described as "just the way things are done", but isn't how you'd
   do it if you were starting from scratch?

   But it's very difficult to step back and see things as an
   outsider. And how can you tell which aspects somebody else might
   pick up on? It's all part of coping with a changing context. What
   was accepted 50 or even 20 years ago may not be acceptable now,
   with the increased emphasis on openness and transparency.
   
===============
2. Getting rid of risk

   Outsourcing, both explicit and implicit, will always be a source of
   risk. Sometimes you just don't have a choice of whether to
   outsource or not, but the risk is still there.

   For example, it's not really practical to compile your own real
   time market data. You have to use one of the major suppliers, such
   as Reuters. But that means you depend on them, and if something
   goes wrong you suffer. A couple of weeks ago a circuit breaker
   failed at the Reuters Global Technical Centre in London (GTC-L). It
   caused disruption to about 25% of the systems supported from the
   building riser that was affected. An hour or so after the
   first incident a second riser failed due to overloading, which
   meant that two of the four risers supporting GTC-L had lost
   power. The data feed was eventually down for about 10 hours. There
   was nothing that Reuters' customers could do about it.

   http://www.finextra.com/fullstory.asp?id=12678
   http://www.computerweekly.com/Article134316.htm
 
   There has been a steady stream of scare stories about the risks of
   outsourcing call centres offshore: operators offering unauthorised
   credit to customers, and criminal gangs organising operators to
   commit fraud against customers. Apparently some call centres are
   not fully complying with the Data Protection Act, either. 

   However, the firm that outsources the work is still the party that
   is subject to the Data Protection Act, as the Data Controller; the
   call centre is merely a Data Processor acting on its behalf, so it
   is the outsourcing firm's duty to ensure compliance, including by
   the contractual and security arrangements it imposes on the call
   centre. If there are problems, they will come home to roost with the
   outsourcing firm, either as specific losses or as reputational
   damage, and quite possibly both. You just can't get rid of the risk.

   http://tinyurl.com/3p2ln
   
   Here's another risk that you can't evade. Apparently many managers
   are worrying about the increasing use of instant messaging
   (IM). People use it to avoid the content filtering and monitoring
   that is applied to email, believing that it is exempt from
   compliance regulations such as Sarbanes-Oxley and Basel II. Of
   course it's not: it's a communication just as much as emails and
   telephone conversations are.

   Many companies have banned it, as a security and compliance risk,
   but the ban is extremely difficult to enforce. (From the technical
   point of view it's hard to distinguish IM traffic from other,
   authorised, web traffic: when their native ports are blocked, the
   common IM clients fall back to tunnelling over HTTP on port 80 or
   through the corporate web proxy, so the sessions look like ordinary
   browsing.)

   So whatever you do, you are still left with the risk. You ban IM,
   people use it, you run into compliance problems... it's no use
   saying "not my fault guv."

   http://news.zdnet.co.uk/internet/security/0,39020375,39170374,00.htm
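   Since a ban is only as good as your ability to see the traffic, the
   practical control is to look for IM sessions in the web proxy logs
   rather than to rely on the ban. The following is an added
   illustration, not code from the newsletter or from any product it
   mentions: it runs three heuristics over a constructed proxy log
   (the log layout, the IM gateway hostnames and the client port list
   are all assumptions for the example, not a vendor's format or a
   maintained threat feed).

```python
"""Flag proxy-log entries that look like instant messaging tunnelled over
HTTP.  Added example; the log layout, hostnames and ports are assumptions."""
import re
from collections import Counter

# Constructed sample log (assumed layout, one request per line):
#   client_ip user method host port path status
PROXY_LOG = """\
10.1.2.3 jsmith GET www.example.com 80 /index.html 200
10.1.2.3 jsmith CONNECT messenger.hotmail.com 1863 - 200
10.1.2.7 abrown POST gateway.messenger.hotmail.com 80 /gateway/gateway.dll?Action=open 200
10.1.2.7 abrown POST gateway.messenger.hotmail.com 80 /gateway/gateway.dll?Action=poll 200
10.1.2.9 cjones CONNECT login.oscar.aol.com 443 - 200
10.1.2.9 cjones GET news.example.org 80 /story/1 200
10.1.2.11 dlee CONNECT mail.example.com 443 - 200
10.1.2.13 efox CONNECT 203.0.113.5 5050 - 200
10.1.2.15 ghall CONNECT 198.51.100.9 8080 - 200
this line is malformed and must be skipped
"""

# Illustrative IM gateway domains (assumed list for the example).
IM_HOST_RE = re.compile(r"(^|\.)(messenger\.hotmail\.com|oscar\.aol\.com|msg\.yahoo\.com)$")
# Native client ports of the IM networks of the day (assumed list).
IM_PORTS = {1863, 5190, 5050}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, user, method, host, port, path, status = m.groups()
    return {"client": client, "user": user, "method": method,
            "host": host.lower(), "port": int(port), "path": path,
            "status": int(status)}


def classify(entry):
    """Return the reason an entry looks like IM, or None if it looks benign.
    Rules are ordered strongest first so each entry gets one reason."""
    if IM_HOST_RE.search(entry["host"]):
        return "known IM gateway host"
    if entry["method"] == "CONNECT" and entry["port"] in IM_PORTS:
        return "CONNECT to IM client port %d" % entry["port"]
    if entry["method"] == "CONNECT" and entry["port"] != 443:
        # A tunnel to anything other than HTTPS deserves a look; this is
        # the noisiest rule and is reported separately for that reason.
        return "CONNECT to non-TLS port %d" % entry["port"]
    return None


def flag_im_traffic(log_text):
    """Return the flagged entries, each annotated with its reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason is not None:
            flagged.append(dict(entry, reason=reason))
    return flagged


def users_by_flag_count(log_text):
    """How many suspicious requests each user made: who to talk to first."""
    return Counter(e["user"] for e in flag_im_traffic(log_text))


if __name__ == "__main__":
    for e in flag_im_traffic(PROXY_LOG):
        print("%-8s %-34s %5d  %s" % (e["user"], e["host"], e["port"], e["reason"]))
    print(users_by_flag_count(PROXY_LOG).most_common())
```

   The host rule is the one you would keep current; the port rules catch
   clients that tunnel through the proxy with CONNECT to their native
   ports, which is how a 2004-era client behaved when the firewall
   blocked it directly. Traffic that goes out on port 80 as ordinary
   POST requests to a gateway not on your list is exactly the case the
   newsletter describes as hard to distinguish, and the example cannot
   catch it without a hostname or a payload signature.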

===============
3. FSA update

   Back in December 2003 the FSA issued a Discussion Paper on fraud -
   DP26: Developing our policy on fraud and dishonesty. It is
   available at http://www.fsa.gov.uk/pubs/discussion/26/index.html.
   In a recent speech Philip Robinson outlined the conclusions that
   have been reached, and described the FSA's new approach, called
   Fighting Fraud in Partnership. The speech is available at
   http://www.fsa.gov.uk/pubs/speeches/sp208.html. 

   From a risk management point of view, fraud is a significant
   component of operational risk. Apart from the rare, high profile,
   high loss cases such as BCCI and Barings, there is a great deal of
   high frequency, low impact fraud.  The ABI estimates that fraud
   losses account for 3.7% of all insurance premiums, for example.

   Robinson said that firms are not taking fraud as seriously as they
   might. "But even when fraud mitigation is good business, it doesn't
   always follow that a firm will do it well. A project that we did
   recently on insurance claimant fraud threw this into sharp relief
   for me. In thirty small and medium-sized firms who responded to our
   survey, every £1 they spent on fraud prevention yielded £3.80 in
   savings; and yet fraud budgets were tight, with 71% of the firms
   having no earmarked fraud budget at all."

   New consultation and discussion papers out this month:
   -----------------------------------------------------

   CP04/15  Quarterly consultation (No. 2)
   CP04/16  The Listing Review and implementation of the Prospectus
            Directive - Draft rules and feedback on CP203 

   Feedback published this month:
   -----------------------------
 
   CP203    See CP04/16 above
   PS04/21  Regulatory fees relating to mortgage and insurance
            mediation regulation - Feedback on CP04/4 and CP04/9 and
            made text  

   Current consultations, with dates by which responses should be
   received by the FSA, are listed at
   http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. You don't have to be a rocket scientist

   Maybe you remember all the excitement back in September about the
   Genesis space probe, which was going to be grabbed by stunt pilots
   as it parachuted to earth. Unfortunately the parachutes didn't
   open.  We now know that the switches that were to trigger the
   parachute were installed upside down. It appears that the design
   drawings were faulty.

   http://www.newscientist.com/news/news.jsp?id=ns99996541

   This is a superb example of the principle that everything has to be
   right for things to work: in this case, the implementation was OK
   but the specification was wrong, so a build that faithfully followed
   the drawings still failed. This principle applies to financial
   models as well as spacecraft. I gave a talk at the GIRO conference
   (annual convention of general insurance actuaries in the UK) a
   couple of weeks ago about how to believe your models. The slides are
   available from http://www.louisepryor.com/show.do?page=articles.

   You may not have to be a rocket scientist to operate a fax machine,
   but it seems that being a lawyer isn't always good enough. A lawyer
   put a 100 page document in the fax machine the wrong way up,
   and so faxed 100 blank pages through to the destination. The
   document wasn't received by the deadline, and as a result an appeal
   succeeded against fines worth 100m euros.

   http://news.zdnet.co.uk/business/legal/0,39020651,39170375,00.htm

   A new version of the World Bank Technology Risk Checklist is
   out. From the introduction: "The World Bank Technology Risk
   Checklist is designed to provide Chief Information Security
   Officers (CISO), Chief Technology Officers (CTO), Chief Financial
   Officers (CFO), Directors, Risk Managers and Systems Administrators
   with a way of measuring and validating the level of security within
   a particular organization."

   It's available from
   http://www.infragard.net/library/pdfs/technologyrisklist.pdf
   Strangely, I haven't been able to track it down at the World Bank
   site. Maybe it's a fake. But it looks as if it may be useful,
   anyway.

===============
5. Newsletter information

   This newsletter is issued approximately monthly by Louise Pryor
   (http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
   rights reserved. You may distribute it in whole or in part as long
   as this notice is included. To subscribe, email
   news-subscribe@louisepryor.com. To unsubscribe, email
   news-unsubscribe@louisepryor.com. All comments, feedback and other
   queries to news-admin@louisepryor.com. Archives at
   http://www.louisepryor.com/newsArchive.do.