Newsletter Jan 2003

News update 030120: January 2003

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
( Comments and feedback to Unsubscribe by sending an email to Newsletter archived at

In this issue:
1. Corporate risk management
2. Crime 1: fraud
3. Crime 2: logic bomb
4. FSA update
5. Outsourcing
6. Newsletter information

1. Corporate risk management

“Managing Risk to Enhance Stakeholder Value” is a report out from
the International Federation of Accountants and the Chartered
Institute of Management Accountants. It consists of articles by and
interviews with senior corporate executives (and a few consultants)
on a variety of topics related to risk management. The interviews
(about half the total number of articles) are very readable, and
provide some interesting quotes:

“Corporate governance has made risk management very topical, but
you cannot go through the risk management process for those
reasons. You have to do it because it helps the business.”
Bill Connell, BOC.

“Businesses now get killed off because of reputation risk. They
don’t get killed off because the fixed assets are wrong.”
James Duckworth, Unilever.

From the operational risk point of view, the interest lies mainly
in an interview with Kevin Hayes of Lehman Brothers on managing
business interruption, and an article by Robin Mathieson on dealing
with information risk. Overall, the emphasis is very much on large
corporations, but unlike many publications it really doesn’t have a
banking bias.

There is also a very comprehensive list of references and further

Report available at:

2. Crime 1: fraud

John Rusnak, the fraudster at Allied Irish Banks’ former US
subsidiary, Allfirst Financial, has been sentenced to seven and a
half years in prison and a $60,000 fine ($1,000 a month for five
years after his release). This sentence is longer than Nick
Leeson’s, and some commentators have said that this reflects a
tougher attitude to white collar crime. However, given that the two
rogue traders were sentenced under different jurisdictions (USA and
Singapore), it’s difficult to draw any conclusions on this one.

Moreover, it seems unlikely that the threat of longer prison
sentences is actually going to deter any potential
fraudsters. After all, how many of them carry out a rigorous risk
analysis in advance, weighing up the potential profits against the
probability and impact of getting caught?

As you may recall, the Ludwig report on the whole episode, released
back in March 2002, concluded that Rusnak planned the fraud
carefully and implemented it meticulously, but that Allfirst had
weak controls and poor risk management practices, in this area at
least. The net result was a loss of $691m to Allfirst. Some of this
may be genuine trading loss, but a large portion of it is surely a
loss due to operational risk.

The Ludwig report is available from:

FT report on the sentencing:

(If your mailer has broken these ridiculously long URLs into
several pieces, you may need to paste them back together again in
your browser address bar.)

3. Crime 2: logic bomb

On 17th December Roger Duronio, an ex-employee of UBS PaineWebber
in New Jersey, was charged with using a logic bomb to destroy files
on the financial services company’s network. The story goes that
Duronio, a systems administrator, was unhappy with his salary and
bonuses. He resigned from the company on February 22nd, and on
March 4th files on over 1,000 of PaineWebber’s computers were
destroyed. The total cost to the company was apparently over $3
million. Duronio is also accused of buying put options on the
parent company’s shares, expecting to make a profit when the news
of the computer problems became known, causing the share price to
fall. Apparently this bit didn’t work.

There are some interesting points about this story from an
operational risk point of view. First, as the Information Week
article referenced below points out, there comes a point where you
just have to trust people. Systems administrators are nearly always
beyond that point. It’s very rare for all the changes they make to
be checked by another person. There is a case to be made that this
shouldn’t be the case, at least for some of the things they do.

Second, the scale of the logic bomb (affecting 1,000 machines) was
probably due to the fact that Duronio was a systems administrator,
and had privileged access to servers and the network. However, a
spreadsheet user could easily wreak havoc on a smaller scale simply
by using VB code. I won’t go into the details for obvious reasons!
On the other hand, it is easy to put good control mechanisms in for
end user computing, such as spreadsheets or personal databases,
through standard development processes. It is good practice to have
all changes reviewed by somebody else anyway, in order to reduce
the chance of bugs.

Third, as I mentioned in the context of the Rusnak story in item 2,
the threat of a prison sentence probably isn’t going to deter this
sort of behaviour. Good risk management controls can make it a lot
less likely, though.

Information Week article:

Press release:

4. FSA update

There’s a new Occasional Paper: Managing Risk: Practical lessons
from recent “failures” of EU insurers, available at It’s a fascinating
read. Although first impressions are usually that the causes of
failure are underwriting or reserving risk, deeper study almost
always implicates management failures, and often operational
risk. Big problems are caused by complex interactions between
risks, including causal links between different types of risk and
unexpected correlations.

The feedback to CP140 has been published, available at There are no material
changes to the text in CP140, but some drafting changes were made
in response to specific comments. The guidance will take effect
from 1st February 2003. For insurers, the effect is to add a new
guidance note, P.3, to the interim sourcebook. For Friendly
Societies and Lloyd’s, the effect is to add requirements to have
regard to the provisions of P.3.

P.3 covers systems and controls, including:
– High level controls
– Risk management
– Risk assessment function
– Legal risk
– Internal audit
– Management information
– Outsourcing
– Group risk

New consultation and discussion papers out this month:
CP161 Consultation on funding the Financial Ombudsman Service in
2003/2004 and exemptions from DISP
CP162 Financial Services Compensation Scheme Management Expenses
Levy Limit – Period: 1 April 2003 to 31 March 2004
CP163 The UCITS Management Directive – A Joint Consultation
CP164 Investment companies (including Investment trusts) –
Proposed changes to the Listing Rules and the Conduct of
Business Rules Changes to the Model Code
CP165 Miscellaneous amendments to the Handbook (No.6)

DP19 Options for regulating the sale of “simplified investment

Feedback published this month:
CP140 The Interim Prudential sourcebooks for Insurers and
Friendly Societies and the Lloyd’s sourcebook: Guidance
on Systems and controls
CP144 A new regulatory approach to insurance firms’ use of
financial engineering – proposed changes to the regulatory
returns for life insurers

DP11 Cross-sector risk transfers

Current consultations, with dates by which responses should be
received by the FSA, are listed at

5. Outsourcing

You may be able to outsource a function, but you can’t outsource
the responsibility. I outsourced the supply of my Christmas
presents this year; I fulfilled my side of the bargain, by ordering
before the last date specified on the web site (well, on the last
date to be strictly accurate), and made use of my outsourcer’s
information systems to track delivery. Imagine my surprise when I
was told that although the books hadn’t been dispatched yet, the
expected delivery date was two days in the past. I know Amazon is
technically advanced, but time travel is something else.

The moral of the story: you need to be able to trust all aspects of
the outsourcer’s services, including their information systems.

(And, luckily for me, the books did arrive on Christmas Eve, and
all my family are still speaking to me).

6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
( Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email To
unsubscribe, email All comments,
feedback and other queries to Archives