Newsletter Feb 2003

News update 2003-02: February 2003

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
( Comments and feedback to Unsubscribe by sending an email to Newsletter archived at

In this issue:
1. Business continuity 1: GAO report
2. Business continuity 2: FSA and tripartite web site
3. Worms and patches
4. FSA update
5. Business continuity 3: Testing
6. Newsletter information

1. Business continuity 1: GAO report

Just the other week the GAO released a report entitled “Potential
Terrorist Attacks: Additional Actions Needed to Better Prepare
Critical Financial Market Participants”. The GAO is the United
States General Accounting Office, and is the investigative arm of

The report is a very interesting read. It analyses the effects of
the World Trade Center attacks, and describes the steps that were
taken to resume normal operations in the financial markets
afterwards. It then presents the results of a review of the
business continuity plans of 15 organisations that undertake
trading or clearing. Although many lessons were learned from the
WTC attacks, some of them have not been taken to heart: in a number
of cases, backup sites are close to the sites they would replace,
and the problem of non-availability of key staff has not been

Some of the specific points in the report are irrelevant to
organisations whose business is not in trading or clearing, but
many of the lessons are more general and are useful to everyone.

The GAO report is available at

2. Business continuity 2: FSA and tripartite web site

Coincidentally, the same week also saw the second Annual Conference
for Business Continuity and Disaster Recovery in the Financial
Services Sector. One of the speakers was Michael Foot, of the
FSA. He emphasised the importance of business continuity
arrangements, both for the continuing operations of trading and
clearing and for individual firms. The press release describing
Michael Foot’s remarks is at

There are two sources of guidance from the FSA on business
continuity. CP142, Operational risk systems and controls, was
issued in July 2002, with comments due by 31 October 2002. The
response to the consultation is expected in a few weeks. CP142 is

The FSA, together with the Bank of England and HM Treasury, are
joint sponsors of the tripartite web site on on UK Financial Sector
Continuity planning, at The site
includes an FSA report: A Review of Business Continuity Management
in Major Financial Groups Post 11 September 2001. It was published
in September 2002.

Some of the points in this report reflect general themes of the
FSA’s risk-based approach to regulation. It is always important to
remember that the risks that the FSA has in mind are the risks to
its objectives (RTOs). In this case, the objectives under threat
are those referring to market confidence and consumer
protection. The FSA is not worried by business failure as such,
unless its objectives are threatened. This means that their
guidance should not be seen as comprehensive.

Another theme that emerges strongly is the need for senior
management to take responsibility. We see this over and over again
in reports and guidance issued by the FSA, and it’s an issue that
should be taken seriously.

From my point of view it was interesting to see specific questions
in the review about whether and how critical bespoke applications/
spreadsheets/databases are identified and included in IT disaster
recovery plans. Given the number of mission-critical functions that
use spreadsheets and other user-developed systems, this is clearly
vital. It should also be considered as part of the regular back-up

One of the most useful parts of the report is the BCM risk matrix
on pages 17 to 32. It summarises the critical issues and risk
factors, together with observed standard and good practice.

And, finally on this topic, the FSA’s report on the Financial Risk
Outlook for 2003 identifies the threat of a major terrorist attack
on London or another financial centre, and the need for firms to
have adequate business continuity arrangements in place, as a
priority risk. The report was issued in January 2003, and is at

3. Worms and patches

If you were trying to surf the web at any time during the last
weekend in January you may have found the process unbearably
slow. This was because of a computer worm (or virus; descriptions
vary) that attacked a Microsoft SQLServer vulnerability. The
vulnerability was not new, and Microsoft had already issued a patch
for it. Ironically, some of Microsoft’s own servers were affected
by the worm; they hadn’t installed the patch.

The issue of software patches is an important one. First, it’s
difficult to keep on top of all the patches that are
released. Second, it’s often a painful process installing
them. They may have poor documentation and confusing instructions,
and there are often complex rules about whether the patch is
applicable or not. Third, sometimes installing a patch can stop
other things working.

So saying “we released a patch; we’re not to blame” is not
enough. Better not to have the problem in the first place than to
patch it later.

By the way, this applies at the more lowly level of spreadsheets
and other user-developed software too. Keep the bugs out in the
first place; don’t rely on issuing revised versions and expecting
all the users to update. They won’t.

4. FSA update

The FSA has announced that it intends to review all insurance
companies (with the exception of low impact firms) by the end of
March 2003. This is an acceleration of the timetable. In many cases
this will be a desk-based review; in other words, no-one from the
FSA will actually visit the firm under review, but they will sit at
their desks and ask for information. This is all part of the
general worry about insurance companies at the moment, because of
the “particular stress” they are under as a result of the current
market conditions.

The announcement refers to a new document, “The firm risk
assessment framework”, that was published only a week later. This
is essential reading for anyone who will be involved in a review by
the FSA. It describes how the review process works, with plenty of
helpful examples. This is the latest document in the “Building the
new Regulator series”, and builds on and clarifies the earlier
documents in the series. It is available at See also for a brief
description of the ARROW risk assessment framework.

New consultation and discussion papers out this month:

CP166 Reforming Polarisation: Removing the barriers to choice –
Including feedback on CP121
CP167 With-profits governance, the role of actuaries in life
insurers, and certification of insurance returns
CP168 Fees 2003/4
CP169 Professional Indemnity Insurance for personal investment
firms – consultation on rule changes; and discussion of
other policy options
CP170 Informing consumers: product disclosure at the point of
CP171 Conflicts of Interest: Investment Research and Issues
of Securities

DP20 Issues for with-profits business arising from the Sandler

Feedback published this month:

CP138 Disclosure of status under the Financial Services and
Markets Act 2000 and use of the FSA logo
CP158 Mortgage endowment complaints: Changes to time limits for
making a complaint

DP14 Review of the Listing Regime

Current consultations, with dates by which responses should be
received by the FSA, are listed at

5. Business continuity 3: Testing

Of course it’s not only in cases of huge natural disasters that
business continuity becomes an issue. Minor natural glitches play
their part too, and the recent snow in the South East provided some
real life testing for some people. The main problem, apparently
(there were no problems in Edinburgh, but then there was no snow
either), was that the roads and railways weren’t working. In any
large scale disaster this is likely to be a problem too (see the
GAO report referred to in item 1). The FSA report discussed in item
2 stresses the importance of testing business continuity plans.

One of my informants used the opportunity to check out the
contingency plan of working at home. He told me that the vital
facilities were: a high speed internet connection so he could read
his email, a speaker phone or headset for those phone meetings, and
a good hill with plenty of snow for the toboggan. Most financial
institutions would probably agree on the need for first two.

State Street has recently announced that it is locating its
European disaster recovery site here in Edinburgh, presumably
because of the lack of snow.

6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
( Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email To
unsubscribe, email All comments,
feedback and other queries to Archives


Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.