
Newsletter Jul 2003

News update 2003-07: July 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

Stop press
==========

Just as I was about to send this out, the FSA released “Building a
framework for operational risk management: the FSA’s observations –
Feedback on industry practice as we prepare to implement CP142”
available at http://www.fsa.gov.uk/pubs/policy/ps142_2/. The document
gives the results of a thematic review performed by the FSA. It
discusses issues firms consider as they establish operational risk
frameworks, and presents the FSA’s conclusions. It’s clearly essential
reading for everyone involved in operational risk.

In this issue:
1. Ganging a-gley
2. PDAs are dangerous
3. Counting the zeros
4. FSA update
5. Content filtering
6. Newsletter information

===============
1. Ganging a-gley

“the best laid schemes o’ mice an’ men, Gang aft a-gley” as Robert
Burns said in 1786. 217 years later, we can only agree. Recent
visitors to the web site of the Actuarial Profession at
www.actuaries.org.uk may have noticed messages from the Chief
Executive on the front page, one explaining that there were
problems with the web site and email, and then a few weeks later
one saying that everything was now working correctly. The problems
arose from major changes to the IT infrastructure.

Apparently it had become necessary to change operating systems. The
changes turned out to be both major and complex: there were all
sorts of interdependencies which meant that many things had to be
changed simultaneously. In the middle of all this, an unconnected
piece of hardware (which was due for replacement shortly anyway)
decided to give up the ghost. As part of the fallout email was
unreliable for some time, and didn’t function at all for a
period. Several communications to the members of the profession
were made by snail mail instead.

This type of problem is not unusual. It was possibly more visible
than it would have been in some organisations because the Actuarial
Profession has made good use of new technologies and relies on the
web and email for most of its communications with the membership.

It does remind us, though, that change of any sort is one of the
biggest causes of operational risk. It is often difficult to
predict the precise effects of any change; in addition, it is
extremely difficult to make full contingency plans for complex
changes. Unfortunately change eventually becomes necessary.

We all know that it is best to make several small changes instead
of one large one; to pilot the changes first; and to do the whole
thing in such a way that you can back out of the changes at any
stage. Unfortunately these things are often easier said than
done. Also, change tends to become more risky over time. Small
changes are made over an extended period, as performance is
tweaked, new functionality added, and so on. These small changes
tend to make use of what is there already, thus introducing further
interdependencies. As time goes on and interdependency creep takes
hold, the risks of a major change become all too apparent, so major
changes are put off and the interdependencies keep accumulating.
It’s all a vicious circle.

By the way, most of the points I’m making here are not specific to
IT systems, but apply to any systems or processes in the
organisation.

And finally, you can’t rely on just one thing going wrong at once
(see also the April issue of this newsletter, at
http://www.louisepryor.com/showNews.do?issue=030422). This is
especially true in IT, but applies elsewhere too. Remember that
Murphy was with Burns on this one.

===============
2. PDAs are dangerous

Last month I discussed two surveys that showed how dangerous life
is, bemoaning the lack of business continuity arrangements and
effective backups. The not entirely disinterested survey this month
was conducted on behalf of PointSec, a company that specialises in
protecting mobile devices.

According to the survey, a third of employees who have PDAs are
leaving sensitive information unprotected on them. (As usual, I
have only been able to find press reports of the survey, all
written from the same press release, so I don’t know what the real
results are). Many people use them to store business names
and addresses, bank account details, personal information,
passwords and PINs, and corporate information. Not only could a
thief or finder steal the owner’s identity, they could also pose a
real threat to the owner’s employer.

The press release is at
http://www.infosec.co.uk/page.cfm/Action=Press/PressID=4/t=m

Useful utilities for protecting confidential information on your
PDA are SplashID (www.splashdata.com, Palm OS only) and eWallet
(http://www.iliumsoft.com/site/ew/ewallet.htm, Palm OS and
Pocket PC).

===============
3. Counting the zeros

There were “wild market swings” on 3rd July when someone entered an
order to sell 10,000 contracts in Chicago Board of Trade e-mini Dow
Jones Industrial Average futures. Apparently people feared that
something dreadful such as a terrorist attack had happened, but in
fact it was simply an erroneous entry in the trading system. The
trader had intended to sell 100 contracts.

These “wrong big figure” quotes are reasonably frequent. There are
many contracts and trading agreements out there that mention them
specifically (do a search on the phrase to see examples). The
trouble is that it’s difficult to stop them happening. Make the
user confirm all their entries, and they get used to hitting enter
twice instead of once, so the error just goes straight
through. Don’t make them confirm, and the error just goes straight
through. The best answer is probably to be a bit intelligent about
it: ask for confirmation in special cases, when the volume, or
price, or other measure, is significantly different from the norm
for that trader, or that contract or stock, or for the market as a
whole. It’s more difficult to implement, but more likely to stop
the problem.

Apparently at the time this happened a contract was worth roughly
$45,000, so the sell order was worth about $450m instead of
$4.5m. Seems like quite a difference to me.

There’s a description of the incident at
http://news.morningstar.com/news/DJ/M07/D03/1057291261351.html
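As an added illustration (not code from the newsletter, nor from any exchange or trading platform), here is one way to implement the “be a bit intelligent about it” approach: a confirmation prompt is raised only when an order is an order of magnitude away from what is normal for that trader or that contract, or when its notional value crosses a hard limit. The order history, the 10x ratio limit, the $100m notional limit and the $45,000 contract value are assumptions made for the example (the last is the rough figure quoted above).

```python
"""Selective confirmation for order entry.

Added example, not code from the newsletter or from any exchange or
trading platform.  The order history, the 10x ratio limit, the $100m
notional limit and the $45,000 contract value are assumptions for the
illustration (the contract value is the rough figure the newsletter quotes).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import median

CONTRACT_VALUE_USD = 45_000   # assumed value of one e-mini Dow contract


@dataclass
class Order:
    trader: str
    contract: str
    side: str        # "buy" or "sell"
    quantity: int    # number of contracts (lots)


@dataclass
class Norms:
    """Recent order sizes; a real system would keep rolling statistics."""
    by_trader: dict[str, list[int]] = field(default_factory=dict)
    by_contract: dict[str, list[int]] = field(default_factory=dict)


def confirmation_reasons(order: Order, norms: Norms,
                         ratio_limit: float = 10.0,
                         notional_limit_usd: float = 100_000_000) -> list[str]:
    """Return the reasons this order should be confirmed; an empty list
    means it can be accepted without a prompt.

    An extra or missing zero is an order-of-magnitude error, so the size
    checks compare ratios against the typical size, in both directions.
    """
    reasons: list[str] = []
    histories = (("trader", norms.by_trader.get(order.trader, [])),
                 ("contract", norms.by_contract.get(order.contract, [])))
    for label, history in histories:
        if not history:
            continue   # no norm yet: nothing to compare against
        typical = median(history)
        ratio = order.quantity / typical
        if ratio >= ratio_limit or ratio <= 1 / ratio_limit:
            reasons.append(
                f"{order.quantity} lots is {ratio:.3g}x the usual size "
                f"for this {label} (about {typical:.0f})")
    notional = order.quantity * CONTRACT_VALUE_USD
    if notional >= notional_limit_usd:
        reasons.append(
            f"notional ${notional:,.0f} exceeds the "
            f"${notional_limit_usd:,.0f} confirmation limit")
    return reasons


def submit(order: Order, norms: Norms, confirmed: bool = False) -> str:
    """Accept routine orders silently; hold unusual ones until confirmed."""
    reasons = confirmation_reasons(order, norms)
    if reasons and not confirmed:
        return "needs confirmation: " + "; ".join(reasons)
    return "accepted"


if __name__ == "__main__":
    # Constructed history: this trader usually deals in about 100 lots.
    norms = Norms(by_trader={"t1": [100, 120, 80, 100, 90]},
                  by_contract={"YM": [50, 200, 100, 150, 120]})
    print(submit(Order("t1", "YM", "sell", 100), norms))
    print(submit(Order("t1", "YM", "sell", 10_000), norms))
```

Run with the 3rd July figures, the 100-lot order is accepted silently while the 10,000-lot order comes back with three separate reasons for a prompt. Because the prompt only ever appears for an unusual order, the trader has no chance to get into the habit of hitting enter twice.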

===============
4. FSA update

John Tiner is to be the new Chief Executive at the FSA. He was not
by any means considered an outsider for the post, and on the whole
his appointment was welcomed. There is likely to be some internal
reorganisation after he takes over in September, but no radical
overhaul of the way that the FSA approaches its duties.

CP190, the long awaited consultation paper on capital requirements
for non-life insurers, has been released at last. It’s long, so few
people will yet have had time to digest it fully. I was
particularly interested in the discussion of the ICG (Individual
Capital Guidance). Basically, firms will be expected to calculate
their ECR (Enhanced Capital Requirement), learn a whole new set of
TLAs (Three Letter Acronyms), and assess their capital requirements
in the light of both their calculated ECR and how their individual
risk profile differs from that used in the ECR calculations. The
ICG will be guidance from the FSA on this, and will be consistent
with the Arrow risk assessments. It looks as if there will be a
real incentive to have a robust and workable risk management
framework.

This is all consistent with the FSA’s stated aim of getting better
risk awareness and management amongst senior managers. The FSA also
say that the current rate of failure through insolvency is too
high, and that higher levels of capital should help to cut the
rate. The implication is that better risk management practices
should also reduce insolvencies, a theory that is borne out by the
paper on insurance company failures issued late last year (see
http://www.louisepryor.com/showNews.do?issue=030120 and
http://www.fsa.gov.uk/pubs/occpapers/op20.pdf).

The FSA has recently conducted a review of liability insurers,
during the course of which they identified a number of good
practice indicators. Showing every sign of extreme consistency, a
number of these are to do with the insurer encouraging good risk
management practices in their policy holders.

New consultation and discussion papers out this month:
-----------------------------------------------------

CP187 Insurance selling and administration & other miscellaneous
amendments
CP188 Clarification and revision of financial promotion Rules and
Guidance
CP189 Report and first consultation on the implementation of the
new Basel and EU Capital Adequacy Standards
CP190 Enhanced capital requirements and individual capital
assessments for non-life insurers

Feedback published this month:
-----------------------------

CP136 Individual capital adequacy standards
CP143 Integrated Prudential sourcebook – Feedback on chapters of
CP97 applicable to insurance firms and supplementary
consultation
CP153 Alternative trading systems
CP157 Examination Framework for Retail Financial Services
CP160 Insurance selling and administration – the FSA’s
high-level approach to regulation
CP165 Miscellaneous amendments to the Handbook (No.6)
CP167 With-profits governance and the role of actuaries in life
insurers
CP175 Miscellaneous amendments to the Handbook (No. 7)

DP19 Options for regulating the sale of “simplified investment
products”

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Content filtering

Last month I discussed the dangers of some viruses and fake viruses
that are currently doing the rounds. Some readers failed to receive
the benefit of my wisdom because their firewalls refused to let the
email through, thinking it might be dangerous. This happened
because they use “content filtering”: blocking emails that contain
certain content, usually words that are generally associated with
spam or snippets of text that are contained in undesirable
emails. The last issue contained the word j d b g m g r, and this
was enough to trigger blocking at a number of sites.

It’s difficult to know exactly, but there were at least 6 domains
that blocked the email completely, and another 2 or 3 that delayed
delivery (presumably it had to be checked out by hand). This is out
of a total of about 90 domains that the newsletter is delivered
to. There may have been more delivery failures that I never found
out about. The issue is available in full on the web site at
http://www.louisepryor.com/showNews.do?issue=030626 if you missed
it.

In this case there was no real harm done by content filtering, but
in general it is not a good idea, as its hit rate on innocent email
can be too high. Given any word or phrase that might be filtered on
(pick any body part that only 50% of people have, for example) and
it is possible to come up with an example of a totally legitimate
email containing that word. Admittedly content filtering is more
reliable in a corporate context than it is for general service
providers such as ISPs, but there are still many exceptions. My
last newsletter was, I like to think, one of them.
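As an added illustration (not code from the newsletter, nor from any of the gateways mentioned), here are two toy filters run over constructed sample traffic: the pure word-list rule, and one that lets a suspicious word count against a message only when it arrives with something that could actually do harm, holding bare executables for a human to look at, as some of the affected sites did. The sample messages, the word list and the decision rules are assumptions made for the example; a real gateway would also sit behind a proper virus scanner.

```python
"""Word-list content filtering beside a filter that weighs the evidence.

Added example, not code from the newsletter or from any mail gateway.
The messages, the word list and the decision rules are constructed for
the illustration; a real gateway would sit behind a proper virus scanner.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Words associated with hoax virus warnings.  The newsletter that was
# blocked merely mentioned the first one; it is spelled out plainly here.
HOAX_WORDS = {"jdbgmgr"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def _mentions_hoax(msg: Message) -> bool:
    text = (msg.subject + " " + msg.body).lower()
    return any(word in text for word in HOAX_WORDS)


def _executables(msg: Message) -> list[str]:
    return [a for a in msg.attachments
            if os.path.splitext(a)[1].lower() in EXECUTABLE_EXTS]


def keyword_filter(msg: Message) -> str:
    """The blunt rule: any mention of a listed word blocks the mail."""
    return "block" if _mentions_hoax(msg) else "deliver"


def evidence_filter(msg: Message) -> str:
    """Block only when the suspicious word travels with something that can
    do harm; hold bare executables for a human; let mere mentions through."""
    exes = _executables(msg)
    if exes and _mentions_hoax(msg):
        return "block"          # the hoax and its payload in one mail
    if exes:
        return "quarantine"     # unexpected executable: check by hand
    return "deliver"            # text alone cannot infect anyone


# Constructed sample traffic (assumed senders and content).
SAMPLES = {
    "newsletter": Message("news@example.org", "News update 2003-06",
                          "Do not fall for the jdbgmgr hoax: the file is a "
                          "normal part of Windows.", []),
    "hoax_with_payload": Message("friend@example.net", "FW: URGENT virus!!!",
                                 "Search for jdbgmgr.exe and delete it, "
                                 "see attached.", ["jdbgmgr.exe"]),
    "stray_executable": Message("someone@example.com", "photo",
                                "Look at this", ["photo.jpg.scr"]),
    "report": Message("colleague@example.com", "Q2 figures",
                      "Report attached.", ["q2.pdf"]),
}


def compare(samples=SAMPLES) -> dict[str, tuple[str, str]]:
    """Decision of each filter per message: (keyword, evidence)."""
    return {name: (keyword_filter(m), evidence_filter(m))
            for name, m in samples.items()}


if __name__ == "__main__":
    for name, (naive, better) in compare().items():
        print(f"{name:18} keyword filter: {naive:10} evidence filter: {better}")
```

On the constructed traffic the keyword filter blocks the newsletter yet delivers the stray screensaver, while the evidence filter delivers the newsletter, quarantines the screensaver and blocks only the mail that carries both the hoax text and an executable. The word itself is never evidence of anything; what it arrives with is.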

I had some interesting correspondence with the support staff at
some of the affected domains: some were extremely helpful and
friendly, but had no easy way of overriding the block, others were
more complacent. For example, one said “We screen for viruses and
hoaxes and are authoritative for our internal users – any other virus
related communications are potential social engineering attacks,
and are filtered at the internet mail gateways.” In other words, in
this organisation the internal users are kept in ignorance of the
exact nature of the threats. I believe this is a high risk
policy. It will work so long as their filtering at internet mail
gateways is totally effective, and is always updated before a
potential threat arrives. It will not work if there is any way of
getting round the protection; for example, taking a laptop home and
using it to read email from a personal mail account. To my mind,
informed users are more likely to be safe users.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.