News update 2003-10: October 2003

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor

In this issue:
1. XLSior
2. Reputations
3. FSA update
4. Storm damage
5. Newsletter information

There’s a seminar on the risks of ignoring operational risk on
Thursday 27th November. Speakers are from RSA, HBOS, the BBA and
Unilever, and it’s chaired by John Sinclair, an actuary with many
years’ executive experience as former Group Executive Director, GRE.
As the blurb says: Operational Risk affects us all, not just
bankers. It’s vital to the management of risk and capital in the
businesses of Asset Managers, Life and General Insurers, Pensions Fund
management and Financial Services. For those thinking beyond the
minimum regulatory requirements, this morning’s seminar will provide
insight into current best practice and opportunities for implementing
improvements. Details are at

1. XLSior

I’ve just released XLSior, an Excel add-in that helps you develop
and test your spreadsheets, with automated testing, automated
documentation, easier manual documentation, sheet handling tools,
version control and auditable imports from other workbooks.
Essentially, it’s a tool that makes it much easier to do things the
right way, and should help cut the error rates in spreadsheets
at the same time as improving productivity.

One of the beta testers said “It’s a great system. It makes Excel
into a proper development tool; the automatic testing on save
feature is brilliant.”

Although there are a number of add-ins for spreadsheet auditing, to
my knowledge XLSior is the first to address the spreadsheet
development process. It’s described at Let
me know (by replying to this email) if you’d like a demonstration.

2. Reputations

There are often arguments in operational risk circles about whether
reputational risk is part of operational risk or not. Here are
three recent stories.

SunnComm developed a copy protection mechanism for CDs. A graduate
student at Princeton discovered that it could be bypassed by
keeping the shift key depressed when loading the CD. SunnComm
threatened to sue him under the Digital Millennium Copyright Act
(DMCA), and claimed he had damaged the company’s reputation by
publishing his results (the market value had dropped by more than
£10 million). There was a lot of publicity about this, and SunnComm
soon withdrew their threat. Undoubtedly SunnComm made a bad
situation worse through their handling of it. See for more details.

Barclays chief executive Matthew Barrett made the headlines when he
told a Commons select committee that he advised his children not to
borrow on credit cards because it was too expensive. The press
compared his admission to the famous episode in which Gerald Ratner
described the goods sold in his High Street shops as “crap”, and
his company’s value fell by £500 million. However, so far the
fallout for Barclays seems to have been minimal, possibly because
Barrett was only agreeing with what the financial press has been
saying for years. Also, Barclays is by no means the worst offender
when it comes to interest rates on credit cards. More details at,1456,1064581,00.html

My household has received several emails from banks recently,
claiming that they want to verify our email address. We are asked
to visit a web page and enter our user-name and password. We have
not rushed to do this for a number of reasons, one of which is that
we don’t have accounts with the banks in question. However, our
main reason is that the emails don’t actually come from the banks;
they are known as phishing emails and are used to dupe users out of
confidential information that can then be used to commit fraud.

The risks to consumers are obvious: what about the risks to the
banks? Well, phishing almost certainly affects consumers’
confidence in internet banking; if they don’t understand what is
happening, they will have a fairly low opinion of a bank that
thinks they are a customer when they are not; and they may even
lose business. Halifax has recently closed its online banking
facility as a direct result of the phishing emails. Other banks and
building societies who have been targeted include NatWest,
Barclays, Lloyds TSB and Nationwide. See

We can summarise the risk implications of the three stories as
follows. SunnComm suffered an operational loss due to bad handling
of reputational issues. Barclays was subject to the risk, but no
loss was suffered. Banks are subject to an operational risk (due to
external causes) which may or may not be connected with their

3. FSA update

The steady stream of consultation papers continues, although we
have been assured by John Tiner that there will be fewer in the

To me, one of the most interesting documents published recently is
not a consultation paper at all. “Review of UK insurers’ risk
management practices” is available at It is based
on a survey of 39 firms, broadly representative of the whole
industry but excluding bancassurers and the Lloyd’s market. The
state of risk management in the insurance industry is evidently a
bit of a curate’s egg: not all bad. Progress is being made, but
there are definite areas of concern, especially that risk
management systems are regarded as a compliance requirement, rather
than core business processes.

Many of the points made are consistent with those in “Building a
framework for operational risk management: the FSA’s observations”
which was published in July and is available at They are also
backed up by the admittedly less thorough survey that was conducted
by this year’s GIRO working party on operational risk, whose report
is now available at

New consultation and discussion papers out this month:

CP200 Regulation of long-term care insurance
CP201 Implementation of the Insurance Mediation Directive for
long-term insurance business
CP202 Insurance regulatory reporting: changes to the publicly
available annual return for insurers
CP203 Review of the listing regime
CP204 Financial groups

DP23 The FSA’s approach to implementing the Freedom of Information
Act 2000

Feedback published this month:

CP173 Amendments to the Interim Prudential sourcebook for
Investment Businesses chapter 5 rules on consolidated
CP177 Lloyd’s policyholders: Review of compensation arrangements
CP180 Fees for mortgage firms and insurance intermediaries
CP181 The Interim Prudential Sourcebooks for Insurers and Friendly
Societies: Implementation of the Solvency I Directives
(2002/12/EC and 2002/13/EC)
CP182 Proposed changes to the Listing Rules to take account of the
introduction of treasury shares

Current consultations, with dates by which responses should be
received by the FSA, are listed at

4. Storm damage

Operational risk includes the risk of loss due to external
events. So hold on to your hats as 10 billion tonnes of super-hot
gas speeds in our direction. In the past, episodes like this have
disrupted television broadcasts, automated cash machines and
airline tracking systems. They are known to affect mobile phones
and even wireless computer networks. This time, electric utilities,
airline communications and satellite navigation systems have all
been affected to a greater or lesser extent; for example, power
grid operators have seen the effects in their data, but so far have
not had problems.

It’s a truism to say that as we become more and more reliant on new
technologies, hitherto harmless events become more significant.

