News update 2004-03: March 2004
===================
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).
Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.
In this issue:
1. What happened next
2. Believing your results
3. FSA update
4. Fit for purpose
5. Newsletter information
===============
1. What happened next
Back in January we heard that rogue traders had caused a loss of
A$360m at National Bank of Australia (NAB). At the time, it wasn’t
clear exactly what had gone wrong (see my January newsletter at
http://www.louisepryor.com/showNews.do?issue=040128). Much more is
known now that PWC have issued a report on the whole episode.
One of the contributory factors was a weakness in NAB’s
controls. The bank closed out its book for the previous day at
about 8am, but the process of checking transactions did not begin
until 9am. The traders could reverse the false transactions during
this one-hour period.
However, a more serious failing was the culture of “arrogance” at
the bank. Bad news was kept from the board and senior management,
while warnings from competitors and the regulator about unusual
transactions had met with an “aggressive” response from NAB. The
manager of the four rogue traders knew they had breached their
limits but failed to take action. The PWC report says that
irregularities started in 2001.
The four traders concerned have been dismissed, as has their
immediate manager (who was said to be “asleep at the wheel”). Three
more senior managers have also left the bank, including the head of
risk. They weren’t directly involved, “but it happened on their
watch”.
As NAB’s new CEO said, someone in management should have noticed
when a business unit budgeted to earn a profit of $37 million a
year claimed to have made $42 million in a day. If something seems
too good to be true, it probably is.
http://www.theage.com.au/articles/2004/03/12/1078594562304.html
http://www.smh.com.au/articles/2004/03/12/1078594564982.html
===============
2. Believing your results
Complex actuarial models are increasingly prevalent in both life
and general insurance companies. However, it is not enough simply
to have these models and use their results: you must also have
confidence in the results, and be able to justify your
confidence. The FSA’s emphasis on systems and controls and the
effects of Sarbanes-Oxley are making themselves felt.
So, do you believe the results of your models? And if so, why?
Unless you are trusting in blind faith, you should be relying on
the following:
– The model specifications are explicit and have been approved by
the relevant people. If you don’t know what your model is meant
to be doing, you can’t tell if it’s right.
– The model implementation has been thoroughly reviewed and tested
against the specification. Testing is bound to uncover errors,
which with any luck can be fixed, so you must also have a system
of change tracking and version control, so you can tell which
version of the model you are using.
– Garbage in, garbage out is a truism but none the less valid for
that. You should take as much care over the data and assumptions
that feed into the model as you should over the model itself.
Again, some sort of version control is often necessary.
– Finally, you need to be able to trace any results back to the
actual version of the model, data and assumptions that were used
to produce them. The process of actually running the model must
have a good audit trail.
You should bear these issues in mind whatever the size and
complexity of the model concerned, though obviously the
sophistication of the processes you use will vary with the
significance of the results. And by model, I mean anything from a
single sheet spreadsheet through to a major piece of software.
If you’d like more information on this topic please let me know.
===============
3. FSA update
A few more CPs this month, but those FSA folk have been speaking a
lot! See http://www.fsa.gov.uk/pubs/speeches/index-2004.html for
some of the texts. The publication of the Penrose report and
realistic reporting for life insurance have been in the news a lot
recently, and not surprisingly a number of the speeches refer to
these issues.
New consultation and discussion papers out this month:
------------------------------------------------------
CP04/3 Reforming Polarisation: A menu for being open with consumers
– Including feedback on CP166
CP04/4 Mortgage firms and Insurance intermediaries: Funding of the
Ombudsman and Compensation schemes
CP04/5 Miscellaneous amendments to the Handbook (No. 13)
Feedback published this month:
------------------------------
PS04/4 The FSA’s approach to implementing the Freedom of
Information Act 2000 – Feedback to DP23 and our final
publication scheme
PS04/6 Conflicts of interest in investment research – Feedback on
CP205 and made Handbook text
PS04/7 The CIS sourcebook – A new approach – Feedback on CP185 and
made text
Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html
===============
4. Fit for purpose
Sometimes you’d think that special purpose software would be more
suitable than off the shelf. And sometimes it seems that good
old-fashioned non-electronic technology would be just the
job. Apparently the hotel at One Aldwych in London has a fancy
computer-controlled toilet system. The system failed recently, and
whenever any of the guests wanted to use any bathroom facilities
(toilet or shower) they had to be escorted to the corporate
headquarters in the building next door. The failure lasted for a
couple of days. The control system was based on Windows.
http://catless.ncl.ac.uk/Risks/23.20.html#subj2.1
And sometimes the problem isn’t the technology, it’s the
people. There has recently been another explosion in the volume of
spam sent out by computer worms. Many worms rely on the user
opening a mail attachment to make them work. Surprisingly, even
after all the publicity, it appears that many people still click on
attachments that they aren’t expecting from people that they don’t
know. The newest worms try to get round anti-virus software by
zipping the attachment up and password protecting it. The user then
has to unzip it using the password supplied in the accompanying
mail message. Apparently there are enough people around who will go
to all that trouble to do the worm’s work for it.
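
A mail gateway cannot scan inside a password-protected archive, but it
can see that the archive is encrypted and that the message body hands
over a password. The check below is an added example, not part of the
original newsletter; the sample message is constructed, and its zip
headers are patched to carry the encryption flag because Python's
zipfile module cannot write encrypted archives.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage


def encrypted_members(blob):
    """Names of zip members with general-purpose flag bit 0 (encrypted) set."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def triage(raw):
    """Report encrypted zip attachments and whether the body mentions a password."""
    body, findings = "", []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename() is None and part.get_content_type() == "text/plain":
            body += payload.decode("utf-8", "replace")
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            members = encrypted_members(payload)
            if members:
                findings.append((part.get_filename(), members))
    mentions = bool(re.search(r"\bpass(word|code|phrase)?\b", body, re.I))
    return {"encrypted_zips": findings, "password_in_body": mentions}


def sample_message(encrypted=True):
    """Constructed sample mail; the zip headers are patched to look encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("document.txt", date_time=(2004, 3, 1, 0, 0, 0))
        zf.writestr(info, "constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits 6 bytes into the local header, 8 into the central one.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.index(signature) + offset] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("The password for the archive is 12345.")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(sample_message()))
```
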
I have often heard software developers say something along the
lines of “Surely no user would ever … ” do something incredibly
stupid. Good software designers and developers have learnt never to
underestimate the potential carelessness or lack of knowledge of
users. It’s Murphy’s law writ large.
Just to hammer the point home, this applies to spreadsheets too; if
it is possible for a user to misunderstand the purpose of a
parameter or to run a macro under the wrong circumstances, it is
bound to happen sooner or later. And yes, it will probably be
sooner.
===============
5. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.