In this issue:
1. Corporate culture and dominance
2. Passwords
3. FSA update
4. Fraud
5. Newsletter information

1. Corporate culture and dominance

Another month, another report on a large corporation drawing
attention to shortcomings in its corporate culture. Last month it
was NAB; this month it’s Shell. The details are different, of
course, which just goes to show how many different things it is
possible to get wrong. In Shell’s case, there was an over-dominant
chief executive as well as a poor culture of compliance. The report
was prepared by Davis Polk & Wardwell for Shell’s Group Audit
Committee. The executive summary and recommendations are now
publicly available from the Shell web site through

It all makes interesting reading. If you treat it as referring to
the reserves of an insurance company it stays interesting, and much
of it remains relevant. There are some obvious changes: substitute
FSA for SEC for example, and don’t take too much notice of the
units involved (boe, or barrels of oil equivalent). But some useful
points emerge.

As far as regulations and guidelines are concerned, everybody
concerned needs to know what they should be complying with and how
they should do it. Also, documentation is vital.

“… not only were the Shell Guidelines non-compliant with the
SEC’s proved reserve definitions in key areas, but even
assuming they had been compliant, they lacked clarity
necessary to facilitate compliance…”

“Several control failures could be attributed to the short
tenure of certain individuals in key functions. … upon
rotation, complete and detailed handover notes should form the
basis for a formal transfer. ”

It’s important that there are clear lines of responsibility, and
that they go right up to the top.

“evidence of diminished responsibility for line reporting of
reserves figures, especially in joint ventures where the SEC
definition of proved reserves was not important to local

No details are given of the methodology used to derive the reserve
estimates, but we can assume that some sort of model is used. It
must presumably estimate the amount of oil in the ground, future
economic conditions and costs of extraction. However, “Reserve
reporting and the booking of reserves are viewed as much an art as
a science.” So it may well be that the final figures are based on
model results rather than being directly from the models; we just
can’t tell. In any case, you can usually get pretty much any result
you want out of a model by adjusting the assumptions. This is the
classic GIGO (garbage in, garbage out) syndrome: you should only
believe the results of a model if you have confidence in the inputs
and in the calculations that are performed.

2. Passwords

Would you tell someone your corporate password in exchange for a
bar of chocolate? 122 people out of the 172 recently surveyed at
Liverpool Street station did (that’s 71%). That’s 122 people who
really should have known better (apparently about half of them did
require some persuasion, but not much: the interviewer commented
that it was probably the name of their child or pet).

In fact, if you are going to tell your password to anyone, a market
researcher is probably pretty safe. We aren’t given the details,
but the risk certainly depends on whether the recipient of the
information knows your name and where you work. Also, we don’t know
how many of the people gave false passwords in order to get the
chocolate (we aren’t told what type of chocolate, or how big the
bar was, either).

But you really should keep your password to yourself. The survey
provides anecdotal evidence of how insecure many passwords are. The
best story is probably the following:

“One interviewee said, ‘I work in a financial call centre,
our password changes daily, but I do not have a problem
remembering it as it is written on the board so that every
one can see it.’ ‘What everyone?’ our stunned researcher
asked. ‘Yes, although I think they rub it off before the
cleaners arrive,’ replied the worker.”

It’s clear that many people find it difficult to keep track of all
the passwords they need. If you have passwords for several
different systems, and have to change them all monthly, the number
soon mounts up, without even considering all those pesky
web sites. Some people get round the problem by using the same
password for everything. Others write them down, even on sticky
notes attached to their screens. Many people choose passwords that
are easy to remember, even though they may also be easy to guess.

If you’re wondering how you should choose your passwords, here are
some tips:

– Longer is on the whole safer, but you have to trade off safety
against actually being able to remember it.

– Words that are in the dictionary are bad. People’s names are
bad. Including mixed case, numbers, and punctuation marks is

– You could try interleaving two words. Basing a password on my
name would give lPoRuYiOsRe for example. I don’t find this type
of password very easy to get right when typing it in, and you
certainly shouldn’t base it on anything as obvious as your own

– Try using the initial letters of a phrase. Basing your password
on a famous soliloquy would give tbontbtitq. You shouldn’t choose
anything that obvious, and it’s good to put some of the letters
in upper case and add in some numbers.

– Use a password generator. There are a number available on the
web, or as software for your machine. They usually let you choose
what characters should be included (eg a-z, A-Z, 0-9, punctuation
marks), the length of the password and whether it should be
pronounceable (and hence easier to remember).

– If you have to change your password regularly, use some kind of
system. But don’t make it as obvious as the one cited in the
survey: “I use my wife’s name and add the current month.” At
least put the month in the middle of the name, but even better
come up with something a bit more sophisticated. You shouldn’t
base any type of password on your wife’s name, for a start.
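As an added illustration of the tips above (example code written for this issue, not taken from the newsletter or the survey), the Python below implements the interleaving and initial-letter tricks, a generator that draws from selectable character classes as described, and a check for the “name plus month” pattern quoted from the survey. The wordlist is a constructed sample and the pronounceable option is omitted.

```python
# Added example for this issue's password tips (not from the newsletter itself):
# the two construction tricks, a class-selectable generator, and a weak-pattern check.
import calendar
import secrets
import string

def interleave(first: str, second: str) -> str:
    """Alternate characters from two words; 'louise' and 'PRYOR' give lPoRuYiOsRe."""
    shortest = min(len(first), len(second))
    merged = "".join(a + b for a, b in zip(first, second))
    return merged + first[shortest:] + second[shortest:]

def initials(phrase: str) -> str:
    """First letter of each word; the soliloquy gives tbontbtitq."""
    return "".join(word[0] for word in phrase.split())

def generate(length: int = 12, lower: bool = True, upper: bool = True,
             digits: bool = True, punct: bool = True) -> str:
    """Random password drawn from the selected classes with the OS CSPRNG,
    containing at least one character from each selected class."""
    classes = [s for flag, s in ((lower, string.ascii_lowercase),
                                 (upper, string.ascii_uppercase),
                                 (digits, string.digits),
                                 (punct, string.punctuation)) if flag]
    if not classes or length < len(classes):
        raise ValueError("need at least one class and length >= number of classes")
    chars = [secrets.choice(s) for s in classes]          # one from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                # hide the class order
    return "".join(chars)

# Lower-cased month names and abbreviations, for the "wife's name + month" pattern.
MONTHS = {m.lower() for m in list(calendar.month_name[1:]) + list(calendar.month_abbr[1:])}

def weak_reason(password: str, wordlist: set) -> "str | None":
    """Return why a password is weak by the newsletter's rules, or None."""
    low = password.lower()
    if low in wordlist:
        return "dictionary word or name"
    for word in wordlist:
        if word and low.startswith(word) and low[len(word):] in MONTHS:
            return "name followed by a month"
    return None

if __name__ == "__main__":
    # Constructed sample wordlist; a real check would load a full dictionary and name list.
    words = {"louise", "password", "pryor", "wednesday"}
    print(interleave("louise", "PRYOR"), initials("to be or not to be that is the question"))
    print(generate(12), weak_reason("LouiseMay", words), weak_reason("lPoRuYiOsRe", words))
```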

If you do have to write your passwords down, keep them in a safe
place (not in your desk drawer), and don’t make it obvious what
they are. An alternative is to keep them in a special application
on your PC or PDA, such as SplashId (PalmOs only) and eWallet
(PalmOs and PocketPC).

Remember, it’s to your advantage for other people not to know your
password. You don’t want their nefarious deeds blamed on you.

3. FSA update

Earlier this month the FSA released a report entitled “Management
of credit risks within a trading environment – Review of market
practices 2003.” Don’t be put off by its title. Even if credit
risks in a trading environment are not your cup of tea it contains
some useful advice. For example, a large number of front
office and back office systems in many cases lead to a complex and
opaque IT infrastructure. The risks are obvious, and are
exacerbated by mergers between firms.

The report also notes that some important risk management functions
may be delegated by a UK-regulated subsidiary to a global function
located in head office. It points out that local management remains
accountable to the FSA for the outsourced functions, and that in
some cases it was not easy to extract the relevant credit limits
and exposures from the global systems.

The report is available at

New consultation and discussion papers out this month:

CP04/6 Changing the FSA’s Complaints Scheme

Feedback published this month:
PS04/5 Financial Services Compensation Scheme management expenses
levy limit and other funding issues – Feedback from CP209
and made text
PS04/8 Regulatory reporting – a new integrated approach: Feedback
on CP198 and made text
PS04/9 Reporting requirements for mortgage, insurance and
investment firms, and audit requirements for insurance
intermediaries – Feedback on CP197 and made text
PS04/10 Amendments to the Training and Competence sourcebook:
Feedback on CP194
PS04/11 Implementation of the Distance Marketing Directive –
Feedback on CP196 and made text
PS04/12 Implementation of the Insurance Mediation Directive for
long-term insurance business – Feedback on CP201 and
‘near-final’ rules

Current consultations, with dates by which responses should be
received by the FSA, are listed at

4. Fraud

KPMG have analysed 100 of the fraud cases that they have
investigated over the past two years. They conclude that fraud is
mostly committed by men, by senior managers, and in the finance
department. The study has some limitations: it ignores frauds that
have not been discovered, and the report doesn’t say how the 100
cases were chosen. Some of the results aren’t particularly
surprising. Most senior managers in the finance department are men,
and filing clerks just don’t have the same opportunities.

There are some interesting points that emerge. Only one in three
cases had a single perpetrator. Many frauds could have been
prevented by a stronger control environment. Very few of them were
detected by internal reviews; more were exposed by whistle-blowing.
In nearly 20% of cases no sanction was taken against the
fraudster. In nearly 70% of cases there was no publicity about the
fraud. It seems that many firms are more worried about their
reputations than about preventing further fraud. And we do have to
wonder how many frauds never come to light.

