Categories
Newsletter Old site

Newsletter Jun 2004

News update 2004-06: June 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Bank computer system fails (again)
2. Costs of compliance
3. FSA update
4. Bits and pieces
5. Newsletter information

===============
1. Bank computer system fails (again)

We hear about major computer failures in banks once or twice a
year. The latest one was in Canada, where the victim (or culprit)
was the Royal Bank of Canada. As the Globe and Mail put it “the
accounts of 10 million customers were rendered inaccessible in a
nanosecond by a monster computer glitch.”

The bank’s technology chief explained the whole thing. “It was a
program change. The guy made some mistakes. I mean, he made some
mistakes with respect to how he went through the testing process
with respect to it. It appears, as we’re going through this, that
it didn’t get tested as fully as it should have been and, as a
result, it created the problem. So, essentially, what you have is a
piece of code that ends up having a character in a field that it
shouldn’t be in. That change ends up setting off a sequence of
events.”

As I understand it, a change was made to one of the programs
comprising the system. There was a bug in the change, which was not
caught by testing. The bug showed up during the nightly batch
runs. After fixes, they then tried to run two days worth of
transactions in the same batch run. This didn’t work because the
system couldn’t cope with two different dates in the same run. It
took days to catch up; and meanwhile customers were getting more
and more upset.

I’ve said it before, and I’ll say it again, you can’t rely on only
one thing going wrong at a time. The problem with running a batch
job containing two dates was lying in wait: only when something
else had already gone wrong would it leap into action. As a
correspondent recently said in another context, relying on Murphy’s
Inverse Law (that everything that can go right WILL go right) is a
common error of judgement.

As is often the case, an operational loss was compounded by
reputational issues. It apparently took several days for the bank
to admit that there was a problem, and members of senior management
set off on pre-arranged holidays and business trips even after the
scale of the crisis had become apparent. Now it may well be that
there was nothing useful they could have done, but it just doesn’t
look good. This point is also becoming a regular theme in these
newsletters.

Finally, and this really wasn’t the bank’s fault, there was a major
phishing scam targeting their customers just as the whole
imbroglio was finally sorted out. Did I mention that it’s never
only one thing that goes wrong at a time?

Globe and Mail coverage is at the following URLs:
http://tinyurl.com/227ln
http://tinyurl.com/2bbzd
http://tinyurl.com/39qls

There’s an interesting write up at
http://www.bankingrisk.com/analysis/archives/2004/06/18/testing_times

===============
2. Costs of compliance

I work mainly in the insurance industry, and am aware of just how
much effort is going into complying with the new regulatory regime.
Many firms are making major investments in new models or bringing
old ones up to scratch. Others (or the same ones) are looking at
how they use their models, and whether they can really trust the
results. Are the systems and controls for maintaining and updating
the model adequate? What about data and assumptions? What do they
do about specification and testing?

There is a view that it’s about time too, and that the benefits to
management of having more accurate and reliable models will
outweigh the costs (and remember, there are opportunity costs as
well as the money that has to be spent). Others think that it’s all
pointless box ticking. The truth, as usual, probably lies somewhere
between the two (closer to the first, I believe), but those who
think it’s pointless will probably see fewer of the potential
benefits.

Not surprisingly insurance firms aren’t the only ones affected.
Apparently 40% of Barclays’ IT investment spend goes on regulatory
compliance programmes for Basel II and Sarbanes-Oxley. A recent
survey indicated that two-thirds of banks with assets over US$100
billion project costs of more than 50 million euros for Basel
II. The same survey claims that most banks see significant benefits
from Basel II and that they are planning to adopt the advanced
regulatory approaches for both credit and operational risk.

Sarbanes-Oxley is spreading its net widely, as it applies to many
non-US companies by virtue of relationships they have to US
corporations. Its main effect is in the area of systems and
controls and directorial responsibility, so adding to the weight of
pressure in that direction. At least one head has already rolled,
or is about to roll, as a result of Sarbanes-Oxley. A large US
corporation’s internal auditors were unhappy with the controls in
the IT department, which they viewed as not meeting the
requirements of Section 404, which is starting to take effect this
year. The CIO is now paying the price.

The whole question of systems and controls is a hot issue, both in
IT departments and elsewhere. After all, IT systems are developed
in many parts of the organisation, not only in IT departments.
Which brings us back to the beginning; what are actuarial models,
if not IT systems? And just think of all those spreadsheets…

The IT Governance Institute (ITGI, http://www.itgi.org/) has a
useful document entitled “IT Control Objectives for
Sarbanes-Oxley”. Although primarily intended for IT specialists,
others may well find it useful.

http://www.louisepryor.com/papers/confident.pdf
http://www.computerweekly.com/articles/article.asp?liArticleID=131260
http://revveday.notlong.com
http://www.it-director.com/article.php?articleid=11982

===============
3. FSA update

The FSA and HM Treasury have issued a joint consultation document
on the UK Implementation of the EU Market Abuse Directive
(Directive 2003/6/EC). This is available at
http://www.fsa.gov.uk/pubs/other/eu_mad.pdf.

The supply of consultation papers and feedback is definitely drying
up; this is only to be expected as the FSA is no longer a new kid
on the block. One would definitely hope that the major regulatory
changes had been mapped out by now. It is interesting to note that
the two largest categories of publication this month are Final
notices and Other FSA publications. Again, it’s not unexpected to
see more disciplinary activity as the system matures. And who gets
a filing system absolutely right at the beginning?

New consultation and discussion papers out this month:
—————————————————–

CP04/10 Child Trust Funds
CP04/11 A basic advice regime for the sale of stakeholder products

Feedback published this month:
—————————–

None

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Bits and pieces

You may have noticed that I’ve used two different URL shortening
services in this newsletter: notlong and tinyurl. I really have no
particular view on which is better, but one of them was unavailable
while I was writing one of the articles, so I used the other. I
only hope they are both working when people try to click through on
the links.

Why use them at all, I hear you ask. Well, when a URL is too long
to fit on one line there are two possibilities. Either your mail
reader wraps it round, which looks messy, or it automatically
inserts a line break, which means that it won’t work as a link. And
some URLs are very long indeed. They have long, long code numbers
embedded in them, which often carry useful information (such as the
date of the article they refer to), on top of deep directory
trees. I always include the URL as plain text because this is a
plain text newsletter.

This is a plain text newsletter for a number of reasons. Everybody
can read plain text. There are still some people out there who do
not have html mail readers, for one reason or another. Because most
spam uses html, some people simply block all html mail. Many more
people read their email as plain text, even if it is sent as html
(I do this myself). Again, this is an anti-spam measure; spammers
often include spy-ware in the html mark-up of their mail, so that
they can tell who has read it and keep them on the list. Finally,
I’m just a plain text sort of person, concentrating on content
rather than form.

Talking of spam, we all know how much of a problem it is, but do
you know what problems anti-spam and other security measures can
create? Some ISPs do hidden spam blocking; they just dump messages
that they think are spam, without telling you about it. So you
don’t even know about the false positives. There have been a couple
of occasions recently when a client tried to send me a spreadsheet
for review, but the firewall at his end blocked the email without
telling either him or me. It’s this silent operation which is
dangerous.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.