News update 2004-09: September 2004

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor

Comments and feedback to Please tell me if
you don’t want to be quoted.

In this issue:
1. Actuaries and financial modelling
2. Financial web sites
3. FSA update
4. Portable risks
5. Newsletter information

1. Actuaries and financial modelling

What do actuaries do? A question that has often been asked, and
sometimes even been answered. We now have a new answer from
Australia, where it appears that there is growing actuarial
involvement in project finance. A paper was recently presented to
the Institute of Actuaries of Australia Financial Services Forum on
“Financial Modelling of Project Financing Transactions”. It’s well
worth a read if you are involved in any sort of financial
modelling, whether or not you are an actuary and whether or not you
are modelling project financing.

The paper includes an analysis of the risks of models and some
ideas for managing the risks, gives a clear introduction to Monte
Carlo simulation and why you might use it, and has a section on why
actuaries might be good people for modelling project financing.

It also includes some statistics on the error rates the authors
have found in spreadsheet models of project financing. The authors
say “Research has shown that error rates in project financing
models can be as high as 10%. Section 5 of this paper provides
some statistics on error rates collected by Mercer Finance & Risk
Consulting. Out of the thirty highest value projects reviewed
during the 2004 financial year, nine (that is, 30%) exceeded the
10% threshold; four exceeded the 15% threshold; and one exceeded
the 20% threshold.”

The wording may be misleading here. They are not saying that, for
example, 10% of the models have errors. In fact, all the models
(100%) that they reviewed contained errors. They are saying that in
four of the models they reviewed over 15% of the unique spreadsheet
formulae contained errors, and that one model had errors in over
one in five of the formulae. This model was one of the smaller
ones, too, so it’s no use saying “it’s only a small model, so it’ll
be OK”.

Although the spreadsheets they reviewed were all modelling project
financing, there is absolutely no reason to suppose that the high
error rates are peculiar to the project finance field. Financial
models of any sort are complex, and it’s hard (but not impossible)
to write a spreadsheet that doesn’t contain errors.

So let me say, once again, that it’s important to get the process
right when developing financial models (whether using a spreadsheet
or specialist modelling software). Be clear what it is that you
want the model to do: write a specification that is detailed enough
to test against. Use appropriate techniques when building the
model: something that looks like a really cool way of doing things
may be difficult for other people to understand. Document the
design decisions you make. Use a good change control process to
keep track of what’s going on. Test the implementation against your
specification. Record the tests, so that other people have some
reason to believe you when you say the system has been tested. And,
above all, don’t trust yourself. You are bound to make mistakes in
the coding, and if you don’t look for them you won’t find them.

2. Financial web sites

Phishing is big business. A recent survey says that US consumer
losses as a result of phishing scams have reached approximately
$500m (I always long to know how they come up with these
numbers). Apparently 70% of respondents had visited a spoofed
web site and 15% had disclosed sensitive information.

Obviously phishing is a risk to the consumer but it’s also a risk
to the financial institution that’s being spoofed. This is widely
recognised now, and many web sites warn their users of the
dangers. The trouble is that people don’t read the warnings (I only
read them myself from a professional point of view, because I’m
interested in risk management issues).

Another survey (it appears to be survey season at the moment)
claims that 90% of commercial web sites have security flaws that
make them vulnerable to online hackers and phishing attacks. So
maybe the dangers aren’t recognised quite as widely as they should
be. However, this figure is based on the web sites that a security
consultant was asked to audit, so there may well be an element of
self-selection here.

All in all, the user experience of financial web sites is sometimes
distinctly sub-optimal. An Australian bank found that customers who
had installed Windows XP Service Pack 2, the update from Microsoft,
wouldn’t be able to use their online services.

Often, you can only use the online services if you use
Internet Explorer on a Windows machine. Admittedly the proportion of
people who use different browsers or different operating systems is
small, but the absolute numbers are quite large, and there’s a lot
of ill will involved. This is especially the case when the users
are using another browser because they have impaired sight or
another disability.

Sometimes sites are unusable for other reasons: recently an online
payment site was down because of a denial of service attack.

So the risks involved in running a web site providing online
services can be significant. On the other hand, the risks of not
doing so can’t be ignored either. What is a poor bank to do?

3. FSA update

For the first time since I started this newsletter in December
2002, we have gone for a full month without either consultation
papers or feedback being published. The supply of final notices
shows no sign of abating, though. And those FSA folk keep on making
speeches. The range of newsletters is growing: this month we had
the third General Insurance Newsletter and the first Life Insurance
Newsletter.

There has been fairly full press coverage of the FSA’s views on
what’s happening in closed funds, but I haven’t seen many comments
on a speech John Tiner made recently, entitled “Ambiguity of
Contracts: Lessons learned from Equitable Life”. Interestingly
enough, this speech was actually made in Denmark. Go figure.

From a risk management perspective, one of the most important
lessons to learn is that the world doesn’t stay the same. Changes
in social attitudes, which tend to have a fairly long time scale,
affect both legal interpretations and the regulatory
environment. Moreover, courses of action that are reasonable in
some circumstances become perceived as unreasonable in others. All
these changes take place gradually and continuously. It’s difficult
to pinpoint the exact moment at which attitudes and circumstances
make a course of action untenable.

This kind of risk is extremely difficult to manage. It’s hard to
step back and see the long term trends. It’s often hard even with a
moderate degree of hindsight. As so often in risk management, a
creative imagination is a huge advantage.

New consultation and discussion papers out this month:


Feedback published this month:


Current consultations, with dates by which responses should be
received by the FSA, are listed at

4. Portable risks

What do you do if you are a consultant from an identity management
firm and your laptop is stolen while you are at a security show? Go
very red indeed?

We aren’t told whether there was sensitive data on the laptop, and
if so whether it was encrypted or protected in any way.

Yet another survey by yet another security firm has discovered that
PDAs are a big security risk. It comes as no surprise to me that
many people store the names and addresses of corporate customers on
their PDAs with no encryption. “As well as using their PDAs to
store company information, many users store valuable personal
information such as PIN numbers, bank account details, social
security numbers and even lists of passwords, many of which can be
accessed – ironically – without a password.”

This isn’t news. We’ve seen similar surveys in the past, and anyway
it’s obvious that this is what’s happening.

Every so often we see a scare story about such and such an
establishment banning iPods, or Palms, or something else from their
premises on the grounds that they are a security risk, because you
can download data to them. Of course you can. And yes, in that
sense they probably are a (small) security risk. However, if I
wanted to download data I personally would choose a USB flash
drive. Much smaller, no special cables or docks required, and you
can get them with pretty large capacities nowadays (1 gig for 100
pounds plus VAT at Crucial).

In the good (or bad) old days, corporate PCs would have their
floppy drives disabled, no CD drives, and all other unnecessary
ports blocked. Nowadays, when the keyboard and mouse use USB
instead of PS2, you can’t block all USB ports. A flash drive
doesn’t need any special software to be installed, either.

5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
( Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
To unsubscribe, email
All comments, feedback and other queries to
Archives at