News update 2004-10: October 2004
===================
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).
Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.
In this issue:
1. Spitzer risk
2. Getting rid of risk
3. FSA update
4. You don’t have to be a rocket scientist
5. Newsletter information
===============
1. Spitzer risk
There is a new component of operational risk: Spitzer risk, the
risk that Eliot Spitzer will launch an investigation into your
industry, attacking widely accepted ways of doing business.
A simplified summary of the current investigation: Some insurance
brokers accept contingent commissions from the insurers with whom
they place business. These are based on the volume of business they
place with that insurer. The brokers therefore have an incentive
to place business with insurers who offer these commissions, even
if they are not offering the best rates. Their interests are thus
not fully aligned with those of their clients. Moreover, it is
claimed that at least one broker asked insurers to submit dummy
quotes, so that the quote that would give them the incentive
commission would appear to be the cheapest.
The effects of Spitzer’s investigation are being felt much more
widely than the particular brokers against whom a suit has been
filed. A number of firms have said that they will stop accepting
contingent commissions. Share prices in brokers have fallen. Credit
ratings have been cut. Share prices in some insurers have fallen,
at least partly due to the fear that they will have to bear
extensive legal costs. The scope of the investigation is
broadening.
These effects aren’t limited to the USA; insurance broking is a
global business and there are fears that abuse may be present in
the UK market as well. The FSA don’t regulate insurance brokers
until 1st of January; there is no indication as to whether they
will launch an investigation in this country.
Potential losses to individual firms from Spitzer risk include
legal costs, potential fines, loss of revenue (no more juicy
contingent commissions in this case), losses due to lower credit
ratings and opportunity costs of spending management time on coping
with the fall-out or on developing new business models. There may
also be more general reputational damage. Many of these costs are
incurred by firms that are not directly involved as well as those
that are.
How should firms manage Spitzer risk? It’s tricky. Once it
happens, i.e. once Spitzer (or someone else) has launched an
investigation into some aspect of your industry, or one closely
connected with it, you should add it to your risk register and try
to handle the fall-out as best you can. Hence those brokers who
have said that they will stop accepting contingent
commissions. Even in this case you have to be aware of the
potentially widespread effects.
But how do you identify a Spitzer risk before it happens? There you
are, doing business in the normal way, just like everyone else in
your industry: how can you tell if some part of normal business
practice is likely to be considered worthy of investigation by a
regulator? And not necessarily your own regulator, either? You
really have to think outside the box. Is there any aspect of your
business that you wouldn’t like to have to explain and justify to a
hostile journalist? (Or other interrogator). Or any aspect that can
be described as “just the way things are done”, but isn’t how you’d
do it if you were starting from scratch?
But it’s very difficult to step back and see things as an
outsider. And how can you tell which aspects somebody else might
pick up on? It’s all part of coping with a changing context. What
was accepted 50 or even 20 years ago may not be acceptable now,
with the increased emphasis on openness and transparency.
===============
2. Getting rid of risk
Outsourcing, both explicit and implicit, will always be a source of
risk. Sometimes you just don’t have a choice of whether to
outsource or not, but the risk is still there.
For example, it’s not really practical to compile your own real
time market data. You have to use one of the major suppliers, such
as Reuters. But that means you depend on them, and if something
goes wrong you suffer. A couple of weeks ago a circuit breaker
failed at the Reuters Global Technical Centre in London (GTC-L). It
caused disruption to about 25% of the systems supported from the
building riser that was affected. An hour or so after the
first incident a second riser failed due to overloading, which
meant that two out of the four risers supporting GTC-L lost
power. The data feed was eventually down for about 10 hours. There
was nothing that Reuters’ customers could do about it.
http://www.finextra.com/fullstory.asp?id=12678
http://www.computerweekly.com/Article134316.htm
There has been a steady stream of scare stories about the risks of
outsourcing call centres offshore: operators offering unauthorised
credit to customers, and criminal gangs organising operators to
commit fraud against customers. Apparently some call centres are
not fully complying with the Data Protection Act, either.
However, the outsourcer is the party that is subject to the Data
Protection Act, as the Data Controller, so it’s the outsourcer’s
duty to ensure compliance. If there are problems, they will come
home to roost with the outsourcer, either as specific losses or as
reputational damage, and quite possibly both. You just can’t get
rid of the risk.
http://tinyurl.com/3p2ln
Here’s another risk that you can’t evade. Apparently many managers
are worrying about the increasing use of instant messaging
(IM). People use it to avoid the content filtering and monitoring
that is applied to email, believing that it is exempt from
compliance regulations such as Sarbanes-Oxley and Basel II. Of
course it’s not: it’s a communication just as much as emails and
telephone conversations are.
Many companies have banned it, as a security and compliance risk,
but the ban is extremely difficult to enforce. (From the technical
point of view it’s hard to distinguish IM traffic from other,
authorised, web traffic).
So whatever you do, you are still left with the risk. You ban IM,
people use it, you run into compliance problems… it’s no use
saying “not my fault guv.”
http://news.zdnet.co.uk/internet/security/0,39020375,39170374,00.htm
===============
3. FSA update
Back in December 2003 the FSA issued a Discussion Paper on fraud –
DP26: Developing our policy on fraud and dishonesty. It is
available at http://www.fsa.gov.uk/pubs/discussion/26/index.html.
In a recent speech Philip Robinson outlined the conclusions that
have been reached, and described the FSA’s new approach, called
Fighting Fraud in Partnership. The speech is available at
http://www.fsa.gov.uk/pubs/speeches/sp208.html.
From a risk management point of view, fraud is a significant
component of operational risk. Apart from the rare, high profile,
high loss cases such as BCCI and Barings, there is a great deal of
high frequency, low impact fraud. The ABI estimates that fraud
losses account for 3.7% of all insurance premiums, for example.
Robinson said that firms are not taking fraud as seriously as they
might. “But even when fraud mitigation is good business, it doesn’t
always follow that a firm will do it well. A project that we did
recently on insurance claimant fraud threw this into sharp relief
for me. In thirty small and medium-sized firms who responded to our
survey, every £1 they spent on fraud prevention yielded £3.80 in
savings; and yet fraud budgets were tight, with 71% of the firms
having no earmarked fraud budget at all.”
New consultation and discussion papers out this month:
------------------------------------------------------
CP04/15 Quarterly consultation (No. 2)
CP04/16 The Listing Review and implementation of the Prospectus
Directive – Draft rules and feedback on CP203
Feedback published this month:
------------------------------
CP203 See CP04/16 above
PS04/21 Regulatory fees relating to mortgage and insurance
mediation regulation – Feedback on CP04/4 and CP04/9 and
made text
Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html
===============
4. You don’t have to be a rocket scientist
Maybe you remember all the excitement back in September about the
Genesis space probe, which was going to be grabbed by stunt pilots
as it parachuted to earth. Unfortunately the parachutes didn’t
open. We now know that the switches that were to trigger the
parachute were installed upside down. It appears that the design
drawings were faulty.
http://www.newscientist.com/news/news.jsp?id=ns99996541
This is a superb example of how everything has to be right for things
to work: in this case, the implementation was OK but the
specification was wrong. This principle applies to financial models
as well as spacecraft. I gave a talk at the GIRO conference (annual
convention of general insurance actuaries in the UK) a couple of
weeks ago about how to believe your models. The slides are
available from http://www.louisepryor.com/show.do?page=articles.
You may not have to be a rocket scientist to operate a fax machine,
but it seems that being a lawyer isn’t always good enough. A lawyer
put a 100-page document in the fax machine the wrong way up,
and so faxed 100 blank pages through to the destination. The
document wasn’t received by a deadline, and an appeal succeeded
against fines worth 100m euros.
http://news.zdnet.co.uk/business/legal/0,39020651,39170375,00.htm
A new version of the World Bank Technology Risk Checklist is
out. From the introduction: “The World Bank Technology Risk
Checklist is designed to provide Chief Information Security
Officers (CISO), Chief Technology Officers (CTO), Chief Financial
Officers (CFO), Directors, Risk Managers and Systems Administrators
with a way of measuring and validating the level of security within
a particular organization.”
It’s available from
http://www.infragard.net/library/pdfs/technologyrisklist.pdf
Strangely, I haven’t been able to track it down at the World Bank
site. Maybe it’s a fake. But it looks as if it may be useful,
anyway.
===============
5. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.