Newsletter Feb 2005

News update 2005-02: February 2005

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor

Comments and feedback to
Please tell me if you don’t want to be quoted.

Subscribe by sending an email to
Unsubscribe by sending an email to
Newsletter archived at

In this issue:
1. Where the money is
2. Is it risky?
3. FSA update
4. Is testing worth it?
5. Newsletter information

1. Where the money is

Apparently Willie Sutton, the bank robber, said when he was asked
why he robbed banks, “because that’s where the money is”. It’s a
statement of the blooming obvious, and holds true even today, when
the mechanics of robbing banks have moved on from the tried and
tested methods used 50 or a hundred years ago (although the old
methods are still used: the Northern Bank robbery in Belfast in
December involved huge amounts of cash–see

Nowadays, you don’t actually have to physically break in to a bank
vault to get your hands on money that isn’t yours. Instead, you can
commit some sort of cybercrime. The problem (if you are a
fastidious bank robber) is that in most cases you are no longer
targeting a large anonymous institution, but are stealing directly
from the bank’s customers. However, few bank robbers have many
scruples, and there are now several more options open to such
people: interfering with ATMs, so as to get card details which you
can then use fraudulently; phishing, or trying to get people to
give you their personal details such as account numbers and
passwords (ditto); and using some kind of spyware to log their
keystrokes, thus letting you listen in on the personal details which
you can then use in the usual way.

All these methods take advantage of weaknesses in the overall
security systems of the banks. ATM fraud is based on a physical
weakness: it is possible to interfere with the ATMs themselves. The
other two are based on targeting the weakest link in the whole
system, the bank’s customers and their computers. I call this the
weakest link because it is an area over which the bank has no
control. It can try to improve security in this area by educating
its customers, and by introducing security procedures and
authentication mechanisms that make it harder for fraudsters to
impersonate genuine customers, but there are huge difficulties in
making these measures effective.

There may, however, be new incentives for the banks to take these
issues even more seriously than they do at present (and although I
am using banks as an example, the issues are the same for any
online service provider). A Miami businessman is suing his bank,
because he claims the bank is liable for the losses he suffered
through fraud. Apparently his computer was infected with a virus
that logged his keystrokes, enabling someone to steal $90,000 from
his account. He says that the bank should have told its customers
about the virus and the dangers it posed.

This whole area raises a number of tricky questions:

– To what extent should banks (or other online service providers)
be responsible for educating their customers in computer security
matters? It seems to be generally accepted that they should warn
customers about not disclosing passwords and PINs, being wary of
unsolicited emails that could be phishing scams, and so on, but
what about specific viruses? Should they encourage their
customers to use spyware detectors, virus protection software and
firewalls? What about using public access computers, in libraries
or internet cafes? Or security measures for their home wifi

– If online service providers try to improve their security
measures, especially as far as user authentication is concerned,
their sites are often perceived as being more difficult to use,
so they lose customers. Where should the balance lie? Is it again
a question of educating the user to accept more complex

– Would biometric authentication mechanisms help? Or could the data
a fingerprint or iris scanner sends be captured (by packet sniffing
software, or by the same kind of spyware that logs keystrokes) and
simply replayed to mimic the genuine user? And in any case would
users be prepared to invest in the necessary hardware?

As a footnote, it appears that Willie Sutton never actually made
the smart alec remark that is attributed to him. Also, he was
usually known as Bill, not Willie. He actually said “Why did I rob
banks? Because I enjoyed it. I loved it. I was more alive when I
was inside a bank, robbing it, than at any other time in my life. I
enjoyed everything about it so much that one or two weeks later I’d
be out looking for the next job. But to me the money was the chips,
that’s all.”

2. Is it risky?

The latest “Banana Skins” survey has identified regulatory overkill
as the biggest risk facing banks today. The survey covered 440
respondents from 56 countries.

When I first read about this, I was amazed. Regulation the biggest
risk? You mean *regulation* is going to make banks go bust? And
surely the major thrust of most current regulation is to reduce
risk–have the regulators really got things so horribly wrong? Then
I realised that we weren’t being given the full context. Risk is
not a concrete entity, sitting out there in glorious isolation
waiting to be identified. There are only risks in relation to
goals, or other desirable outcomes.

The respondents to the survey were probably thinking of the risks
to their profits. Heavier regulatory requirements undoubtedly
result in heavier costs to those who are regulated. However, they
may reduce the risks of customers losing their money, and the risks
of the regulatory bodies failing to achieve their objectives. For
instance, the FSA make it very clear that the risks they are
worried about are the risks to their statutory objectives;
inasmuch as these risks coincide with risks to the profits or
shareholder value of the firms that they regulate, all well and
good, but that’s really a side effect.

When you are discussing the riskiness or otherwise of various
courses of action it’s important to be very clear about the
context. The risk to what? Often, it is assumed that all parties to
the conversation share the same context, which is never made
explicit. This can lead to quite violent disagreements, which turn
out to be based on problems of definition rather than on
fundamental differences.

I’ve been at a couple of gatherings of actuaries recently at which
the discussion turned to the topic of whether cash is more or less
risky as an investment than equities. This is a question to which
there is no correct answer. Whether cash is more or less risky
depends on what you are trying to do. If you are investing in order
to meet future outgoings as they fall due, it obviously depends on
what the outgoings are. For fixed monetary amounts in the short
term, cash is beautifully risk free. For real amounts in the longer
term, especially if the inflationary outlook is uncertain, cash
starts to look much more dodgy.

In the investment world volatility is often used as a synonym for
risk. And indeed, a highly volatile investment is risky if you are
interested in getting a pay-out defined in nominal terms on a
specific date. Over a longer term, especially when you can choose
when to disinvest based on circumstances at the time, volatility
becomes less of an issue. Again, the context is all-important.

3. FSA update

The FSA have a new web site. I haven’t used it enough yet to be
able to tell whether it’s an improvement or not (I had no
particular gripes about the old site), but I do find it annoying
that a number of my bookmarks no longer work. For example, there
used to be a handy page that listed current consultations, with
dates by which responses should be received by the FSA. I haven’t
been able to track down the new version of this, if it exists. In
addition, the URLs for all existing documents have changed. The
listing of publications by date is less comprehensive than before,
as it no longer includes press releases, Dear CEO letters or

I found the Dear CEO letter on credit derivatives somewhat
interesting (I never thought I’d hear myself say those words, or
maybe I mean see myself write them…) It turns out that insurance
companies are not years behind the banks on all risk management
issues. It’s been known for some time in the insurance world that
the habit of not finalising contracts is a risky one, and there has
been a bit of a push on to try to improve practice in this
area. Well, apparently traders in credit derivatives have the same
problem. Some transactions remain unconfirmed for months. The risks
are obvious.

New consultation and discussion papers out this month:


Feedback published this month:

PS05/02 Insurance regulatory reporting: changes to the publicly
available annual return for insurers – Feedback on CP202
and CP04/1 and made text

4. Is testing worth it?

In my last newsletter I rather glibly said that, with hindsight,
the Huygens team got their cost benefit analysis completely wrong
when deciding whether to subject every system to a simulation of
the exact signals and conditions it would experience during
flight. Alan Chaplin quite rightly pointed out that this was an
over-simplistic comment. As he says, it’s likely that this wasn’t
the only test that was omitted. He also gave a very succinct
summary of how the analysis should be performed:

The cost benefit analysis on the test runs something like:

Cost of test = m
Probability of finding a problem = x
Cost of fixing problem = n
Value of fixing a problem found by test = b

So cost = m + (n * x)
Benefit = (b * x)

Carry out test if benefit > cost

So if x is very small the cost benefit analysis says don’t do
it. The fact that the error did turn out to exist does not
necessarily mean that the probability a priori was wrong.

This is absolutely right. The difficulty is estimating x, n and
b. It’s difficult to know what information the Huygens team had
available at the time, and so whether they made the right decision
or not.

In my view x, the probability of finding a problem, is especially
difficult. It depends on so many things, including the coverage of
the tests you’ve done so far – and on the whole I think we tend to
overestimate the efficacy of our tests and underestimate the a
priori likelihood of mistakes.

n, the cost of fixing a problem, is not easy either, as it varies
so much depending on what the problem is. In this case they were
pretty lucky that it turned out to be possible to fix it at all, it
seems. And if you have no idea of what sort of problems, if any,
may be uncovered by your tests, how can you possibly tell what it
will cost to fix them?

And of course b, the value of fixing a problem, depends on what the
problem is. In some cases this is very high indeed: if the problem
means that the whole mission fails, for example. This is subject to
many of the same issues as estimating the cost of fixing a problem.

I have no really good answers to this. Through experience on a
number of similar projects one gets a reasonable feel for the
centres of the distributions, i.e. typical numbers and sizes of
problems found. But on a one-off project, or out in the tail of the
distributions, it’s not easy at all.
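A worked version of Alan Chaplin’s rule, as an added example (it is not code from this newsletter or from his note): it computes the break-even value of x, and then checks whether the test/no-test decision survives the whole range of x you think plausible, since x is, as argued above, the hardest of the four quantities to pin down. The figures in it are constructed, in arbitrary units, and the function names are my own.

```python
"""Alan Chaplin's cost-benefit rule for a test, with a check on how
sensitive the decision is to x.

Added example, not part of the original newsletter or of Alan
Chaplin's note; all figures below are constructed for illustration.
"""


def expected_cost(m: float, x: float, n: float) -> float:
    """Cost of running the test plus the fix, which is only paid for
    with probability x (when the test actually finds the problem)."""
    return m + n * x


def expected_benefit(b: float, x: float) -> float:
    """Value of the fix, again only realised with probability x."""
    return b * x


def carry_out_test(m: float, x: float, n: float, b: float) -> bool:
    """The rule as stated: carry out the test if benefit > cost."""
    return expected_benefit(b, x) > expected_cost(m, x, n)


def break_even_probability(m: float, n: float, b: float) -> float:
    """Smallest x at which the test pays for itself.

    b*x > m + n*x  <=>  (b - n)*x > m  <=>  x > m / (b - n).
    If fixing the problem costs at least as much as the fix is worth
    (b <= n) no probability justifies the test, so return infinity.
    """
    if b <= n:
        return float("inf")
    return m / (b - n)


def decision_is_robust(m: float, n: float, b: float,
                       x_low: float, x_high: float) -> bool:
    """True if the decision is the same at both ends of the plausible
    range for x (so the difficulty of estimating x does not matter
    here); False if the range straddles the break-even point, in which
    case the estimate of x is exactly what the decision hinges on."""
    return carry_out_test(m, x_low, n, b) == carry_out_test(m, x_high, n, b)


def underestimate_factor_to_flip(m: float, n: float, b: float,
                                 x_est: float) -> float:
    """How many times larger than the estimate the true x would have to
    be before skipping the test becomes the wrong call. A small factor
    means a decision to skip is fragile against the tendency to
    overestimate test coverage. Only meaningful when x_est is below
    the break-even value, i.e. when the rule currently says skip."""
    return break_even_probability(m, n, b) / x_est


if __name__ == "__main__":
    # Constructed figures: the test costs 50, a fix costs 200, and the
    # fix is worth 100_000 (say the mission is lost without it). x is
    # the quantity nobody really knows.
    m, n, b = 50.0, 200.0, 100_000.0
    print(f"break-even x = {break_even_probability(m, n, b):.6f}")
    for x in (0.0001, 0.0005, 0.001, 0.01):
        print(f"x={x:<7} cost={expected_cost(m, x, n):9.2f} "
              f"benefit={expected_benefit(b, x):9.2f} "
              f"test={carry_out_test(m, x, n, b)}")
    print("same decision over x in [1e-4, 1e-2]?",
          decision_is_robust(m, n, b, 1e-4, 1e-2))
    print("if x was estimated at 1e-4, underestimating it by a factor of",
          f"{underestimate_factor_to_flip(m, n, b, 1e-4):.1f}",
          "or more makes skipping the test the wrong call")
```

With these figures the break-even x is about 0.0005, so a 0.1% chance of finding the problem already justifies the test while a 0.01% chance does not; the interesting output is not the yes/no but how narrow the margin is, because a factor-of-five error in x (well within the range of the overconfidence described above) flips the answer.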

5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
Copyright (c) Louise Pryor 2005. All rights reserved. You may
distribute it in whole or in part as long as this notice is
included.
To subscribe, email
To unsubscribe, email
All comments, feedback and other queries to
Archives at

The Edinburgh Bach Choir will be performing Bach’s St Matthew Passion
at St Cuthbert’s Church, Lothian Road on Saturday March 12th. See for more details. Tickets from
the Usher Hall or members of the Choir.