News update 2005-12: December 2005
===================
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).
Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to news-subscribe AT louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe AT
louisepryor.com. (Change ” AT ” to “@”). Newsletter archived at
http://www.louisepryor.com/newsArchive.do.
In this issue:
1. You get what you wish for
2. Supplying risks
3. Mistakes will happen
4. Seasonal greetings
5. Newsletter information
===============
1. You get what you wish for
Every child knows that you have to be careful when you make a
wish. It’s something that Midas learned the hard way.
Unfortunately, it’s something that a number of other people are
learning the hard way, too, even though they weren’t the ones to
make the wish.
Imagine you are designing a mobile phone, in the early days of
their use. You realise that you should have a way of locking the
keypad, so that calls aren’t made by accident when the phone is
knocking around in someone’s pocket or bag. Then you introduce a
further safety measure: it will always be possible to dial the
emergency numbers (999 or 122) when the keypad is locked; in an
emergency, nobody is going to want to fiddle around unlocking the
keypad.
The unintended consequence is that the centres handling emergency
calls get around one call every four seconds that is from a mobile,
and on which there is no communication at all, just silence. Most
of these calls are from phones that have accidently dialled 999 or
112. After all, if the 9 key is jogged by accident, it’s really
quite likely that it’s going to be jogged 3 times. Worse, if it’s
jogged 3 times by accident, it’s often jogged three more times, and
three more times, so there are many mistaken calls from the same
phone.
The operators answering the emergency calls have procedures to deal
with this problem. If there is nobody speaking into the phone, they
ask the caller to tap on the screen; if they get no response, they
put the call through to an automated system, which asks the caller
to press one of the keys. If there is any response at all, the call
is put through to the police.
Now, imagine you are badly injured, alone except for you
mobile phone. You can just manage to dial 999, but can’t get the
phone near your head, so can’t speak into it or hear what the
operator is saying to you. You hope that by making several calls in
quick succession the operators will realise that something is up,
trace the calls, and send help.
Sadly, no help will arrive. You are just one of the 900 silent
calls per hour coming in from mobiles. The operators can’t tell the
difference between you and a jogged keypad in someone’s bag.
There are no easy answers, given that mind reading is impossible.
Make keypad locking lock out the emergency numbers, and there will
be some people who can’t dial the emergency number in an
emergency. There just aren’t the resources to send help to all the
silent, repeated calls, just on the off-chance that they are
genuine. And as things are, some people won’t get help when they
need it.
Could all this have been foreseen? With hindsight, obviously, but
at the time? I don’t know. But the good news is that the number of
silent calls is decreasing as the proportion of folding mobiles
increases.
There was a programme on BBC Radio 4 that covered this and related
issues. The transcript is available from
http://news.bbc.co.uk/1/hi/programmes/file_on_4/3708232.stm
===============
2. Supplying risks
There has been some comment in the press recently about how
companies are getting more worried, and hence more clued up about,
risks to their supply chains. This worry is easy to understand in
the case of manufacturing companies, who often have long supply
chains with very little slack. Others should also be worried.
I heard an interesting story recently about a transport company in
the USA. Just as Hurricane Katrina struck New Orleans, they had
finished a major risk identification exercise. It had been an
extremely thorough affair, they thought, and they were feeling
pretty satisfied with a job well done. Of course they missed a
biggy. They hadn’t realised that all the steel they needed for
their fleet replacement programme passed through New Orleans. Ouch!
Closer to home (to my home, at any rate) the explosion at the
Buncefield oil depot raised many health and safety fears; it was
very lucky that nobody was killed, and the fallout from the smoke
doesn’t appear to have been as bad as it could have been. But some
of the knock-on effects were unexpected.
One of the businesses affected was Northgate Information Solutions,
whose head office is right next door to the depot. The building was
seriously damaged, and the on-site backup systems were, as they
say, “rendered inoperable”. Not surprising, really. Northgate had a
business continuity plan which they were able to put into action,
but there was a break in service. A number of their customers were
quite seriously affected. These included Richer Sounds, the hifi
retailer, whose web site and email systems were affected, the
Labour party, whose web site was down, and Addenbrooke’s hospital,
in Cambridge. Their internal information system of patient data was
in the destroyed Northgate building. They had to revert to manual
records for a period.
Who would have thought that an explosion in Hemel Hempstead would
affect the running of a hospital in Cambridge? (For those who don’t
know, the two are about 50 miles apart.) But of course, with modern
technology there is no particular reason why the data centre should
be anywhere near the hospital. And it’s not just large
organisations who outsource some of their IT functionality; my own
web site is hosted in Canada. Nowadays there are long supply chains
even in the services sector, subject to just the same risks as any
other supply chain. There are around 50 other oil depots like
Buncefield around the country; I wonder how many other data centres
are near them.
http://www.theregister.co.uk/2005/12/14/oil_blast_prangs_newlabour/
http://news.yahoo.com/s/ap/20051212/ap_on_bi_ge/britain_explosion_business
===============
3. Mistakes will happen
To death and taxes I would add mistakes, as being something you can
be sure of. However hard you try, mistakes will happen. You may be
able to reduce the number of mistakes, or limit the damage they
cause, but you can’t totally eliminate them.
Trying to reduce their incidence and severity are both valid risk
management strategies, but in most cases it’s a mistake (another
one) to rely totally on the former. It’s always a good idea to have
good ways of picking up the pieces when something does go wrong.
This is a lesson that Takuo Tsurushima, chief executive of the
Tokyo Stock Exchange (TSE), and two of his colleagues, have learned
to their cost. The nightmare started when a broker mis-keyed a
deal, placing an order to sell 610,000 shares in J-Com at 1 yen
apiece instead of 1 share at 610,000 yen. The company in question
had only around 15,000 shares outstanding, so selling 610,000 of
them was always going to be problematic. Commentators have said
that more or less anywhere else in the world such an aberrant order
would have been spotted and could have been de-keyed. In fact, it
appears that the mistake was spotted quite quickly, but the TSE
systems had no method of cancelling the order.
Oddly, there was a similar case almost exactly four years earlier,
when a trader intended to enter an order to sell 16 Dentsu shares
at 610,000 yen but actually keyed in 610,000 shares at 16 yen. The
recent press coverage doesn’t appear to have picked up on this
coincidence, though it does seem odd: is 610,000 a special number
in some way?
There are some obvious things that could be done to try to prevent
errors of this type, such as some sanity checks on the number of
shares in a deal, and the price, asking for confirmation if they
are outside certain limits. Of course, these things always turn out
not to be as simple as they seem to an outsider, and we have all
encountered situations where you just click through vital warning
boxes, because too many of the wretched things appear.
http://www.economist.com/displaystory.cfm?story_id=5310558
http://catless.ncl.ac.uk/Risks/24.12.html#subj8.1
===============
4. Seasonal greetings
I do like it when I can say “I told you so.” Back in June I wrote a
piece in my newsletter about hidden data in documents, and pointed
out that the problem existed in Excel as well as Word; early in
November Westpac was forced to halt trading on its shares and
deliver its annual profit briefing a day early after it
accidentally sent its results by email to research analysts. It had
sent out a spreadsheet containing the results for previous years;
it also contained the latest results, obscured by blacking out the
relevant cells. The cells may have looked black on the screen, but
it didn’t need advanced technical skills to find out what they
contained.
http://makeashorterlink.com/?I23D21A5C
May all your communications be intended, all your spreadsheets
reliable, and all your risks well managed in 2006!
===============
5. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2005. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email news-subscribe AT
louisepryor.com. To unsubscribe, email news-unsubscribe AT
louisepryor.com. All comments, feedback and other queries to
news-admin AT louisepryor.com. (Change ” AT ” to “@”). Archives at
http://www.louisepryor.com/newsArchive.do.