Newsletter May 2004

News update 2004-05: May 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Models and risk
2. Phishing and security
3. FSA update
4. Weather perils
5. Newsletter information

===============
1. Models and risk

The cause of the collapse of Terminal 2E at Charles de Gaulle
airport has not yet been determined, and there is a distinct lack
of instant blame to be found in the press coverage. There are two
main potential sources of problems: either there was something
wrong with the design, or mistakes were made during construction.
One pundit apparently said that since the design had been computer
assisted, the fault was more likely to be in the construction. I
must say I found this comment to be a bit of a non sequitur. It
appears to assume that the use of a computer model in the design
means that the design was fault free, thus showing much more
confidence in computer models than is reasonable.

I am willing to believe that the computer aided design packages
that architects use have few bugs in them. In other words, the
calculations performed by CAD packages are likely to be correct
(but it’s difficult to believe that they are totally bug
free).

One of the major benefits of using models, whether for designing
airport terminals or for financial management, is that they are
simpler than the real world, making analysis much easier. The trick
is to omit the unnecessary detail, while retaining the important
characteristics. Sometimes that’s easier said than done: look at
what happened with the Millennium Bridge. It’s usually the leading
edge projects that show up this type of basic problem. Paul Andreu,
the architect of Terminal 2E, said that it was “bold … but
nothing revolutionary”, thus implying that the model probably
wasn’t being pushed beyond its usual envelope of applicability.

Ove Arup, the engineers responsible for the design of the
Millennium Bridge, have a good web site explaining how they went
about fixing the problem. They developed a new model, but had to
calibrate it by having people walk across the bridge and measuring
the effects. Calibrating financial models can be more difficult, as
you can’t operate a company for a few years under different
conditions to see what happens. You have to use the data that is
available, rather than generating the data that you’d like.

http://www.arup.com/MillenniumBridge/

===============
2. Phishing and security

We are all now aware of the phishing scams that regularly appear in
our mailboxes. They usually consist of a slightly ungrammatical
email asking you to go to some web site to verify your personal
details and password. The web site appears to be that of a bank, but
of course isn’t. In response, banks now warn their customers not
to believe emails purporting to come from them that ask for such
information.

But what happens when you get an unsolicited telephone call,
purporting to be from your bank, asking you to answer security
questions before continuing with the conversation? Should you
answer them, or should you suspect some kind of scam? How can you
tell whether the call is really from your bank? You might expect,
on the grounds of consistency, that such calls would never be
genuine. The risk of giving out confidential information over the
telephone would seem to be pretty much the same as giving it out to
a web site.

However, it seems that at least one bank really does behave in this
way. The calls in question turn out to be for marketing purposes,
and it’s not clear why the customer’s identity has to be verified
through security questions. It is my view that the bank in question
is increasing the risk that its customers will be victims of scams
in the future. There is little direct risk to the bank, but the
indirect risks in terms of reputation could be significant.

http://catless.ncl.ac.uk/Risks/23.37.html#subj10

===============
3. FSA update

Don’t be misled by the title of CP04/08 into thinking that it
contains nothing of interest. Section 8, entitled “Proposed
Amendments to the Listing Rules”, proposes that UK listed companies
should be required to demonstrate the quality of their internal
controls to their auditors. The proposal follows on from the issue
of the new Combined Code on Corporate Governance in 2003 (available
at http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf). The FSA are
proposing that auditors be required to review the ten Combined Code
provisions relating to audit and accountability, all of which are
objectively verifiable. They would also like auditors to be
required to consider whether the directors’ “Comply or Explain”
statement has been made after due and careful enquiry, but have
decided not to push ahead with that proposal for the time
being. The latter option would effectively require auditors to
review the processes by which the directors review the internal
controls.

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/7  Lloyd’s: integrated prudential requirements, and changes to
        auditing and actuarial requirements – Including feedback on
        CP178
CP04/8  Miscellaneous amendments to the Handbook (No.14)
CP04/9  Fees issues arising from the regulation of mortgage
        business and general insurance broking – including feedback
        on CP04/2

Feedback published this month:
------------------------------

PS04/13 Bundled brokerage and soft commission arrangements –
        Feedback on CP176
PS04/14 Regulation of long-term care insurance – Feedback on CP200
        and made text
PS04/15 Consolidated policy statement on our fee raising
        arrangements

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Weather perils

I have now been on three walking holidays running with unseasonably
warm weather: north Italy in May 2003, northwest Scotland in August
2003, and northeast USA in May 2004. At times, in all three places,
it was warm enough to make walking unpleasant. So, if you like the
heat, I advise you to go to the west of Ireland in October, which
is my next planned holiday. Or maybe not.

Another risk of going on holiday is that work builds up while you
are away, and you don’t have time to catch up with everything.
That’s why this newsletter is shorter than usual, and slightly
delayed.

If you are in Edinburgh this weekend, consider going to the
Edinburgh Bach Choir’s concert on Saturday evening. We’ll be
performing Handel’s Dixit Dominus, Vivaldi’s Magnificat, Bach’s
Cantata no 182, and Purcell’s O Sing unto the Lord. See
http://home.clara.net/pryor/ebc/concerts.html#may for more
details.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Apr 2004

News update 2004-04: April 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Corporate culture and dominance
2. Passwords
3. FSA update
4. Fraud
5. Newsletter information

===============
1. Corporate culture and dominance

Another month, another report on a large corporation drawing
attention to shortcomings in its corporate culture. Last month it
was NAB; this month it’s Shell. The details are different, of
course, which just goes to show how many different things it is
possible to get wrong. In Shell’s case, there was an over-dominant
chief executive as well as a poor culture of compliance. The report
was prepared by Davis Polk & Wardwell for Shell’s Group Audit
Committee. The executive summary and recommendations are now
publicly available from the Shell web site through
http://tinyurl.com/26t6q

It all makes interesting reading. If you treat it as referring to
the reserves of an insurance company it stays interesting, and much
of it remains relevant. There are some obvious changes: substitute
FSA for SEC for example, and don’t take too much notice of the
units involved (boe, or barrels of oil equivalent). But some useful
points emerge.

As far as regulations and guidelines are concerned, everybody
concerned needs to know what they should be complying with and how
they should do it. Also, documentation is vital.

“… not only were the Shell Guidelines non-compliant with the
SEC’s proved reserve definitions in key areas, but even
assuming they had been compliant, they lacked clarity
necessary to facilitate compliance…”

“Several control failures could be attributed to the short
tenure of certain individuals in key functions. … upon
rotation, complete and detailed handover notes should form the
basis for a formal transfer. ”

It’s important that there are clear lines of responsibility, and
that they go right up to the top.

“evidence of diminished responsibility for line reporting of
reserves figures, especially in joint ventures where the SEC
definition of proved reserves was not important to local
interests.”

No details are given of the methodology used to derive the reserve
estimates, but we can assume that some sort of model is used. It
must presumably estimate the amount of oil in the ground, future
economic conditions and costs of extraction. However, “Reserve
reporting and the booking of reserves are viewed as much an art as
a science.” So it may well be that the final figures are based on
model results rather than being directly from the models; we just
can’t tell. In any case, you can usually get pretty much any result
you want out of a model by adjusting the assumptions. This is the
classic GIGO (garbage in, garbage out) syndrome: you should only
believe the results of a model if you have confidence in the inputs
and in the calculations that are performed.

===============
2. Passwords

Would you tell someone your corporate password in exchange for a
bar of chocolate? 122 people out of the 172 recently surveyed at
Liverpool Street station did (that’s 71%). That’s 122 people who
really should have known better (apparently about half of them did
require some persuasion, but not much: the interviewer commented
that it was probably the name of their child or pet).

In fact, if you are going to tell your password to anyone, a market
researcher is probably pretty safe. We aren’t given the details,
but the risk certainly depends on whether the recipient of the
information knows your name and where you work. Also, we don’t know
how many of the people gave false passwords in order to get the
chocolate (we aren’t told what type of chocolate, or how big the
bar was, either).

But you really should keep your password to yourself. The survey
provides anecdotal evidence of how insecure many passwords are. The
best story is probably the following:

“One interviewee said, ‘I work in a financial call centre,
our password changes daily, but I do not have a problem
remembering it as it is written on the board so that every
one can see it.’ ‘What everyone?’ our stunned researcher
asked. ‘Yes, although I think they rub it off before the
cleaners arrive,’ replied the worker.”

It’s clear that many people find it difficult to keep track of all
the passwords they need. If you have passwords for several
different systems, and have to change them all monthly, the number
soon mounts up, without even considering all those pesky
web sites. Some people get round the problem by using the same
password for everything. Others write them down, even on sticky
notes attached to their screens. Many people choose passwords that
are easy to remember, even though they may also be easy to guess.

If you’re wondering how you should choose your passwords, here are
some tips:

– Longer is on the whole safer, but you have to trade off safety
against actually being able to remember it.

– Words that are in the dictionary are bad. People’s names are
bad. Including mixed case, numbers, and punctuation marks is
good.

– You could try interleaving two words. Basing a password on my
name would give lPoRuYiOsRe for example. I don’t find this type
of password very easy to get right when typing it in, and you
certainly shouldn’t base it on anything as obvious as your own
name.

– Try using the initial letters of a phrase. Basing your password
on a famous soliloquy would give tbontbtitq. You shouldn’t choose
anything that obvious, and it’s good to put some of the letters
in upper case and add in some numbers.

– Use a password generator. There are a number available on the
web, or as software for your machine. They usually let you choose
what characters should be included (eg a-z, A-Z, 0-9, punctuation
marks), the length of the password and whether it should be
pronounceable (and hence easier to remember).

– If you have to change your password regularly, use some kind of
system. But don’t make it as obvious as the one cited in the
survey: “I use my wife’s name and add the current month.” At
least put the month in the middle of the name, but even better
come up with something a bit more sophisticated. You shouldn’t
base any type of password on your wife’s name, for a start.
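
The tips above, worked through as an added example (not part of the original newsletter). It reproduces the two strings quoted above, generates a random password from the character classes the tip names, and compares its strength with the "name plus month" scheme; the figure of 1,000 candidate names is an assumption made for illustration.

```python
import math
import secrets
import string
from itertools import zip_longest

# Character classes a generator typically lets you choose from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "punct": string.punctuation,
}


def generate_password(length=16, classes=tuple(CLASSES)):
    """Random password with at least one character from each chosen class."""
    if not classes:
        raise ValueError("choose at least one character class")
    if length < len(classes):
        raise ValueError("length too short to include every chosen class")
    alphabet = "".join(CLASSES[name] for name in classes)
    # One guaranteed character per class, the rest from the whole alphabet.
    chars = [secrets.choice(CLASSES[name]) for name in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the OS random source so the guaranteed characters
    # do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def random_bits(length, classes=tuple(CLASSES)):
    """Upper bound, in bits, on the strength of a randomly generated password."""
    alphabet_size = sum(len(CLASSES[name]) for name in classes)
    return length * math.log2(alphabet_size)


def scheme_bits(candidate_names, variants=12):
    """Guessing work, in bits, for 'a name plus the current month'.

    candidate_names is an assumed count of names a guesser would try;
    variants is the twelve months.
    """
    return math.log2(candidate_names * variants)


def interleave(first, second):
    """Interleave two words letter by letter (the third tip)."""
    return "".join(a + b for a, b in zip_longest(first, second, fillvalue=""))


def initials(phrase):
    """First letter of each word of a phrase (the fourth tip)."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    print(interleave("louise", "PRYOR"))
    print(initials("to be or not to be that is the question"))
    print(generate_password(12))
    print(f"random, 12 chars, all classes: {random_bits(12):.1f} bits")
    print(f"name + month, 1,000 names assumed: {scheme_bits(1000):.1f} bits")
```

The bit count for the generated password only applies because every character is chosen at random; a password built from a well-known phrase or a name is far weaker than its length suggests.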

If you do have to write your passwords down, keep them in a safe
place (not in your desk drawer), and don’t make it obvious what
they are. An alternative is to keep them in a special application
on your PC or PDA, such as SplashId (www.splashdata.com, PalmOs
only) and eWallet (http://www.iliumsoft.com/site/ew/ewallet.htm,
PalmOs and PocketPC).

Remember, it’s to your advantage for other people not to know your
password. You don’t want their nefarious deeds blamed on you.

===============
3. FSA update

Earlier this month the FSA released a report entitled “Management
of credit risks within a trading environment – Review of market
practices 2003.” Don’t be put off by its title. Even if credit
risks in a trading environment are not your cup of tea it contains
some useful advice. For example, a large number of front
office and back office systems in many cases lead to a complex and
opaque IT infrastructure. The risks are obvious, and are
exacerbated by mergers between firms.

The report also notes that some important risk management functions
may be delegated by a UK-regulated subsidiary to a global function
located in head office. It points out that local management remains
accountable to the FSA for the outsourced functions, and that in
some cases it was not easy to extract the relevant credit limits
and exposures from the global systems.

The report is available at
http://www.fsa.gov.uk/pubs/other/credit_risk.pdf

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/6  Changing the FSA’s Complaints Scheme

Feedback published this month:
------------------------------

PS04/5  Financial Services Compensation Scheme management expenses
        levy limit and other funding issues – Feedback from CP209
        and made text
PS04/8  Regulatory reporting – a new integrated approach: Feedback
        on CP198 and made text
PS04/9  Reporting requirements for mortgage, insurance and
        investment firms, and audit requirements for insurance
        intermediaries – Feedback on CP197 and made text
PS04/10 Amendments to the Training and Competence sourcebook:
        Feedback on CP194
PS04/11 Implementation of the Distance Marketing Directive –
        Feedback on CP196 and made text
PS04/12 Implementation of the Insurance Mediation Directive for
        long-term insurance business – Feedback on CP201 and
        ‘near-final’ rules

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Fraud

KPMG have analysed 100 of the fraud cases that they have
investigated over the past two years. They conclude that fraud is
mostly committed by men, by senior managers, and in the finance
department. The study has some limitations: it ignores frauds that
have not been discovered, and the report doesn’t say how the 100
cases were chosen. Some of the results aren’t particularly
surprising. Most senior managers in the finance department are men,
and filing clerks just don’t have the same opportunities.

There are some interesting points that emerge. Only one in three
cases had a single perpetrator. Many frauds could have been
prevented by a stronger control environment. Very few of them were
detected by internal reviews; more were exposed by whistle-blowing.
In nearly 20% of cases no sanction was taken against the
fraudster. In nearly 70% of cases there was no publicity about the
fraud. It seems that many firms are more worried about their
reputations than about preventing further fraud. And we do have to
wonder how many frauds never come to light.

http://www.kpmg.co.uk/news/detail.cfm?pr=1941

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Mar 2004

News update 2004-03: March 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. What happened next
2. Believing your results
3. FSA update
4. Fit for purpose
5. Newsletter information

===============
1. What happened next

Back in January we heard that rogue traders had caused a loss of
A$360m at National Bank of Australia (NAB). At the time, it wasn’t
clear exactly what had gone wrong (see my January newsletter at
http://www.louisepryor.com/showNews.do?issue=040128). Much more is
known now that PWC have issued a report on the whole episode.

One of the contributory factors was a weakness in NAB’s
controls. The bank closed out its book for the previous day at
about 8am, but the process of checking transactions did not begin
until 9am. The traders could reverse the false transactions during
this one-hour period.

However, a more serious failing was the culture of “arrogance” at
the bank. Bad news was kept from the board and senior management,
while warnings from competitors and the regulator about unusual
transactions had met with an “aggressive” response from NAB. The
manager of the four rogue traders knew they had breached their
limits but failed to take action. The PWC report says that
irregularities started in 2001.

The four traders concerned have been dismissed, as has their
immediate manager (who was said to be “asleep at the wheel”). Three
more senior managers have also left the bank, including the head of
risk. They weren’t directly involved, “but it happened on their
watch”.

As NAB’s new CEO said, someone in management should have noticed
when a business unit budgeted to earn a profit of $37 million a
year claimed to have made $42 million in a day. If something seems
too good to be true, it probably is.

http://www.theage.com.au/articles/2004/03/12/1078594562304.html
http://www.smh.com.au/articles/2004/03/12/1078594564982.html

===============
2. Believing your results

Complex actuarial models are increasingly prevalent in both life
and general insurance companies. However, it is not enough simply
to have these models and use their results: you must also have
confidence in the results, and be able to justify your
confidence. The FSA’s emphasis on systems and controls and the
effects of Sarbanes-Oxley are making themselves felt.

So, do you believe the results of your models? And if so, why?
Unless you are trusting in blind faith, you should be relying on
the following:

– The model specifications are explicit and have been approved by
the relevant people. If you don’t know what your model is meant
to be doing, you can’t tell if it’s right.

– The model implementation has been thoroughly reviewed and tested
against the specification. Testing is bound to uncover errors,
which with any luck can be fixed, so you must also have a system
of change tracking and version control, so you can tell which
version of the model you are using.

– Garbage in, garbage out is a truism but none the less valid for
that. You should take as much care over the data and assumptions
that feed in to the model as you should over the model itself.
Again, some sort of version control is often necessary.

– Finally, you need to be able to trace any results back to the
actual version of the model, data and assumptions that were used
to produce them. The process of actually running the model must
have a good audit trail.
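
One way to get the traceability described in the last point, as an added example (not part of the original newsletter): a run manifest that records a SHA-256 hash of the model, data, assumptions and results files. The file roles, field names and function names are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path

# The four artefacts a result must be traceable to (roles are illustrative).
ROLES = ("model", "data", "assumptions", "results")


def sha256_file(path):
    """Hash a file in chunks so large workbooks need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_seal(body):
    """Hash of the manifest body in a canonical JSON form."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(paths, run_by, run_at):
    """Record exactly which files produced one set of results."""
    missing = [role for role in ROLES if role not in paths]
    if missing:
        raise ValueError("no file given for: " + ", ".join(missing))
    body = {
        "run_by": run_by,
        "run_at": run_at,
        "files": {
            role: {"name": Path(paths[role]).name,
                   "sha256": sha256_file(paths[role])}
            for role in ROLES
        },
    }
    # The seal catches accidental edits to the manifest. It does not stop
    # someone who can rewrite the manifest and recompute the seal, so store
    # manifests where the person running the model cannot alter them.
    return {**body, "seal": manifest_seal(body)}


def verify_manifest(manifest, paths):
    """Return what no longer matches: 'manifest' and/or file roles."""
    problems = []
    body = {key: value for key, value in manifest.items() if key != "seal"}
    if manifest_seal(body) != manifest.get("seal"):
        problems.append("manifest")
    for role in ROLES:
        if sha256_file(paths[role]) != body["files"][role]["sha256"]:
            problems.append(role)
    return problems
```

An empty list from `verify_manifest` means the files on disk are the ones the results were produced from; any role it returns has changed since the run.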

You should bear these issues in mind whatever the size and
complexity of the model concerned, though obviously the
sophistication of the processes you use will vary with the
significance of the results. And by model, I mean anything from a
single sheet spreadsheet through to a major piece of software.

If you’d like more information on this topic please let me know.

===============
3. FSA update

A few more CPs this month, but those FSA folk have been speaking a
lot! See http://www.fsa.gov.uk/pubs/speeches/index-2004.html for
some of the texts. The publication of the Penrose report and
realistic reporting for life insurance have been in the news a lot
recently, and not surprisingly a number of the speeches refer to
these issues.

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/3  Reforming Polarisation: A menu for being open with consumers
        – Including feedback on CP166
CP04/4  Mortgage firms and Insurance intermediaries: Funding of the
        Ombudsman and Compensation schemes
CP04/5  Miscellaneous amendments to the Handbook (No. 13)

Feedback published this month:
------------------------------

PS04/4  The FSA’s approach to implementing the Freedom of
        Information Act 2000 – Feedback to DP23 and our final
        publication scheme
PS04/6  Conflicts of interest in investment research – Feedback on
        CP205 and made Handbook text
PS04/7  The CIS sourcebook – A new approach – Feedback on CP185 and
        made text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Fit for purpose

Sometimes you’d think that special purpose software would be more
suitable than off the shelf. And sometimes it seems that good old
fashioned non electronic technology would be just the
job. Apparently the hotel at One Aldwych in London has a fancy
computer controlled toilet system. The system failed recently, and
whenever any of the guests wanted to use any bathroom facilities
(toilet or shower) they had to be escorted to the corporate
headquarters in the building next door. The failure lasted for a
couple of days. The control system was based on Windows.

http://catless.ncl.ac.uk/Risks/23.20.html#subj2.1

And sometimes the problem isn’t the technology, it’s the
people. There has recently been another explosion in the volume of
spam sent out by computer worms. Many worms rely on the user
opening a mail attachment to make them work. Surprisingly, even
after all the publicity, it appears that many people still click on
attachments that they aren’t expecting from people that they don’t
know. The newest worms try to get round anti-virus software by
zipping the attachment up and password protecting it. The user then
has to unzip it using the password supplied in the accompanying
mail message. Apparently there are enough people around who will go
to all that trouble to do the worm’s work for it.

I have often heard software developers say something along the
lines of “Surely no user would ever … ” do something incredibly
stupid. Good software designers and developers have learnt never to
underestimate the potential carelessness or lack of knowledge of
users. It’s Murphy’s law writ large.

Just to hammer the point home, this applies to spreadsheets too; if
it is possible for a user to misunderstand the purpose of a
parameter or to run a macro under the wrong circumstances, it is
bound to happen sooner or later. And yes, it will probably be
sooner.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Statistical functions in Excel 2003

There were errors in the implementations of some of the statistical functions in the Analysis ToolPak in Excel 2002 and earlier, which have been corrected in Excel 2003. This means that a workbook developed in an earlier version and recalculated in Excel 2003 may produce different results.

The article gives the impression that it is only in rare cases that the corrections will make any difference. That may be true, but it’s not very comforting for those people that they do affect. One of the errors concerns the calculation of the standard normal cumulative distribution function; the old implementation is basically wrong out in the tail. Another one comes up in functions that involve sums of squares: the old version is inaccurate if there are many significant digits in the data but very little difference in the values. I don’t find it hard to imagine either of those situations coming up in practice.

If you think your calculations are affected, you then have to decide whether to stick with the old version and go for consistency, or upgrade and cope with the differences.
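
The sums-of-squares problem described above, as an added example (not from the article or from Excel's code). It assumes the textbook one-pass formula as a stand-in for the "old version" and compares it with two stable alternatives on constructed data that has many significant digits but little spread.

```python
def var_one_pass(xs):
    """Sample variance from sum(x^2) - (sum x)^2 / n.

    Subtracts two huge, nearly equal numbers, so the digits that
    carry the answer are lost when the data are large and close together.
    """
    n = len(xs)
    total = sum(xs)
    total_sq = sum(x * x for x in xs)
    return (total_sq - total * total / n) / (n - 1)


def var_two_pass(xs):
    """Sample variance from deviations about the mean (stable)."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def var_welford(xs):
    """Single-pass running update (Welford's method), also stable."""
    mean = 0.0
    m2 = 0.0
    for count, x in enumerate(xs, start=1):
        delta = x - mean
        mean += delta / count
        m2 += delta * (x - mean)
    return m2 / (len(xs) - 1)


def disagreement(xs):
    """Relative gap between the one-pass and two-pass results.

    A value near zero means the data are not sensitive to the choice
    of formula; a large value marks a range whose results may change
    when the calculation method changes.
    """
    stable = var_two_pass(xs)
    gap = abs(var_one_pass(xs) - stable)
    return gap if stable == 0 else gap / abs(stable)


# Constructed data: the same four values, plain and shifted by 1e9.
SMALL = [4.0, 7.0, 13.0, 16.0]
SHIFTED = [1e9 + x for x in SMALL]

if __name__ == "__main__":
    for name, data in (("small", SMALL), ("shifted", SHIFTED)):
        print(name,
              var_one_pass(data),
              var_two_pass(data),
              var_welford(data),
              disagreement(data))
```

Shifting every value by the same amount cannot change the true variance, which is 30 for both data sets, so any difference between the two rows is numerical error in the one-pass formula.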

RAND() in Excel 2003

It appears that a bug crept into the final release of Excel 2003 that wasn’t present in the betas. The RAND() function in Excel 2003 was apparently upgraded so that it produced a better distribution of pseudo-random numbers between 0 and 1. The trouble is that the numbers it produces may be more random, but aren’t always in the correct range; sometimes they are negative. The problem affects both the RAND() and RANDBETWEEN() functions.

Microsoft have now (January 2004) released a hotfix (their term, not mine) that they claim fixes the problem. They also claim that it fixes several other problems, a number of which they had not previously mentioned. Some of these problems cause Excel to quit unexpectedly; at least it’s obvious to the user when this happens (although you may lose your work). Others are more subtle:

  • Sometimes the cells in a range are not actually updated when the range is recalculated.
  • When you use a VBA macro to calculate your worksheet, a custom function from a different worksheet may appear to run.
  • When you create multilevel subtotals for your data in an Excel 2003 worksheet, the totals may appear staggered incorrectly, and may exclude grand totals for some functions.

The hotfix is not downloadable. You have to contact Microsoft and convince them that you need it. Also, the installation process includes editing the registry by hand.

Newsletter Feb 2004

News update 2004-02: February 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. $1.6 billion loss
2. Events
3. Bugs
5. FSA update
6. Pirates ahoy!
7. Newsletter information

===============
1. $1.6 billion loss

In May 1995 Carolyn Whittaker of Alabama took out a life insurance
policy for $25,000 with Southwestern Life through insurance agent
James Perry. The premiums were $50 a month. The policy lapsed in
October 1996, but Perry continued to collect the premiums until
December 2001, when he suggested that she let the policy lapse.
Whittaker was suspicious and contacted Southwestern, who told her
that her policy had expired in 1996. Whittaker sued.

She sued Southwestern as well as Perry, claiming that Southwestern
should have known that Perry was dodgy (I paraphrase slightly; he
had a prior verdict against him of $5 million for the same
conduct). She was awarded $10 million in compensatory damages and
$800 million in punitive damages from each party, making a total of
over $1.6 billion. Note that her actual loss was presumably between
$3100 (the premiums she was defrauded of) and $25,000 (the value of
the policy).

Southwestern, which is now owned by Swiss Re, plans to appeal.
Apparently under Alabama law punitive damages are limited to three
times compensatory damages, which would bring the total loss down
to $40 million each for Southwestern and Perry.

However, even a $40 million operational loss falls into the high
impact bucket. And however much is eventually awarded, the legal
costs are hardly likely to be insignificant. How would you have
assessed the risk of not vetting your intermediaries properly?

http://www.businessinsurance.com/cgi-bin/news.pl?newsId=3454

===============
2. Events

The actuarial profession is holding a seminar on Financial Risk on
23rd March. Details are available at
http://www.actuaries.org.uk/files/pdf/cpd/finrisk2004.pdf. It looks
as if it will be an interesting day, with a good line up of
speakers, and certainly not over actuarial in nature.

On 22nd March a paper on “Quantifying operational risk for general
insurance companies” will be presented at a Sessional Meeting of
the Institute of Actuaries
(http://www.actuaries.org.uk/files/pdf/sessional/sm20040322_notice.pdf).
I can whole-heartedly recommend this excellent paper, as I am one
of the co-authors. Much of the paper is applicable to operational
risk in general, rather than being specific to any sort of
insurance company. It will be available at
http://www.actuaries.org.uk/files/pdf/sessional/sm20040322.pdf from
early March.

===============
3. Bugs

Remember those power outages in the US last August? Guess what! A
software bug helped to cause them. It turned out there was a
previously unknown bug in an energy management system supplied by
General Electric. “It had never evidenced itself until that day,”
said spokesman Ralph DiNicola. “This fault was so deeply embedded,
it took them weeks of poring through millions of lines of code and
data to find it.”

The bug was triggered by a unique combination of events and
alarm conditions on the equipment it was monitoring, DiNicola
said. When a backup server kicked in, it also failed, unable to
handle the accumulation of unprocessed events that had queued up
since the main system’s failure. Because the system failed
silently, the operators were unaware for over an hour that they
were looking at outdated information on the status of their portion
of the power grid.

You may remember that in March 2003 there was a series of system
failures at Danske Bank, some of which were caused by a hitherto
unknown bug in the DB2 database software – see my April 2003
newsletter at http://www.louisepryor.com/showNews.do?issue=030422;
the relevant item is entitled “Troubles come in threes (or more)”.

Both incidents involved bugs that had not been discovered in the
presumably thorough testing performed by the vendors, or in the
years of use in many installations. To me, the lesson here is that
you can never assume that there are no bugs. Just think of all the
bugs in Excel (see the last couple of newsletters for details). It
would be a big mistake to believe that any software that you write,
including spreadsheets or models developed with specialist
packages, can buck the trend. Performing more testing is never
pointless (although it may not be cost-effective).

http://www.securityfocus.com/news/8016

===============
4. FSA update

This is the first time since this newsletter started that there
have been no new consultation papers between issues. Admittedly,
that’s only just over a year, but it really does seem as if the
flow is drying up. This probably shouldn’t surprise us, as there
have been so many issued on so many topics that they must have
covered a large part of the possible ground. It looks as if the
start up phase is finally coming to an end.

New consultation and discussion papers out this month:
------------------------------------------------------

None

Feedback published this month:
------------------------------

CP188 PS04/3: Clarification and revision of Financial Promotion
Rules and Guidance – Feedback on CP188

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Pirates ahoy!

Are you using unlicensed software? Maybe an evaluation copy that
you have never bothered to register? Or using more copies than you
have paid for? If so, you could be in big trouble if FAST, the
Federation Against Software Theft, have their way
(http://www.fast.org.uk/). They have recently announced that they
will use criminal proceedings to crack down on organisations
misusing software. Up to now they have tended to use civil
proceedings. Geoff Webster, CEO, said “The message to company
directors is clear – check your software licenses! Until then you
cannot be 100% certain that you’re not acting illegally and on the
way to receiving a criminal record. Software publishers who are
members of The Federation will not tolerate anyone making illegal
use of software.”

Meanwhile, the Business Software Alliance (http://www.bsa.org/uk/)
say that organisations from within the IT sector are the biggest
offenders. This is not surprising when you realise that they
probably use more software than organisations in other industries,
but on the other hand you’d think that they’d be more conscious of
the issue. After all, they’re the ones that lose out.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

----------------------------------------------------------------------
The next concert of the Edinburgh Bach Choir will be in Greyfriars
Kirk, Edinburgh, on Saturday 20th March at 7:30 pm. The programme
includes: Vittoria Mass O Quam Gloriosum est Regnum – Tavener Two
Hymns to the Mother of God – Britten Hymn to St Cecilia – Bruckner
Four Motets – Bach Jesu, Meine Freude. Details at
http://www.bigfoot.com/~edinburghbachchoir. Tickets from the Usher
Hall, Queen’s Hall, Assembly Rooms, or members of the Choir.
----------------------------------------------------------------------

Newsletter Jan 2004

News update 2004-01: January 2004
===================


In this issue:
1. NABbed?
2. Random problems in Excel 2003
3. FSA update
4. Worms and more
5. Newsletter information

===============
1. NABbed?

Those rogue traders have been at it again. The National Bank of
Australia has discovered that four of them had managed to conceal
unauthorised trades over a period of three months. The latest
estimate of the losses is A$360m. The rogue traders had been using
currency options to bet that Australian and NZ dollars would fall
against US dollars. When this failed to happen, they apparently
tried (and for some time succeeded) to slip extra trades past
management in order to cover their losses.

The problem was discovered by a whistle blowing colleague, rather
than by the bank’s systems. The general manager of group corporate
affairs said “The systems were in place to detect trades that had
gone wrong on all the trades that were properly reported. But in
this instance, the trades were unauthorised and not properly
recorded and that’s why they weren’t picked up in the first
instance by the systems.”

Meanwhile, one of the traders concerned has claimed that in fact
the bank had authorised a breach of risk limits.

Some obvious points and a few questions:

– Fraudsters, as well as the merely incompetent, will always report
their trades (or other transactions) correctly. Yeah, right. A
system that only detects problems with properly reported trades
is not going to catch all the problems.

– It’s not necessarily a failure that the problem was detected by a
whistle blower. At least it *was* detected, rather than running
for a longer period.

– Is the reward structure wrong? It’s all very well paying for
profits, but most traders are going to get it wrong sometimes.
The carrot and stick have to be in balance and allow for the
realities of life.

– We don’t actually hear of that many rogue traders. Is this
because they are few and far between, or because they are seldom
caught?

– It should be impossible for there to be any doubt about whether
the trades were in fact authorised.

– The more complex the operation, the higher the operational
risk. Some derivatives (the problem trades were currency options)
are very complex and are correspondingly more difficult to
monitor.

The complexity issue is important. Take Parmalat; admittedly the
owners and management committed the fraud, rather than having it
committed against them, but the principle remains. Where are the
complex areas in your business? Reinsurance, perhaps, or project
financing. Would it be possible for a determined person to pull the
wool over your eyes in those areas?

http://news.bbc.co.uk/1/hi/business/3432605.stm
FT coverage at http://tinyurl.com/23m63
(I like the FT site but their URLs are just ridiculous!)

===============
2. Random problems in Excel 2003

Last month I mentioned that the RAND function doesn’t work in Excel
2003. It’s meant to return a random number between 0 and 1, but in
fact it sometimes returns negative numbers.

Microsoft have now released a hotfix (their term, not mine) that
they claim fixes the problem. They also claim that it fixes several
other problems, a number of which they had not previously
mentioned. Some of these problems cause Excel to quit unexpectedly;
at least it’s obvious to the user when this happens (although you
may lose your work). Others are more subtle.

– Sometimes the cells in a range are not actually updated when the
range is recalculated.

– When you use a VBA macro to calculate your worksheet, a custom
function from a different worksheet may appear to run.

– When you create multilevel subtotals for your data in an Excel
2003 worksheet, the totals may appear staggered incorrectly, and
may exclude grand totals for some functions.

There is no indication in these cases that anything is awry. If you
use Excel 2003, your spreadsheets may not show the correct
results.

The hotfix is not downloadable. You have to contact Microsoft and
convince them that you need it. Also, the installation process
includes editing the registry by hand.

We are expecting the first proper patch to Office 2003 in late June
2003. Meanwhile, Excel 2003 has bugs and is still being touted as
having an improved random number generator.

http://support.microsoft.com/default.aspx?scid=kb;en-us;833618

===============
3. FSA update

There’s been a change in the numbering system for consultation
papers and policy statements. The numbers now include the year, and
policy statements get their own numbers (so the feedback to CP193
is PS04/2, rather than PS193).

The FSA have released the Financial Risk Outlook 2004 at
http://www.fsa.gov.uk/pubs/plan/fro_2004/index.html. It provides a
good indication of what the FSA think their priorities will be over
the next year (though obviously things might change during the
year; “Events, dear boy, events” as Macmillan so eloquently put
it). The short to medium term risks that are singled out are:

– Financial decisions are being taken by consumers on the basis of
inadequate understanding

– Corporate sector credit risks for firms have moderated, but UK
household sector credit quality could deteriorate

– The life insurance industry faces continued challenges

– Firms will have to deal with a wave of legal, accounting and
regulatory reforms

– The terrorist threat remains high

– The impact of financial crime may still be under-estimated

In the longer term, the FSA mentions the following issues:

– Consumers are having to take ever greater responsibility for
planning their financial affairs

– Consumers have responded to low interest rates by borrowing more

– Demographic change is likely to add to the pressures on both
public and private finances

– The influence of the European Union on the financial sector is
steadily growing

New consultation and discussion papers out this month:
------------------------------------------------------

CP208 Consultation on funding the Financial Ombudsman Service
2004/2005
CP209 Financial Services Compensation Scheme management expenses
levy limit and other funding issues
CP04/1 Miscellaneous amendments to the Handbook (No. 12)
CP04/2 Fees and fees policy 2004/05

DP25 Development of transaction monitoring systems
DP26 Developing our policy on fraud and dishonesty

Feedback published this month:
------------------------------

CP133 Access to criminal records
CP183 Standardising past performance
CP187 Insurance selling and administration & other miscellaneous
amendments
CP191 The prohibition of insurance against financial penalties
imposed by the FSA
CP192 Further consultation on fees for mortgage firms and insurance
intermediaries
CP193 Professional Indemnity Insurance for personal investment
firms

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Worms and more

So there’s another worm on the rampage. I know this because (a) all
the techie newsletters I get have told me (b) my virus software has
found half a dozen copies of it in email and (c) I am getting a lot
of bounce messages. Either this worm or another one or just an
ordinary s p a m m e r is spoofing the from addresses so that
emails appear to come from a domain that I own. So
postmaster@yourdomain.com sends an automatic message to
nonexistent.person@mydomain.com to say that the message that was
sent to whoever@yourdomain.com couldn’t be delivered because there
is no such person. In July last year the proportion of total email
that was spam passed the 50% mark and we are now up to about 58%
(see http://www.brightmail.com/spamstats.html). And this is without
counting all the extra mail generated by bounce messages. I’m not
sure it includes worm related traffic, either.

On a more cheerful note (at least *I* think it’s more cheerful),
version 1.10 of XLSior is now available (http://www.xlsior.com).
Just in case it escaped your notice, XLSior is an Excel add-in that
supports best practice in spreadsheet development – and saves you
time. Let me know if you’d like further information or a
demonstration.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Fannie Mae $1.2bn honest mistake

In October 2003, about 2 weeks after releasing their third quarter earnings figures, Fannie Mae had to restate their unrealised gains by $1.2 billion. This was apparently the result of “honest mistakes made in a spreadsheet used in the implementation of a new accounting standard.” Honest mistake or not, $1.2 billion is a lot of money: more than the $70 million of Provident Financial in March, or the $24 million lost by TransAlta in June. It’s reasonably common to see errors of half a million or so, but they don’t usually make the headlines.

Apparently Fannie Mae picked up the error as part of the normal processes of preparing their financial statements for filing. Presumably they failed to pick it up as part of their review process before issuing the earnings statement. They claim that the event demonstrates that their accounting processes and controls work as they should.

Better late than never, I suppose, but I can’t help thinking that their processes and controls should have picked up the problem at an earlier stage. We don’t know whether the mistake was in the model or the implementation (ie, whether they had understood the accounting standard correctly but had made a mistake in the implementation of that understanding, or whether they had misunderstood the new accounting standard). It’s entirely possible that their reviewing processes don’t separate the two issues, thus making it harder to find either kind of mistake.

Let me know if you’d like any of your spreadsheets reviewed, or if you are not sure that your processes and controls are as effective as Fannie Mae’s. Fannie Mae apparently continue to be proud of theirs, so self-confidence isn’t necessarily a foolproof guide.

Newsletter Dec 2003

News update 2003-12: December 2003
===================


In this issue:
1. Human error causes loss
2. Random problem in Excel 2003
3. FSA update
4. Seasonal risks
5. Newsletter information

----------------------------------------------------------------------
Apologies if you didn’t receive last month’s newsletter; it was
filtered out as spam by some hosts, because it contained a four
letter word (pointless pen without alternative provides salacious
entertainment). The full uncensored version is available at
http://www.louisepryor.com/newsArchive.do.
----------------------------------------------------------------------

===============
1. Human error causes loss

Last week two travel companies announced their results. First
Choice achieved a record profit of 47.8m pounds on 2.26bn pounds
turnover. MyTravel achieved a loss of 911m pounds on 4.2bn pounds
turnover. Quite a difference. A number of reasons were given by
MyTravel, but the biggest problem appears to have been that they
got their pricing wrong, so they were selling holidays at a
loss. The operating loss (before exceptional items) was 358m, much
of which can presumably be put down as an operational loss (in risk
management terms).

The large operational losses that reach the newspapers are usually
due to causes such as fraud or a rogue trader. It’s not often that
we see such large losses that are, in the words of Peter McHugh,
MyTravel’s chief executive, due to “human error.” He went on to
say:

“The idea was that we should become more efficient, and people
decided – properly I guess – that in order to do that we needed
to upgrade the technology so we could add accounting and other
things.

“Other than being old, the old systems worked fine. The new
systems were supposed to make things better but, when you do a
major upgrade, the systems need to talk to one another and have
interfaces and, as the new system was implemented, they turned
off the old system and lost the interface between them.

“The execution was poor and a lot of management information
that we used to get disappeared. We went through a period in
2002 when we had less information than we used to have.”

In summary, they thought that a new IT system would change their
lives for the better. When it was deployed, they found that it did
not replace the full functionality of the old system. They were
missing information that had previously been available, and that
was used in their pricing models. This made them get their prices
wrong. Ouch.

This story illustrates some well known truisms.

First, change is risky. It really is one of the major sources of
risk. People say this often, and they are right.

Second, no IT system is a silver bullet. One of the seminal essays
in software engineering is one by Fred Brooks, in his classic
collection “The mythical man-month.” The essay is entitled “No
silver bullet – essence and accident in software engineering” and
its summary reads: “There is no single development, in either
technology or management technique, which by itself promises even
one order-of-magnitude improvement within a decade in productivity,
in reliability, in simplicity.” Like many of his essays, the
overall message is not limited to software engineering.

Third, garbage in, garbage out (GIGO). If you haven’t got good
information going in to a model, you are most unlikely to get good
results out however much effort you put in. The most elaborate
algorithms can’t entirely compensate for poor or missing data.

Fourth, an IT system doesn’t exist in isolation. It has to connect
to other systems, and be used by people. These interfaces are often
more complex than is realised.

Finally, we can’t put all the blame on the specific IT system
involved in this mess. It was a new central reservations system,
the same system that First Choice uses.

===============
2. Random problem in Excel 2003

Don’t use Excel 2003 if you use the RAND() or RANDBETWEEN()
functions in your spreadsheets. It appears that a bug crept into
the final release that wasn’t present in the betas. RAND() was
apparently upgraded so that it produced a better distribution of
pseudo-random numbers between 0 and 1. The trouble is that the
numbers it produces may be more random, but aren’t always in the
correct range. Oops!

There has been some discussion of this on various mailing lists and
newsgroups. Apparently the problem is reasonably easy to replicate
if you have Office 2003 (I don’t, so I can’t confirm this).
Microsoft has not yet acknowledged that there is a problem, let
alone done anything to solve it.

Many people who use Excel don’t use the built-in statistical and
random number functions anyway, as in the past they have been
inaccurate in some circumstances (see my November newsletter for
some discussion of this). The more sophisticated users take their
statistical functions from other sources, or write their own. It
seems that they are right to do so.

The original reports of the bug came from Woody’s Watch at
http://www.woodyswatch.com/office2003/

===============
3. FSA update

Admittedly it’s less than a month since my last newsletter, but the
number of new consultation papers and feedback papers is still very
low. On the other hand, there have been a lot of Dear CEO letters,
final notices and speeches.

Among the latter was a speech by David Strachan emphasising that
capital adequacy is not a substitute for effective risk management
(http://www.fsa.gov.uk/pubs/speeches/sp163.html). He was talking
about insurance companies, but the point is valid across the whole
of the financial services sector (and indeed beyond).

New consultation and discussion papers out this month:
------------------------------------------------------

CP207 Treating with-profits policyholders fairly

DP25 Development of transaction monitoring systems
DP26 Developing our policy on fraud and dishonesty

Feedback published this month:
------------------------------

CP155 Tier 1 capital for banks: Update to IPRU(BANK)

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Seasonal risks

If you’re planning to go down any chimneys this month, make sure
you’ve done the appropriate contingency planning. Is your model of
the relative circumferences of you and the chimneys using up to
date inputs? Is the assumption of cylindricality appropriate? You
also have to consider what you would do in the event of a transport
failure (Rudolph may get breathalysed and done for being drunk in
harness). Global warming may affect your speed of delivery, as the
sleigh runs slower on sludge than snow. Your processes are
important too. I wouldn’t recommend either wrapping all the
presents before labelling any of them, for example, or labelling
any of them before wrapping. All in all, an operation full of
operational risk.

Even I couldn’t work in a reference to how important it is to test
your spreadsheets and financial models in the rest of the
newsletter, so I’m doing it here. XLSior, the Excel add-in I have
developed that provides automated testing, documentation and more,
now has a new pricing structure: see www.xlsior.com for
details. There have been several releases over the last couple of
months to fix bugs and provide better functionality. Another one is
due towards the end of this month; it will include the ability to
use passwords when using XLSior to protect and unprotect multiple
sheets.

Have a very happy Christmas, and all the best in 2004.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Nov 2003

News update 2003-11: November 2003
===================


In this issue:
1. $1.2 billion was an honest mistake
2. Updating software
3. FSA update
4. I just can’t do it…
5. Newsletter information

===============
1. $1.2 billion was an honest mistake

About 2 weeks after releasing their third quarter earnings figures,
Fannie Mae had to restate their unrealised gains by $1.2
billion. This was apparently the result of “honest mistakes made in
a spreadsheet used in the implementation of a new accounting
standard.” Honest mistake or not, $1.2 billion is a lot of money:
more than the $70 million of Provident Financial in March, or the
$24 million lost by TransAlta in June (see the relevant issues of
my newsletter for details). It’s reasonably common to see errors of
half a million or so, but they don’t usually make the headlines.

Apparently Fannie Mae picked up the error as part of the normal
processes of preparing their financial statements for
filing. Presumably they failed to pick it up as part of their
review process before issuing the earnings statement. They claim
that the event demonstrates that their accounting processes and
controls work as they should.

Better late than never, I suppose, but I can’t help thinking that
their processes and controls should have picked up the problem at
an earlier stage. We don’t know whether the mistake was in the model or
the implementation (ie, whether they had understood the accounting
standard correctly but had made a mistake in the implementation of
that understanding, or whether they had misunderstood the
new accounting standard). It’s entirely possible that their
reviewing processes don’t separate the two issues, thus making it
harder to find either kind of mistake.

Let me know if you’d like any of your spreadsheets reviewed, or if
you are not sure that your processes and controls are as effective
as Fannie Mae’s. Fannie Mae apparently continue to be proud of
theirs, so self-confidence isn’t necessarily a foolproof guide.

A statement from Fannie Mae is at
http://www.fanniemae.com/ir/issues/financial/103003.jhtml

===============
2. Updating software

It’s out! The eagerly awaited (by some) Microsoft Office 2003 has
been released, and still in the year of its name, too. And the
first patch, as well. Given that there are many people out
there still using Office 97, we have to wonder how many will
upgrade. There aren’t huge improvements to the basic Word and Excel
capabilities, and most users don’t even know about half the
functionality that’s there in the older versions anyway.

As I’ve pointed out before, having so many different versions
around can create compatibility problems. It’s not so bad within a
single organisation, where you can hope that IT are on top of the
problem and enforcing uniformity, but one of the claimed advantages
of Office is that it’s a de facto standard. The problem is that
there are just enough new useful features in each version to create
problems when the files are read by older versions (eg, some
animations in PowerPoint don’t work so your presentation looks odd;
VBA, the macro language, changed a lot between 97 and 2000).

Some Excel users will face more serious problems when upgrading to
Office 2003. There were errors in the implementations of some of
the statistical functions in the Analysis ToolPak in Excel 2002 and
earlier, which have been corrected in Excel 2003. This means that a
workbook developed in an earlier version and recalculated in Excel
2003 may produce different results. The differences are described
in Microsoft Knowledge Base Article 828888 at
http://support.microsoft.com/default.aspx?kbid=828888.

The article gives the impression that it is only in rare cases that
the corrections will make any difference. That may be true, but
it’s not very comforting for those people that they do affect. One
of the errors concerns the calculation of the standard normal
cumulative distribution function; the old implementation is
basically wrong out in the tail. Another one comes up in functions
that involve sums of squares: the old version is inaccurate if
there are many significant digits in the data but very little
difference in the values. I don’t find it hard to imagine either of
those situations coming up in practice.

If you think your calculations are affected, you then have to
decide whether to stick with the old version and go for
consistency, or upgrade and cope with the differences.
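
The sums-of-squares problem described above can be reproduced outside Excel. The following is an added example, not code from this newsletter or from Microsoft: it assumes the textbook one-pass formula as a stand-in for the older behaviour, and all function names and sample data are constructed for illustration. It also shows a simple before/after comparison of the kind you would want when deciding whether an upgrade changes your results.

```python
"""Added illustration: loss of accuracy in a one-pass sum of squares when
the data has many significant digits but very little spread."""
import math


def devsq_one_pass(values):
    """Sum of squared deviations as sum(x^2) - (sum x)^2 / n.

    Assumption: this one-pass formula stands in for the 'old' behaviour.
    It subtracts two huge, nearly equal numbers, so the small true answer
    is lost in rounding.
    """
    n = 0
    total = 0.0
    total_sq = 0.0
    for x in values:
        n += 1
        total += x
        total_sq += x * x
    return total_sq - (total * total) / n


def devsq_two_pass(values):
    """First pass finds the mean, second pass sums squared deviations."""
    values = list(values)
    mean = math.fsum(values) / len(values)
    return math.fsum((x - mean) ** 2 for x in values)


def devsq_welford(values):
    """Single-pass but stable: update the running mean and deviations."""
    n = 0
    mean = 0.0
    m2 = 0.0
    for x in values:
        n += 1
        delta = x - mean
        mean += delta / n
        m2 += delta * (x - mean)
    return m2


def upgrade_regressions(datasets, old_fn, new_fn, rel_tol=1e-9):
    """Return {name: (old, new)} for datasets whose results differ.

    This is the check to run over your own inputs before choosing between
    consistency with old results and the corrected calculation.
    """
    changed = {}
    for name, values in datasets.items():
        old, new = old_fn(values), new_fn(values)
        scale = max(abs(old), abs(new), 1e-300)
        if abs(old - new) / scale > rel_tol:
            changed[name] = (old, new)
    return changed


# Constructed sample data. Both sets have the same spread (true answer 10),
# but the second carries eleven significant digits per value.
SAMPLE_DATASETS = {
    "small_values": [1.0, 2.0, 3.0, 4.0, 5.0],
    "large_offset": [
        10_000_000_001.0,
        10_000_000_002.0,
        10_000_000_003.0,
        10_000_000_004.0,
        10_000_000_005.0,
    ],
}


if __name__ == "__main__":
    for name, values in SAMPLE_DATASETS.items():
        print(name,
              "one-pass:", devsq_one_pass(values),
              "two-pass:", devsq_two_pass(values),
              "welford:", devsq_welford(values))
    print("changed by upgrade:",
          sorted(upgrade_regressions(SAMPLE_DATASETS,
                                     devsq_one_pass, devsq_two_pass)))
```

On everyday data the two calculations agree exactly, which is why this kind of error can sit unnoticed for years; only the second data set is flagged.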

XLSior would be the ideal tool for checking the results either
before or after an upgrade. (Apologies for the slightly strained
link: see www.xlsior.com for details of automated testing in
Excel).

===============
3. FSA update

The first edition of a new newsletter, Insurance Matters, billed as
being on General Insurance Issues, appeared this month. It’s
available at http://www.fsa.gov.uk/pubs/other/im_newsletter1.pdf.
It should be compulsory reading for anyone involved in regulatory
matters in a general insurance company, or in a firm that has any
of the activities soon to come under the FSA’s umbrella: mortgage
lending, administration and sales advice; the sale and marketing of
long term care insurance; and the sale and administration of general
insurance policies.

The near-final text on prudential risks systems and controls was
issued at the end of October: it’s at
http://www.fsa.gov.uk/pubs/policy/ps_pru/index.html. The text is
the result of the following consultation papers and their feedback:
CP97 (Integrated Prudential Sourcebook), CP128 (Liquidity risk) and
CP142 (Operational risk). This text is expected to come into force
no later than 31 December 2004. It’s not quite complete yet, as it
doesn’t contain the chapter on group risk, which is still being
consulted on in CP204 (Financial groups).

New consultation and discussion papers out this month:
------------------------------------------------------

CP205 Conflicts of interest: Investment research and issues of
securities
CP206 Miscellaneous amendments to the Handbook (No. 11)

DP24 Liquidity risk in the Integrated Prudential sourcebook: a
quantitative framework

Feedback published this month:
------------------------------

CP171 Conflicts of Interest: Investment Research and Issues of
Securities
CP186 Mortgage regulation: Draft conduct of business rules and
feedback on CP146

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. I just can’t do it…

Is missing a penalty kick an operational risk? Am I missing out on
a really good analogy for risk management here? There was a
distinct lack of ecstasy on the streets of Edinburgh on Saturday,
when the English at last failed to snatch defeat from the jaws of
victory. The national press, based in London, thought that the
victory was wonderful. The national press, based elsewhere, were a
bit more circumspect – see “You might think it’s all over, but for
many the nightmare has just begun” at
http://www.scotlandonsunday.com/scotland.cfm?id=1292532003

Meanwhile I can’t help pointing out a couple of the weirder
operational risk related stories in the press recently.

“A German man fired for running up a euro 10,000 bill surfing porn
at work claims he was treated unfairly because his employers failed
to take into account his addiction to Net porn before giving him
the boot.” at http://www.theregister.co.uk/content/6/34075.html.

“Camera phones represent a significant liability or security risk
to business” says Jack Gold of the META group as reported at
http://www.out-law.com/php/page.php?page_id=banningcameraphone1067428194.
He encourages employers to ban them, which may be a slightly
paranoid measure to take.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

----------------------------------------------------------------------
If you’re in or near Edinburgh you shouldn’t miss the forthcoming
performance of Mahler’s 8th Symphony, the “Symphony of a Thousand”, at
the Usher Hall on Sunday 30th November. It should be quite an
experience: Edinburgh Bach Choir, Edinburgh Royal Choral Union,
Jubilo, Edinburgh Youth Choir, and Sinfonia are joining forces for the
occasion. There won’t be 1000 of us, but there’ll be quite a few!

Tickets from the Usher Hall, 0131 228 1155
----------------------------------------------------------------------