
Newsletter Oct 2003

News update 2003-10: October 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. XLSior
2. Reputations
3. FSA update
4. Storm damage
5. Newsletter information

———————————————————————
There’s a seminar on the risks of ignoring operational risk on
Thursday 27th November. Speakers are from RSA, HBOS, the BBA and
Unilever, and it’s chaired by John Sinclair, an actuary with many
years executive experience as former Group Executive Director, GRE.
As the blurb says: Operational Risk affects us all, not just
bankers. It’s vital to the management of risk and capital in the
businesses of Asset Managers, Life and General Insurers, Pensions Fund
management and Financial Services. For those thinking beyond the
minimum regulatory requirements, this morning’s seminar will provide
insight into current best practice and opportunities for implementing
improvements. Details are at
http://www.actuaries.org.uk/files/pdf/cpd/operationalrisk20031127.pdf
———————————————————————

===============
1. XLSior

I’ve just released XLSior, an Excel add-in that helps you develop
and test your spreadsheets, with automated testing, automated
documentation, easier manual documentation, sheet handling tools,
version control and auditable imports from other workbooks.
Essentially, it’s a tool that makes it much easier to do things the
right way, and should help cut the error rates in spreadsheets
at the same time as improving productivity.

One of the beta testers said “It’s a great system. It makes Excel
into a proper development tool; the automatic testing on save
feature is brilliant.”

Although there are a number of add-ins for spreadsheet auditing, to
my knowledge XLSior is the first to address the spreadsheet
development process. It’s described at http://www.xlsior.com. Let
me know (by replying to this email) if you’d like a demonstration.

===============
2. Reputations

There are often arguments in operational risk circles about whether
reputational risk is part of operational risk or not. Here are
three recent stories.

SunnComm developed a copy protection mechanism for CDs. A graduate
student at Princeton discovered that it could be bypassed by
keeping the shift key depressed when loading the CD. SunnComm
threatened to sue him under the Digital Millennium Copyright Act
(DMCA), and claimed he had damaged the company’s reputation by
publishing his results (the market value had dropped by more than
£10 million). There was a lot of publicity about this, and SunnComm
soon withdrew their threat. Undoubtedly SunnComm made a bad
situation worse through their handling of it. See
http://theregister.co.uk/content/6/33340.html for more details.

Barclays chief executive Matthew Barrett made the headlines when he
told a Commons select committee that he advised his children not to
borrow on credit cards because it was too expensive. The press
compared his admission to the famous episode in which Gerald Ratner
described the goods sold in his High Street shops as “crap”, and
his company’s value fell by £500 million. However, so far the
fallout for Barclays seems to have been minimal, possibly because
Barrett was only agreeing with what the financial press has been
saying for years. Also, Barclays is by no means the worst offender
when it comes to interest rates on credit cards. More details at
http://money.guardian.co.uk/news_/story/0,1456,1064581,00.html
http://news.bbc.co.uk/1/hi/business/3199822.stm

My household has received several emails from banks recently,
claiming that they want to verify our email address. We are asked
to visit a web page and enter our user name and password. We have
not rushed to do this for a number of reasons, one of which is that
we don’t have accounts with the banks in question. However, our
main reason is that the emails don’t actually come from the banks;
they are known as phishing emails and are used to dupe users out of
confidential information that can then be used to commit fraud.

The risks to consumers are obvious: what about the risks to the
banks? Well, phishing almost certainly affects consumers’
confidence in internet banking; if they don’t understand what is
happening, they will have a fairly low opinion of a bank that
thinks they are a customer when they are not; and they may even
lose business. Halifax has recently closed its online banking
facility as a direct result of the phishing emails. Other banks and
building societies who have been targeted include NatWest,
Barclays, Lloyds TSB and Nationwide. See
http://news.bbc.co.uk/1/hi/business/3214751.stm.

We can summarise the risk implications of the three stories as
follows. SunnComm suffered an operational loss due to bad handling
of reputational issues. Barclays was subject to the risk, but no
loss was suffered. Banks are subject to an operational risk (due to
external causes) which may or may not be connected with their
reputations.

===============
3. FSA update

The steady stream of consultation papers continues, although we
have been assured by John Tiner that there will be fewer in the
future.

To me, one of the most interesting documents published recently is
not a consultation paper at all. “Review of UK insurers’ risk
management practices” is available at
http://www.fsa.gov.uk/pubs/other/review_ins_risk.pdf. It is based
on a survey of 39 firms, broadly representative of the whole
industry but excluding bancassurers and the Lloyd’s market. The
state of risk management in the insurance industry is evidently a
bit of a curate’s egg: not all bad. Progress is being made, but
there are definite areas of concern, especially that risk
management systems are regarded as a compliance requirement, rather
than core business processes.

Many of the points made are consistent with those in “Building a
framework for operational risk management: the FSA’s observations”
which was published in July and is available at
http://www.fsa.gov.uk/pubs/policy/ps142_2/index.html. They are also
backed up by the admittedly less thorough survey that was conducted
by this year’s GIRO working party on operational risk, whose report
is now available at
http://www.louisepryor.com/show.do?page=articles.

New consultation and discussion papers out this month:
—————————————————–

CP200 Regulation of long-term care insurance
CP201 Implementation of the Insurance Mediation Directive for
long-term insurance business
CP202 Insurance regulatory reporting: changes to the publicly
available annual return for insurers
CP203 Review of the listing regime
CP204 Financial groups

DP23 The FSA’s approach to implementing the Freedom of Information
Act 2000

Feedback published this month:
—————————–

CP173 Amendments to the Interim Prudential sourcebook for
Investment Businesses chapter 5 rules on consolidated
supervision
CP177 Lloyd’s policyholders: Review of compensation arrangements
CP180 Fees for mortgage firms and insurance intermediaries
CP181 The Interim Prudential Sourcebooks for Insurers and Friendly
Societies: Implementation of the Solvency I Directives
(2002/12/EC and 2002/13/EC)
CP182 Proposed changes to the Listing Rules to take account of the
introduction of treasury shares

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Storm damage

Operational risk includes the risk of loss due to external
events. So hold on to your hats as 10 billion tonnes of super-hot
gas speeds in our direction. In the past episodes like this have
disrupted television broadcasts, automated cash machines and
airline tracking systems. They are known to affect mobile phones
and even wireless computer networks. This time, electric utilities,
airline communications and satellite navigation systems have all
been affected to a greater or lesser extent; for example, power
grid operators have seen the effects in their data, but so far have
not had problems.

http://news.bbc.co.uk/1/hi/sci/tech/3210901.stm
http://news.bbc.co.uk/1/hi/sci/tech/3213541.stm

It’s a truism to say that as we become more and more reliant on new
technologies, hitherto harmless events become more significant.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

———————————————————————-
If you’re in or near Edinburgh you shouldn’t miss the forthcoming
performance of Mahler’s 8th Symphony, the “Symphony of a Thousand”, at
the Usher Hall on Sunday 30th November. It should be quite an
experience: Edinburgh Bach Choir, Edinburgh Royal Choral Union,
Jubilo, Edinburgh Youth Choir, and Sinfonia are joining forces for the
occasion. There won’t be 1000 of us, but there’ll be quite a few!

Tickets from the Usher Hall, 0131 228 1155
———————————————————————-


Risk identification

It goes without saying that risk identification is vital for effective risk management. In order to manage your risks effectively, you have to know what they are. The really important thing during risk identification is not to miss any risks out. You can decide to ignore some of them at a later stage, after you have assessed them, but they should all be included at this stage.

There are a number of different techniques that can be used. The ideal is probably to use a combination, and work with outsiders as well as people who are involved in the business and know it well. That way you can make good use of people’s expertise while reaping the benefits of a fresh viewpoint. Useful techniques include various brainstorming methods as well as systematic inspections and process analysis.

Whatever technique (or techniques) you use, it is important to provide an audit trail so that you can be sure of what happened and that no risks were omitted.


The FSA and risk based capital

The FSA has published proposals for a new framework for risk-based capital requirements for both life and non-life insurers. Although the details of the calculations differ, the overall structure is the same for both types. The proposals were issued in July and August 2003; the consultation period ends on 30th November 2003.

General framework

Insurers will be required to hold the higher of:

  • Minimum Capital Requirement (MCR): as set out in EU directives
  • Enhanced Capital Requirement (ECR): a more risk-sensitive calculation specified by the FSA

The ECR calculations are obviously different for life and non-life insurers. However, for both types the calculations make various industry-wide assumptions that may not be met by individual firms, whose risk profiles may be different from the average. The FSA proposes to take these differences into account through the Individual Capital Adequacy Standards (ICAS) mechanism. They say that ICAS will

  • mean that firms will hold capital more appropriate to their business and control risks
  • emphasise the responsibility of senior management for ensuring that firms have adequate financial resources
  • provide incentives for better risk management

ICAS will operate through Individual Capital Guidance (ICG). The ICG will usually be at or above ECR, and will be affected by whether firms’ risk assessment processes follow all the FSA’s guidance. The ARROW assessments will be a major input.

Although ICG is only guidance, firms will be expected to notify the FSA if capital falls below the ICG level. In addition, firms that fail to meet the ICG will be expected to set out a plan to restore adequate capital.


Newsletter Sep 2003

News update 2003-09: September 2003
===================


In this issue:
1. How many spreadsheets are out there?
2. Fraud
3. FSA update
4. Wild blackberries
5. Newsletter information


===============
1. How many spreadsheets are out there?

How many spreadsheets do you have in your organisation? You might
be surprised. I have had a recent (unconfirmed) report of a major
bank with 250,000 spreadsheets. Someone at another organisation I
visited recently thinks that they have 15,000.

It’s difficult to know how to interpret these numbers: there may be
many duplicates included if there was a simple count of files with
the .xls extension. Some of the spreadsheets might be little more
than one-off doodles used to add a column of figures. But by any
measure there are a lot of them. What we don’t know is how they
compare in volume to “normal” IT systems.

The usual measure of software quantity is “lines of code”.
Microsoft Office is thought to contain about 25 million lines of
code and a system described as “an extremely large corporate
banking legacy system which had been in use for over 10 years” had
4.7 million lines of code.

It’s difficult to come up with an equivalent measure for
spreadsheets, which can include both spreadsheet formulae and
Visual Basic for Applications code. Moreover, “normal” systems
contain code for user interfaces, whereas spreadsheets rely on
their own formatting facilities. However, for a spreadsheet with no
VBA, a measure based on the number of formulae cells or unique
formulae (ie, a column containing the same formula copied down
contains only one unique formula) might be appropriate.

Typically, there are between 20 and 500 formulae cells per unique
formula. It’s difficult to estimate, and varies a lot, but a
spreadsheet that takes up say 3MB on the disk might contain 20,000
– 50,000 formula cells, or say 200 – 1000 unique formulae. This
might be equivalent to 500 – 3,000 lines of code. (This is based on
the spreadsheets I’ve reviewed recently, some of which have coded
calculations in VBA rather than spreadsheet formulae, taken with my
experience of programming in various languages; your mileage may
vary).
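The “unique formulae” measure above is easier to apply than to describe, so here is an added illustration (my own, not code from the newsletter or from XLSior) of the usual way it is computed: each formula is rewritten relative to the cell that holds it, in the style of Excel’s R1C1 notation, so that a formula copied down a column collapses to a single entry while absolute references ($B$1) stay fixed. It assumes a sheet represented as a Python dict of A1 addresses to formula text, and its reference tokenizer is deliberately simple: plain A1 references and ranges only, no sheet-qualified references, named ranges or string literals. The sample sheet is constructed for the example.

```python
import re
from collections import Counter

# Matches an A1-style reference such as A2, $B$1 or AA10. The look-arounds stop
# function names (SUM, LOG10) and other identifiers from being taken as cells.
CELL_RE = re.compile(r"(?<![A-Za-z0-9_$])(\$?)([A-Z]{1,3})(\$?)(\d+)(?![A-Za-z0-9_(])")


def col_to_num(letters):
    """Convert column letters to a 1-based index: A -> 1, Z -> 26, AA -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def to_r1c1(cell, formula):
    """Rewrite an A1 formula relative to the cell that holds it, R1C1 style.

    Relative references become offsets (R[-1]C[2]); absolute ones stay fixed
    (R1C2). Copies of one formula in different cells then produce identical text.
    """
    m = re.fullmatch(r"([A-Z]{1,3})(\d+)", cell)
    row, col = int(m.group(2)), col_to_num(m.group(1))

    def rewrite(match):
        abs_col, letters, abs_row, digits = match.groups()
        r, c = int(digits), col_to_num(letters)
        rpart = f"R{r}" if abs_row else ("R" if r == row else f"R[{r - row}]")
        cpart = f"C{c}" if abs_col else ("C" if c == col else f"C[{c - col}]")
        return rpart + cpart

    return CELL_RE.sub(rewrite, formula)


def formula_stats(sheet):
    """Count formula cells and unique (R1C1-normalised) formulae in a sheet."""
    counts = Counter(to_r1c1(cell, f) for cell, f in sheet.items())
    total = sum(counts.values())
    return {
        "formula_cells": total,
        "unique_formulae": len(counts),
        "cells_per_unique": total / len(counts) if counts else 0.0,
    }


# Constructed sample sheet: column B applies the rate held in $B$1 to each row
# of A, column C keeps a running total, and D5/E5 both sum B2:B4 but from
# different cells, so they are two different formulae despite identical text.
SAMPLE_SHEET = {
    "B2": "=A2*$B$1", "B3": "=A3*$B$1", "B4": "=A4*$B$1",
    "C2": "=B2+C1", "C3": "=B3+C2", "C4": "=B4+C3",
    "D5": "=SUM(B2:B4)",
    "E5": "=SUM(B2:B4)",
}

if __name__ == "__main__":
    for cell, f in SAMPLE_SHEET.items():
        print(f"{cell:>3} {f:<14} -> {to_r1c1(cell, f)}")
    print(formula_stats(SAMPLE_SHEET))
```

On the sample sheet the eight formula cells reduce to four unique formulae, a ratio of 2 cells per unique formula; real models sit much higher, which is what the 20 to 500 range in the text reflects.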

We can assume an average spreadsheet size of say 1 – 3MB. This
might seem like a large average size, but 6 or 7MB isn’t unusual,
and I’ve come across several in the teens. The largest I’ve heard
of was 100MB.

So, at a rough guess (and it is *very* rough), 250,000 spreadsheets
might be equivalent to 100 million lines of code. On the same
basis, 15,000 spreadsheets would be equivalent to 7.5 million lines
of code.

So what we’ve got here is the equivalent of several large corporate
banking systems floating around the organisation. Of course, all
those spreadsheets have been through rigorous quality assurance
procedures, so we needn’t worry, right?

If you’d like more information about good practices for spreadsheet
development and management, do get in touch by replying to this
email.

===============
2. Fraud

When people are asked to give an example of an operational risk, by
far the most common response is “rogue trader”. In fact, there are
comparatively few of them about, especially in the insurance
industry. Other types of fraud are more frequent and, cumulatively,
give rise to larger losses.

At a recent conference Carol Sergeant, of the FSA, berated the
financial services industry for an inadequate response to the
problem. Apparently many firms do not undertake a thorough analysis
of the actual and potential financial crime risks to which they are
exposed, and are not organised to tackle them effectively.

At the same conference Rosalind Wright, the former director of the
Serious Fraud Office, accused business bosses of concealing the
extent of fraud within and against their companies. She said that
many financial institutions were too frightened to report fraud,
fearing damage to their reputations. And of course sometimes it’s
the bosses who are perpetrating the fraud in the first place, so
they are doubly unlikely to report it.

The danger here is that firms are losing more money by turning a
blind eye to fraud than they would by trying to prevent it or deal
with it effectively after it has been discovered. An effective
management process for operational risk will cover fraud, so
Sergeant seems to be suggesting that many insurance companies’
processes fall short in this area. In the future, if the proposals
in CP190 and CP195 are adopted, the FSA’s view that a firm is not
doing enough in this area may prove expensive (see below).

Carol Sergeant’s speech is at
http://www.fsa.gov.uk/pubs/speeches/sp148.html

Rosalind Wright’s speech is reported at
http://www.thisislondon.co.uk/news/business/articles/timid67636?source

===============
3. FSA update

Following CP190, setting out proposals on capital requirements for
non life insurers, we now have CP195 for life insurers. Like CP190,
it is full of acronyms. After going through various mathematical
calculations, such as the MCR and ECR (which involve the LTICR and
WPICC) we get to the RCM. However, after all the sums are done, the
acronym that really matters is the ICG, or individual capital
guidance. This will set out the FSA’s view of the capital that is
adequate for the firm’s individual circumstances. The various
mathematical acronyms will be taken into account, but so will other
factors. Section 4.17 says “The more firms are able to demonstrate
that their risk assessment processes capture and quantify all of
the issues in our guidance, then the lower we are likely to assess
their ICG (and vice versa). This provides an incentive for good
risk management.” The overall message from CP195 is the same as
that from CP190: risk management processes matter.

New consultation and discussion papers out this month:
—————————————————–

CP195 Enhanced capital requirements and individual capital
assessments for life insurers
CP196 Implementation of the Distance Marketing Directive: proposed
rules and guidance
CP197 Reporting requirements for mortgage, insurance and investment
firms, and supplementary consultation on audit requirements
CP198 Regulatory reporting – a new integrated approach
CP199 Miscellaneous amendments to the Handbook (No. 10)

Feedback published this month:
—————————–

CP159 Appointed representatives – extending the current
regime. Feedback on CP159 and ‘near final’ rules
CP174 Prudential and other requirements for mortgage firms and
insurance intermediaries – Feedback on CP174 and ‘near
final’ text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Wild blackberries

From Wired (http://www.wired.com/news/print/0,1294,60052,00.html):
“The eBay ad read ‘BlackBerry RIM sold AS IS!’ So Eugene Sacks (not
his real name), a Seattle computer consultant who always wanted one
of the pager-size devices to check his e-mail, sent in a bid. For
just $15.50, he bought the wireless device with 4 MB of memory. The
BlackBerry didn’t come with a cable, synching station, software or
a manual. But it did come with something even more valuable: a
trove of corporate data.

“After popping a battery into the BlackBerry’s back panel, Sacks
discovered a few things the previous owner wouldn’t have wanted him
to see — more than 200 internal company e-mails from financial
services firm Morgan Stanley and a database of more than 1,000
names, job titles (from vice presidents to managing directors),
e-mail addresses and phone numbers (some of them home numbers) for
Morgan Stanley executives worldwide.”

And then we hear that some ridiculous number of government laptops
go AWOL: “at least 60 of the 200 MoD and government laptops lost or
stolen will have contained sensitive information.”
(Report at http://news.bbc.co.uk/1/hi/technology/3109602.stm).

Meanwhile, in Australia, a couple of people just walked into a high
security computer facility and made off with two computers on a
trolley. The report says “The brazen theft has prompted Australia’s
top security agencies to conduct emergency damage audits amid fears
that terrorists may have gained access to highly sensitive
intelligence from the computers.”
(At http://www.smh.com.au/articles/2003/09/04/1062548967124.html)

We sometimes forget that sensitive information on a computer can
physically get into the wrong hands.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.


Newsletter Aug 2003

News update 2003-08: August 2003
===================


In this issue:
1. Web site accessibility
2. Time is money
3. Viruses multiply
4. FSA update
5. EuSpRIG
6. Newsletter information

===============
1. Web site accessibility

So you get these whizzy web site designers in, all dressed in
black, and they produce some very artistic story boards showing
possible designs. You choose one, they develop a prototype and give
you a demonstration. It looks great. Technically sophisticated.
Right up to the minute, design wise. It’s going to be a big
marketing advantage, right?

Well, not necessarily. When they demonstrated it to you, it worked
really quickly, but what would it be like downloading over a phone
line? It looked cool in Internet Explorer, but what about in other
browsers?

You may think that only a few people use other browsers, or don’t
have Flash installed, or will complain if they can’t adjust the
size of the text, but those few people may hit your pocket hard.
First, a small proportion of a lot of people is still a lot of
people, and implicitly denying them access to your site is not
going to help your marketing effort. Second, some people use other
browsers or avoid technologies such as Flash and javascript not by
choice but out of necessity. They may have visual impairments, or
not be able to use a mouse, or be disabled in some other way.

It is a legal requirement to make sites accessible to the disabled,
and the Royal National Institute for the Blind (RNIB) is apparently
backing a number of people who are taking court action. Companies
that are sued run the risk of having to pay compensation, and will
also receive some bad publicity.

Meanwhile, a survey of 96 of 99 FTSE 100 companies (don’t ask)
showed that 21 of them failed basic accessibility tests. The three
not surveyed were so impenetrable that they could not be tested at
all.

Blind sue over site failings: http://www.vnunet.com/News/1142213
Accessibility report:
http://www.business2www.com/news_article.html?news_current=6156

===============
2. Time is money and more

How much time do people in your organisation spend waiting for
spreadsheets to do their calculations? You might be surprised: it’s
not uncommon to see macros that take up to half an hour to
execute, or spreadsheets that take 10 seconds to recalculate. This
is clearly a productivity issue, but it has wider implications too.

If something takes a long time, you will do it less often. So if
you have a macro that is very slow, you are less likely to test it
thoroughly, and it is more likely to be wrong. In addition, you
aren’t going to explore the possibilities nearly as much as you
would if it took only a minute to run. For instance, you might not
spot some cases where the results are very sensitive to the inputs,
and place more trust in the calculated numbers than is warranted.

Slow recalculation can have even more pernicious effects. 10
seconds is too long to wait each time you make a change, so you
turn automatic recalculation off. You then make the changes you
want, and recalculate by hand. If you forget to recalculate, the
spreadsheet is in an inconsistent state and shows incorrect
results. Moreover, the automatic or manual recalculation setting in
Excel affects all spreadsheets, not only the one that was showing
when you changed the setting. So any other spreadsheets that you
use are likely to show inconsistent results too.
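One check a reviewer can run for the failure mode just described, as an added example that is not part of the newsletter: read the calcPr element that Excel stores in xl/workbook.xml inside an .xlsx file and flag workbooks that were saved in manual calculation mode without fullCalcOnLoad set, since the cached results they display may not reflect their current inputs. The .xlsx container is newer than the 2003 issue, which would have been dealing with .xls files, and the helper that builds the sample workbooks produces a minimal zip containing only workbook.xml (constructed test data, not a real Excel export).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the SpreadsheetML main part (xl/workbook.xml).
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def calc_settings(xlsx_bytes):
    """Return the calculation settings recorded in an .xlsx file.

    Excel writes <calcPr calcMode="auto|manual|autoNoTable" fullCalcOnLoad="1"/>
    into xl/workbook.xml; a missing element or attribute means automatic mode.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    calc_pr = root.find(f"{{{MAIN_NS}}}calcPr")
    if calc_pr is None:
        return {"calcMode": "auto", "fullCalcOnLoad": False}
    return {
        "calcMode": calc_pr.get("calcMode", "auto"),
        "fullCalcOnLoad": calc_pr.get("fullCalcOnLoad", "0") in ("1", "true"),
    }


def stale_results_risk(xlsx_bytes):
    """True when the cached values may not match the inputs: the workbook was
    saved in a non-automatic mode and nothing forces a recalculation on open."""
    info = calc_settings(xlsx_bytes)
    return info["calcMode"] != "auto" and not info["fullCalcOnLoad"]


def make_workbook(calc_pr_xml=""):
    """Build a minimal in-memory .xlsx containing only xl/workbook.xml.

    Constructed test data for this example; a real Excel file has many more parts.
    """
    workbook_xml = f'<workbook xmlns="{MAIN_NS}"><sheets/>{calc_pr_xml}</workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


# Three constructed workbooks: saved in manual mode, saved in automatic mode,
# and manual mode with a full recalculation forced on load.
MANUAL_WB = make_workbook('<calcPr calcMode="manual"/>')
AUTO_WB = make_workbook('<calcPr calcMode="auto"/>')
FORCED_WB = make_workbook('<calcPr calcMode="manual" fullCalcOnLoad="1"/>')


def audit(workbooks):
    """Return the names of the workbooks whose displayed results may be stale."""
    return [name for name, data in workbooks.items() if stale_results_risk(data)]


if __name__ == "__main__":
    flagged = audit({"manual.xlsx": MANUAL_WB, "auto.xlsx": AUTO_WB,
                     "forced.xlsx": FORCED_WB})
    print("Workbooks that may show stale results:", flagged)
```

Because the calculation mode is an application-wide setting, a workbook saved in manual mode is worth flagging even when its own numbers happen to be current: the mode it carries is the one Excel adopts for the session if that file is the first one opened.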

In most cases the use of some simple techniques can make all the
difference. I have speeded up macro execution from 15 minutes to 25
seconds, and recalculation time from 10 seconds to half a
second. In general, you want macros to take under a minute (with
some exceptions) and recalculation to take less than a second (with
no exceptions).

If you’ve got some slow spreadsheets that you’d like speeded up, do
get in touch by replying to this email.

Further discussion of this issue can be found in my paper at
http://www.louisepryor.com/papers/pryor-eusprig-2003.pdf
Other papers discussing various spreadsheet risks are at
http://www.louisepryor.com/articles.jsp

===============
3. Viruses and worms multiply

It just gets worse and worse. Both the Blaster worm and the Sobig.F
virus have been wreaking havoc over the last week or so. Then
there’s Nachi, which sort of fixes the Blaster problems but
introduces its own.

The following incidents have been reported:
– Defence contractor Lockheed Martin had less than 1 percent of its
systems infected, but still had disruptions.
– Railway and freight hauler CSX had to stop trains because of the
Nachi worm.
– Air Canada cancelled flights because its network couldn’t deal
with the amount of traffic generated by the Nachi worm.
– The Pentagon and US military had myriad infections of the Sobig.F
virus and the Nachi worm.
– Danish government ministries were forced to shut down their
machines after e-mails purporting to be from various government
ministers (including the grandmotherly agriculture minister)
promised “wicked screensavers” and “naughty movies” to
unsuspecting citizens.
– The Norwegian government’s central e-mail server, labouring under
a backlog of half a million messages, was forced to shut.
– The entire information technology network of Swedish-Swiss
engineering group ABB was affected by a new variant of the
Blaster worm.

Some of the press coverage has implied that only home users were
affected. This just isn’t the case. The risks are real.

To me, one of the scary things about Sobig.F is that it relies on
users. Nothing happens if you don’t open the mail attachment.
Apparently the warnings about not opening unexpected attachments
just haven’t got through.

Another problem is that Sobig.F “spoofs” the from address of the
emails it sends out. This means that it pretends to come from
another address entirely, often one it has found in the address
book of the infected machine. Virus software on mail servers often
sends automatic emails to the senders of infected messages, warning
of the infection and suggesting they do something about it. When
the from address has been spoofed, these emails go to the wrong
place, thus adding to the confusion (as well as to the number of
emails caused by the virus).

And the sheer volume of emails is amazing. Email filtering
companies were reporting millions of infected messages a day
(literally: one reported 1 million and another 2.6 million, five
times the usual number). Another company reported an infection rate
of 1 in 17 messages, compared to 1 in 138 for the previous top
threat. America Online usually checks 11 million messages a day (it
only checks messages that have attachments). At the height of the
infection it checked 31 million messages in one day, 11.5
million of which were infected. By my reckoning, this implies that
8.5 million messages were probably generated by virus detection
software…

Further details at
http://news.zdnet.co.uk/internet/security/0,39020375,39115869,00.htm

===============
4. FSA update

The FSA, HM Treasury and the Bank of England have published a guide
to the Financial Services Action Plan (FSAP). The FSAP consists of
a set of measures intended by 2005 to fill gaps and remove the
remaining barriers to a Single Market in financial services across
the EU as a whole. The guide is at
http://www.fsa.gov.uk/pubs/other/fsap_guide.pdf. From the
introduction: “The guide is intended to provide an introduction to
the FSAP for the UK financial sector, corporate sector and consumer
groups, where they are not yet sufficiently familiar with its
potential impact, rather than for experts.”

New consultation and discussion papers out this month:
—————————————————–

CP191 Miscellaneous amendments to the Handbook (No. 9)
CP192 Further consultation on fees for mortgage firms and insurance
intermediaries
CP193 Professional Indemnity Insurance for personal investment
firms: proposed policy and rules
CP194 Amendments to the Training and Competence sourcebook:
including consultation on Competencies for Mortgage Advisers

DP22 Reducing money laundering risk – Know Your Customer and
anti-money laundering monitoring

Feedback published this month:
—————————–

CP163 The UCITS Management Directive: Implementing the UCITS
Amending Directive (2001/107/EC) – Feedback on CP163 and made
text
CP168 Consolidated policy statement on our fee raising framework –
As at July 2003 (including feedback on CP168)

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. EuSpRIG

In July I attended the Fourth Annual Conference of the European
Spreadsheet Risks Interest Group, held in Dublin. It was a busy
couple of days, with many interesting papers. The participants were
a varied crowd, ranging from academics through consultants to
spreadsheet users. There were many good exchanges of views.

The keynote address was given by Dean Buckner of the FSA, who is
apparently quite worried about the way many firms are handling (or
not handling) the risks of end-user computing. A big problem is
that spreadsheets (and databases – a lot of use is made of Access)
are not taken seriously: “we’ll introduce a real system soon, so
it’s not worth worrying about the spreadsheets as they’ll just
disappear.” Well, they may or may not disappear in the future (my
guess is not), but they are here now and pose real risks. If you’d
like to know more, just get in touch by replying to this email.

If you are at all interested in spreadsheet risks you should sign
up for the EuSpRIG mailing list at
http://groups.yahoo.com/group/eusprig. It’s very low volume, and
you’ll be kept up to date on EuSpRIG and the next
conference. EuSpRIG’s site is at http://www.eusprig.org/, where you
can find a full report of the recent conference.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Jul 2003

News update 2003-07: July 2003
===================

Stop press
==========

Just as I was about to send this out, the FSA released “Building a
framework for operational risk management: the FSA’s observations –
Feedback on industry practice as we prepare to implement CP142”
available at http://www.fsa.gov.uk/pubs/policy/ps142_2/. The document
gives the results of a thematic review performed by the FSA. It
discusses issues firms consider as they establish operational risk
frameworks, and presents the FSA’s conclusions. It’s clearly essential
reading for everyone involved in operational risk.

In this issue:
1. Ganging a-gley
2. PDAs are dangerous
3. Counting the zeros
4. FSA update
5. Content filtering
6. Newsletter information

===============
1. Ganging a-gley

“the best laid schemes o’ mice an’ men, Gang aft a-gley” as Robert
Burns said in 1786. 217 years later, we can only agree. Recent
visitors to the web site of the Actuarial Profession at
www.actuaries.org.uk may have noticed messages from the Chief
Executive on the front page, one explaining that there were
problems with the web site and email, and then a few weeks later
one saying that everything was now working correctly. The problems
arose from major changes to the IT infrastructure.

Apparently it had become necessary to change operating systems. The
changes turned out to be both major and complex: there were all
sorts of interdependencies which meant that many things had to be
changed simultaneously. In the middle of all this, an unconnected
piece of hardware (which was due for replacement shortly anyway)
decided to give up the ghost. As part of the fallout email was
unreliable for some time, and didn’t function at all for a
period. Several communications to the members of the profession
were made by snail mail instead.

This type of problem is not unusual. It was possibly more visible
than it would have been in some organisations because the Actuarial
Profession has made good use of new technologies and relies on the
web and email for most of its communications with the membership.

It does remind us, though, that change of any sort is one of the
biggest causes of operational risk. It is often difficult to
predict the precise effects of any change; in addition, it is
extremely difficult to make full contingency plans for complex
changes. Unfortunately change eventually becomes necessary.

We all know that it is best to make several small changes instead
of one large one; to pilot the changes first; and to do the whole
thing in such a way that you can back out of the changes at any
stage. Unfortunately these things are often easier said than
done. Also, change tends to become more risky over time. Small
changes are made over an extended period, as performance is
tweaked, new functionality added, and so on. These small changes
tend to make use of what is there already, thus introducing further
interdependencies. As time goes on, and it is recognised that
interdependency creep has taken hold, so the risks of major changes
are recognised and they are less likely to occur. It’s all a
vicious circle.

By the way, most of the points I’m making here are not specific to
IT systems, but apply to any systems or processes in the
organisation.

And finally, you can’t rely on just one thing going wrong at once
(see also the April issue of this newsletter, at
http://www.louisepryor.com/showNews.do?issue=030422). This is
especially true in IT, but applies elsewhere too. Remember that
Murphy was with Burns on this one.

===============
2. PDAs are dangerous

Last month I discussed two surveys that showed how dangerous life
is, bemoaning the lack of business continuity arrangements and
effective backups. The not entirely disinterested survey this month
was conducted on behalf of PointSec, a company that specialises in
protecting mobile devices.

According to the survey, a third of employees who have PDAs are
leaving sensitive information unprotected on them. (As usual, I
have only been able to find press reports of the survey, all
written from the same press release, so I don’t know what the real
results are). Many people use them to store business names
and addresses, bank account details, personal information,
passwords and PINs, and corporate information. Not only could a
thief or finder steal the owner’s identity, they could also pose a
real threat to the owner’s employer.

The press release is at
http://www.infosec.co.uk/page.cfm/Action=Press/PressID=4/t=m

Useful utilities for protecting confidential information on your
PDA are SplashId (www.splashdata.com, PalmOs only) and eWallet
(http://www.iliumsoft.com/site/ew/ewallet.htm, PalmOs and
PocketPC).

===============
3. Counting the zeros

There were “wild market swings” on 3rd July when someone entered an
order to sell 10,000 contracts in Chicago Board of Trade e-mini Dow
Jones Industrial Average futures. Apparently people feared that
something dreadful such as a terrorist attack had happened, but in
fact it was simply an erroneous entry in the trading system. The
trader had intended to sell 100 contracts.

These “wrong big figure” quotes are reasonably frequent. There are
many contracts and trading agreements out there that mention them
specifically (do a search on the phrase to see examples). The
trouble is that it’s difficult to stop them happening. Make the
user confirm all their entries, and they get used to hitting enter
twice instead of once, so the error just goes straight
through. Don’t make them confirm, and the error just goes straight
through. The best answer is probably to be a bit intelligent about
it: ask for confirmation in special cases, when the volume, or
price, or other measure, is significantly different from the norm
for that trader, or that contract or stock, or for the market as a
whole. It’s more difficult to implement, but more likely to stop
the problem.

Apparently at the time this happened a contract was worth roughly
$45,000, so the sell order was worth about $450m instead of
$4.5m. Seems like quite a difference to me.
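The “intelligent” confirmation described above, as an added example that is not code from the newsletter: confirmation is requested only when an order’s quantity is at least ten times larger (or smaller) than the typical quantity for that trader, for that contract, or for the market as a whole. The order history, the second contract name, the tenfold threshold and the function names are constructed assumptions.

```python
"""Volume-aware order confirmation (added example; not from the newsletter).

Confirming every order teaches users to hit Enter twice; confirming none lets
a 10,000 typed for 100 straight through. Here an order is queried only when
its quantity is far outside the norm for the trader, the contract, or the
market. The history, contract names, threshold and function names are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Callable, List


@dataclass(frozen=True)
class Order:
    trader: str
    contract: str
    quantity: int


@dataclass
class ConfirmationPolicy:
    # Ask for confirmation when the quantity is at least this many times
    # larger (or smaller) than the typical quantity for a baseline.
    max_ratio: float = 10.0
    # A baseline with fewer orders than this is too thin to judge against.
    min_history: int = 5
    history: List[Order] = field(default_factory=list)

    def record(self, order: Order) -> None:
        """Add an order that went through (confirmed or not) to the history."""
        self.history.append(order)

    def _typical(self, keep: Callable[[Order], bool]) -> float:
        """Median quantity of the historical orders selected by `keep`, or 0.0
        when there is too little history. The median, not the mean, is used so
        that one earlier fat-finger order does not drag the norm up with it."""
        qtys = [o.quantity for o in self.history if keep(o)]
        return float(median(qtys)) if len(qtys) >= self.min_history else 0.0

    def reasons_to_confirm(self, order: Order) -> List[str]:
        """One reason per baseline the order is out of line with.
        An empty list means the order can go straight through."""
        if order.quantity <= 0:
            return ["quantity must be a positive number of contracts"]
        baselines = {
            "trader": self._typical(lambda o: o.trader == order.trader),
            "contract": self._typical(lambda o: o.contract == order.contract),
            "market": self._typical(lambda o: True),
        }
        reasons = []
        for name, norm in baselines.items():
            if norm == 0.0:
                continue  # not enough history for this baseline
            ratio = max(order.quantity / norm, norm / order.quantity)
            if ratio >= self.max_ratio:
                reasons.append(
                    f"{name}: {order.quantity} contracts vs typical {norm:g}"
                )
        return reasons

    def should_confirm(self, order: Order) -> bool:
        return bool(self.reasons_to_confirm(order))


def sample_policy() -> ConfirmationPolicy:
    """A policy loaded with a constructed history: two traders who normally
    deal in modest sizes of two different index futures."""
    policy = ConfirmationPolicy()
    for q in (100, 120, 80, 150, 100, 90, 110, 100, 130, 100):
        policy.record(Order("trader-1", "e-mini Dow", q))
    for q in (200, 250, 180, 220, 200, 210, 190, 200):
        policy.record(Order("trader-2", "e-mini S&P", q))
    return policy


if __name__ == "__main__":
    p = sample_policy()
    for o in (Order("trader-1", "e-mini Dow", 100),
              Order("trader-1", "e-mini Dow", 10_000)):
        print(o, "->", p.reasons_to_confirm(o) or "no confirmation needed")
```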

There’s a description of the incident at
http://news.morningstar.com/news/DJ/M07/D03/1057291261351.html

===============
4. FSA update

John Tiner is to be the new Chief Executive at the FSA. He was not
by any means considered an outsider for the post, and on the whole
his appointment was welcomed. There is likely to be some internal
reorganisation after he takes over in September, but no radical
overhaul of the way that the FSA approaches its duties.

CP190, the long awaited consultation paper on capital requirements
for non-life insurers, has been released at last. It’s long, so few
people will yet have had time to digest it fully. I was
particularly interested in the discussion of the ICG (Individual
Capital Guidance). Basically, firms will be expected to calculate
their ECR (Enhanced Capital Requirement), learn a whole new set of
TLAs (Three Letter Acronyms), and assess their capital requirements
in the light of both their calculated ECR and how their individual
risk profile differs from that used in the ECR calculations. The
ICG will be guidance from the FSA on this, and will be consistent
with the Arrow risk assessments. It looks as if there will be a
real incentive to have a robust and workable risk management
framework.

This is all consistent with the FSA’s stated aim of getting better
risk awareness and management amongst senior managers. The FSA also
say that the current rate of failure through insolvency is too
high, and that higher levels of capital should help to cut the
rate. The implication is that better risk management practices
should also reduce insolvencies, a theory that is borne out by the
paper on insurance company failures issued late last year (see
http://www.louisepryor.com/showNews.do?issue=030120 and
http://www.fsa.gov.uk/pubs/occpapers/op20.pdf).

The FSA has recently conducted a review of liability insurers,
during the course of which they identified a number of good
practice indicators. Showing every sign of extreme consistency, a
number of these are to do with the insurer encouraging good risk
management practices in their policy holders.

New consultation and discussion papers out this month:
—————————————————–

CP187 Insurance selling and administration & other miscellaneous
amendments
CP188 Clarification and revision of financial promotion Rules and
Guidance
CP189 Report and first consultation on the implementation of the
new Basel and EU Capital Adequacy Standards
CP190 Enhanced capital requirements and individual capital
assessments for non-life insurers

Feedback published this month:
—————————–

CP136 Individual capital adequacy standards
CP143 Integrated Prudential sourcebook – Feedback on chapters of
CP97 applicable to insurance firms and supplementary
consultation
CP153 Alternative trading systems
CP157 Examination Framework for Retail Financial Services
CP160 Insurance selling and administration – the FSA’s
high-level approach to regulation
CP165 Miscellaneous amendments to the Handbook (No.6)
CP167 With-profits governance and the role of actuaries in life
insurers
CP175 Miscellaneous amendments to the Handbook (No. 7)

DP19 Options for regulating the sale of “simplified investment
products”

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Content filtering

Last month I discussed the dangers of some viruses and fake viruses
that are currently doing the rounds. Some readers failed to receive
the benefit of my wisdom because their firewalls refused to let the
email through, thinking it might be dangerous. This happened
because they use “content filtering”: blocking emails that contain
certain content, usually words that are generally associated with
spam or snippets of text that are contained in undesirable
emails. The last issue contained the word j d b g m g r, and this
was enough to trigger blocking at a number of sites.

It’s difficult to know exactly, but there were at least 6 domains
that blocked the email completely, and another 2 or 3 that delayed
delivery (presumably it had to be checked out by hand). This is out
of a total of about 90 domains that the newsletter is delivered
to. There may have been more delivery failures that I never found
out about. The issue is available in full on the web site at
http://www.louisepryor.com/showNews.do?issue=030626 if you missed
it.

In this case there was no real harm done by content filtering, but
in general it is not a good idea, as its hit rate on innocent email
can be too high. Given any word or phrase that might be filtered on
(pick any body part that only 50% of people have, for example) and
it is possible to come up with an example of a totally legitimate
email containing that word. Admittedly content filtering is more
reliable in a corporate context than it is for general service
providers such as ISPs, but there are still many exceptions. My
last newsletter was, I like to think, one of them.

I had some interesting correspondence with the support staff at
some of the affected domains: some were extremely helpful and
friendly, but had no easy way of overriding the block, others were
more complacent. For example, one said “We screen for viruses and
hoaxes and are authoritative for our internal users – any other virus
related communications are potential social engineering attacks,
and are filtered at the internet mail gateways.” In other words, in
this organisation the internal users are kept in ignorance of the
exact nature of the threats. I believe this is a high risk
policy. It will work so long as their filtering at internet mail
gateways is totally effective, and is always updated before a
potential threat arrives. It will not work if there is any way of
getting round the protection; for example, taking a laptop home and
using it to read email from a personal mail account. To my mind,
informed users are more likely to be safe users.

Newsletter Jun 2003

News update 2003-06: June 2003
===================

In this issue:
1. Pasting is dangerous (1)
2. Pasting is dangerous (2)
3. Do you have effective backups?
4. FSA update
5. Virus (and non virus) dangers
6. Newsletter information

===============
1. Pasting is dangerous (1)

Next time you paste some figures into a spreadsheet, be afraid. Be
very afraid. Someone at TransAlta Corporation managed to lose $24m
(Canadian) through a “clerical error” in pasting into an Excel
spreadsheet. The spreadsheet in question was used to submit bids
to the New York Independent System Operator (New York ISO) for May
2003 transmission congestion contracts (TCCs). It’s not really
important to understand what TCCs are: the crux of the problem is
that you put bids in at the end of one month that affect the prices
you pay during the next. Once submitted, the bids can’t be
retracted. Because of the spreadsheet error, TransAlta ended up
with more TCCs than they wanted, and at higher prices than they
intended. They didn’t spot the error until they were notified that
their bids had been successful.

There are at least two operational failures evident in this
story.

First, the whole thing was an accident waiting to happen if pasting
numbers into the spreadsheet was part of the normal process of
preparing these bids. Manual pasting is notoriously prone to
errors. If data has to be transferred between spreadsheets,
automatic links (used with appropriate precautions) or automated
copying and pasting via macros (ditto) are much safer. If the
pasting was unusual, then extra care should have been taken and
more thorough testing should have been performed.

Which brings us to the second failure. How come the error wasn’t
found before the bids were submitted? The answer has got to be
that there was inadequate review and testing. I suspect that there
weren’t formal tests, and that the reviewing was not systematic. It
isn’t difficult to devise effective reviewing procedures that
should pick up this sort of problem (we are told that the error was
caused by mismatching bids and prices, which implies that the error
was due to misaligning the pasted region).

A transcript of the investor conference at which the error was
explained can be found at http://dupleish.notlong.com. A brief
summary is at http://www.theregister.co.uk/content/67/31298.html.

===============
2. Pasting is dangerous (2)

Just the other day a similar error was discovered before it was too
late. The error came to light in a university examiners meeting:
the spreadsheet containing the marks for a small joint degree (3 or
4 students) was found to be wrong. The numbers just didn’t make
sense, as the average marks were inconsistent with the range of
individual marks. The numbers were recalculated by hand before the
end of the examiners meeting, and no harm was done, let alone $24m
worth.

The problem was caused (again) by copying and pasting: the formulae
were correct in the first row, but not in the later rows. History
doesn’t relate, but presumably it was a question of relative versus
absolute references.

The spreadsheet had actually been checked before the meeting by the
Chair of one of the departments involved. Unfortunately, the check
had been confined to the first row, which was indeed correct.

There are several morals to this story.
– be very afraid when copying and pasting
– don’t rely on checking the formulae, look at overall
reasonableness too
– if you’re checking a representative sample of formulae, remember
that the first row (or first column) probably isn’t
representative.

===============
3. Do you have effective backups?

A survey of 100 IT managers at Fortune 1000 companies indicates
that about 60% of corporate data is stored on desktop PCs or on
laptops; and 80% of PC users don’t have effective backups for data
or configuration settings.

Meanwhile, another survey showed that 80% of UK SMEs have no
business continuity plan in place at all.

If true, these figures show that there is an accident waiting to
happen, but it should be noted that both surveys were conducted by
interested parties. CoreProtect (http://www.coreprotect.com) sells
products to back up configuration settings, and Xbridge
(http://www.xbridge.com) is trying to encourage firms to take out
business continuity insurance. I have been unable to track down any
information about either survey on their respective web sites.

The surveys were reported by out-law.com (available at
http://empfissa.notlong.com) and Yahoo
(http://biz.yahoo.com/prnews/030528/law046_1.html).

I may not have confidence in the actual figures quoted in these
reports, but I certainly believe that backups from desktops and
(especially) laptops are not as thorough as could be desired. Users
have a nasty habit of storing files locally rather than on shared
server drives. Of course, with laptops they pretty much have to do
that.

Of course in some ways the use of laptops may help business
continuity; the laptop (and its unbacked up data) may be available
when the servers aren’t. But it’s probably more likely that
something bad will happen to the laptop (injury, theft, or
whatever) and the server will remain intact, but without the vital
data.

===============
4. FSA update

This has been a very light month for consultation and feedback.
However, there have been a couple of somewhat interesting
publications.

The Annual Report for 2002/3 was issued in the middle of June. It
comes in two flavours, the full version with 221 pages and a
summary with 48 pages. One of the most useful parts is the
organisational chart at the end (of the summary version, at least;
I haven’t downloaded the 8.59MB of the full version).
Both versions are available from
http://www.fsa.gov.uk/pubs/annual/ar02_03/index.html

On 12th June Michael Foot gave a speech to the City and Financial
Conference on Operational Risk on “Operational risk management –
Best practice strategies in light of final Basel proposals.” He
talked about why operational risk has a higher profile than in the
past, and why this will continue into the future. The FSA is taking
operational risk very seriously, as it affects three of the four
statutory objectives. It has recently undertaken a survey of
operational risk management practices, which will shortly be
published. A big issue is going to be implementation of Basel 2 as
the timetable is fixed (and the proposals aren’t final yet). Foot
didn’t talk about the EU proposals and their effect on
non-banks. The speech is available at
http://www.fsa.gov.uk/pubs/speeches/sp135.html

New consultation and discussion papers out this month:
—————————————————–

No consultation or discussion papers have been issued since my last
newsletter

Feedback published this month:
—————————–

CP169 Professional Indemnity Insurance for personal investment
firms

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Virus (and non virus) dangers

A few weeks ago we heard a lot about the Bugbear.B virus. It was,
we were told, going to create havoc in financial institutions; it
contained a list of domain names, and if it found itself in one of
those domains it would turn on key-logging capabilities and then
email sensitive data, including passwords, to specified email
addresses.

So what happened? Not a lot, really. Many people were infected,
but they were mostly home users rather than financial
institutions. It turns out that most financial institutions have
pretty effective anti virus and firewall software in place
(sometimes too effective; it can be difficult to get genuine files
through some of them). On the other hand, home users often don’t
have up to date anti virus protection, and only rarely use
firewalls.

I usually feel a little smug at this point; even without anti virus
software I would be less vulnerable than many people. I don’t use
Outlook, and in particular I use a mail program (The Bat!) that
doesn’t use the Windows address book. This means that even if I am
infected, I won’t infect other people. Also, I use the option to
read my email as text rather than HTML. One of Bugbear.B’s nasty
little habits is to use a bug in some versions of Internet
Explorer, whose code is used to display HTML mail in Outlook and
some other mail readers. This bug means that some mail attachments
are automatically opened; if they contain viruses, all is lost.

Meanwhile, there was another spate of the hoax jdbgmgr virus. Every
so often I get sent email telling me that there is a new virus on
the loose, and that I can tell that I have been affected if there
is a file called jdbgmgr.exe. The message will go on to say that
anti virus software won’t detect the file, and that I should delete
it immediately, before sending email to everyone whose address I
have to warn them of the problem.

The file isn’t detected by the anti virus software because it’s not
a virus. It’s a perfectly harmless file that will be found on most
Windows systems. Luckily it’s not often used, so deleting it won’t
do any harm.

I find it amazing that people will jump in and delete a file from
their computer on the say so of a random acquaintance. The people I
have received this hoax from are not, on the whole, people I am in
regular contact with, and are typically not people I would consider
to be particularly knowledgeable about computers (the exception was
a Professor of Computer Science, but he may not often get his hands
dirty nowadays). It’s very lucky that more damage hasn’t been done;
people could completely wreck their systems if they deleted the
wrong files without knowing what they were doing.

It is very easy to tell if email like this is genuine: use
Google. Just search for “jdbgmgr” (in this case) and see what you
get.

Symantec’s information on Bugbear.B can be found at
http://bobwomia.notlong.com

Free firewalls for home use include Tiny Personal Firewall
(http://www.tinysoftware.com/home/tiny2?la=EN) and ZoneAlarm
(http://www.zonelabs.com/store/content/home.jsp).

The Bat! is at http://www.ritlabs.com/the_bat/. Other free, or
cheap, mail readers that don’t use the Windows address book are
Eudora (http://www.eudora.com) and Pegasus Mail
(http://www.pmail.com/index.cfm).

Symantec’s information on the hoax virus is at
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

Pasting error

In June 2003 a pasting error was discovered before it was too late. The error came to light in a university examiners meeting: the spreadsheet containing the marks for a small joint degree (3 or 4 students) was found to be wrong. The numbers just didn’t make sense, as the average marks were inconsistent with the range of individual marks. The numbers were recalculated by hand before the end of the examiners meeting, and no harm was done, let alone $24m worth (see the note on TransAlta Corporation).

The problem was caused (like so many others) by copying and pasting: the formulae were correct in the first row, but not in the later rows. History doesn’t relate, but presumably it was a question of relative versus absolute references.

The spreadsheet had actually been checked before the meeting by the Chair of one of the departments involved. Unfortunately, the check had been confined to the first row, which was indeed correct.

There are several morals to this story.

  • Be very afraid when copying and pasting
  • Don’t rely on checking the formulae, look at overall reasonableness too
  • If you’re checking a representative sample of formulae, remember that the first row (or first column) probably isn’t representative.
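Two automated checks for the marks sheet described in this note and in the July newsletter’s “Pasting is dangerous (2)”, as an added example that is not code from either: a relative-reference comparison that reports formulae differing from the first row of their column, and a reasonableness check that reports rows whose displayed average lies outside the range of the individual marks. The sheet, its formulae, the cell values and the function names are constructed assumptions; the checks work on formula text and displayed values, not on a live workbook.

```python
"""Two checks on a pasted block of spreadsheet formulae (added example; not
from the note). `inconsistent_formulas` rewrites every A1 reference relative
to its own cell (R1C1 style) and reports cells whose formula differs from the
first row of the same column. `unreasonable_averages` reports rows whose
displayed average lies outside the range of the marks it is meant to
summarise. The marks sheet at the bottom is constructed.
"""
import re
from typing import Dict, List, Tuple

# An A1-style reference, with optional $ on the column and/or the row.
# The look-arounds stop text such as the 10 in LOG10( being read as a reference.
A1_REF = re.compile(r"(?<![A-Za-z$])(\$?)([A-Z]{1,3})(\$?)(\d+)(?![\d(])")


def col_to_num(letters: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def split_address(addr: str) -> Tuple[int, int]:
    """'E3' -> (row 3, column 5)."""
    m = re.fullmatch(r"([A-Z]{1,3})(\d+)", addr)
    if not m:
        raise ValueError(f"bad cell address: {addr}")
    return int(m.group(2)), col_to_num(m.group(1))


def to_r1c1(formula: str, row: int, col: int) -> str:
    """Rewrite references relative to the cell at (row, col). Absolute parts
    keep their number; relative parts become offsets in brackets, so formulae
    that mean the same thing in different rows become identical strings."""
    def repl(m) -> str:
        col_abs, letters, row_abs, digits = m.groups()
        r, c = int(digits), col_to_num(letters)
        r_part = f"R{r}" if row_abs else f"R[{r - row}]"
        c_part = f"C{c}" if col_abs else f"C[{c - col}]"
        return r_part + c_part
    return A1_REF.sub(repl, formula)


def inconsistent_formulas(formulas: Dict[str, str]) -> List[str]:
    """Cells whose relative formula differs from the topmost formula in
    their column. `formulas` maps a cell address to its formula text."""
    by_col: Dict[int, List[Tuple[int, str, str]]] = {}
    for addr, text in formulas.items():
        row, col = split_address(addr)
        by_col.setdefault(col, []).append((row, addr, to_r1c1(text, row, col)))
    bad = []
    for cells in by_col.values():
        cells.sort()
        template = cells[0][2]
        bad.extend(addr for _, addr, r1c1 in cells[1:] if r1c1 != template)
    return sorted(bad, key=split_address)


def unreasonable_averages(marks: Dict[int, List[float]],
                          shown: Dict[int, float]) -> List[int]:
    """Rows whose displayed average is outside [min, max] of that row's marks."""
    return [row for row, vals in sorted(marks.items())
            if not min(vals) <= shown[row] <= max(vals)]


# Constructed marks sheet: columns A-D hold paper marks, E the average and
# F a pass flag. The first row of each formula column is right. E3 and E4
# were copied from E2 with absolute references, so they still average row 2:
# the formula check cannot see that, but the reasonableness check can.
# F4 was pasted one row out of alignment, which the formula check does see.
SHEET_FORMULAS = {
    "E2": "=AVERAGE($A$2:$D$2)", "E3": "=AVERAGE($A$2:$D$2)", "E4": "=AVERAGE($A$2:$D$2)",
    "F2": "=IF(E2>=40,1,0)", "F3": "=IF(E3>=40,1,0)", "F4": "=IF(E3>=40,1,0)",
}
SHEET_MARKS = {2: [70, 75, 70, 75], 3: [60, 62, 64, 66], 4: [40, 45, 50, 55]}
SHEET_SHOWN_AVERAGE = {2: 72.5, 3: 72.5, 4: 72.5}   # what the wrong formulae display

if __name__ == "__main__":
    print("formula check:", inconsistent_formulas(SHEET_FORMULAS))  # ['F4']
    print("reasonableness:",
          unreasonable_averages(SHEET_MARKS, SHEET_SHOWN_AVERAGE))   # [3, 4]
```

Note that the absolute-reference mistake passes the formula check and is only caught by the reasonableness check, which is exactly the second moral above.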

TransAlta Corporation

Next time you paste some figures into a spreadsheet, be afraid. Be very afraid. Someone at TransAlta Corporation managed to lose $24m (Canadian) through a “clerical error” in pasting into an Excel spreadsheet. The spreadsheet in question was used to submit bids to the New York Independent System Operator (New York ISO) for May 2003 transmission congestion contracts (TCCs). It’s not really important to understand what TCCs are: the crux of the problem is that you put bids in at the end of one month that affect the prices you pay during the next. Once submitted, the bids can’t be retracted. Because of the spreadsheet error, TransAlta ended up with more TCCs than they wanted, and at higher prices than they intended. They didn’t spot the error until they were notified that their bids had been successful.

There are at least two operational failures evident in this story.

First, the whole thing was an accident waiting to happen if pasting numbers into the spreadsheet was part of the normal process of preparing these bids. Manual pasting is notoriously prone to errors. If data has to be transferred between spreadsheets, automatic links (used with appropriate precautions) or automated copying and pasting via macros (ditto) are much safer. If the pasting was unusual, then extra care should have been taken and more thorough testing should have been performed.

Which brings us to the second failure. How come the error wasn’t found before the bids were submitted? The answer has got to be that there was inadequate review and testing. I suspect that there weren’t formal tests, and that the reviewing was not systematic. It isn’t difficult to devise effective reviewing procedures that should pick up this sort of problem (we are told that the error was caused by mismatching bids and prices, which implies that the error was due to misaligning the pasted region).

See the transcript of the investor conference at which the error was explained for more details.

Risk indicators

A risk indicator is a piece of information that is a proxy for risk. The idea is that risk indicators should provide a good indication of the level of underlying risk, while being readily available or easily calculated. However, with modern technology there are many sophisticated indicators that count as being easily calculated.

Risk indicators can be used for any type of risk, and at any level of the organisation. They needn’t be totally accurate measures of risk (and indeed are unlikely to be, if they are readily available). Examples of risk indicators include:

  • Exposure to a single counterparty, used for several types of credit risk
  • Value at Risk, used for many types of risk in the banking industry and elsewhere
  • Stock betas, for market risk
  • Numbers of transactions, volumes of trades, values of transactions etc, for operational risk

Risk indicators are used for both monitoring and control. In monitoring, values are tracked over time, and significant changes are taken as indicating a change in the underlying risk level. For control, limits are placed on the values of indicators; activities are constrained in order not to breach the limits.
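The monitoring and control uses just described, as an added example that is not code from the note: exposure to a single counterparty is the indicator, a limit refuses any deal that would breach it (control), and a period-end comparison reports moves beyond a tolerance as a possible change in the underlying risk (monitoring). The counterparties, amounts, limit, tolerance and function names are constructed assumptions.

```python
"""Counterparty exposure as a risk indicator for monitoring and control
(added example; not from the note). Control: a deal is refused if it would
take exposure to one counterparty over its limit. Monitoring: exposure is
snapshotted each period and a move beyond a tolerance is reported as a
possible change in the underlying credit risk. Counterparties, amounts,
limits and tolerances are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CounterpartyExposure:
    limit: float                    # control: hard cap on exposure per counterparty
    change_tolerance: float = 0.25  # monitoring: flag a move of over 25% between periods
    exposure: Dict[str, float] = field(default_factory=dict)
    history: Dict[str, List[float]] = field(default_factory=dict)

    def value(self, counterparty: str) -> float:
        """Current indicator value for one counterparty."""
        return self.exposure.get(counterparty, 0.0)

    def try_book(self, counterparty: str, amount: float) -> bool:
        """Control: admit the deal only if the indicator stays within its limit.
        Returns False (and books nothing) when the limit would be breached."""
        if amount < 0:
            raise ValueError("use settle() to reduce exposure")
        if self.value(counterparty) + amount > self.limit:
            return False
        self.exposure[counterparty] = self.value(counterparty) + amount
        return True

    def settle(self, counterparty: str, amount: float) -> None:
        """A maturing or closed-out deal reduces exposure."""
        self.exposure[counterparty] = max(0.0, self.value(counterparty) - amount)

    def close_period(self) -> Dict[str, float]:
        """Monitoring: record this period's value for every counterparty and
        return the relative change for those that moved more than the tolerance."""
        alerts: Dict[str, float] = {}
        for counterparty, current in self.exposure.items():
            series = self.history.setdefault(counterparty, [])
            if series:
                previous = series[-1]
                if previous == 0.0:
                    change = 1.0 if current else 0.0  # from nothing to something
                else:
                    change = (current - previous) / previous
                if abs(change) > self.change_tolerance:
                    alerts[counterparty] = change
            series.append(current)
        return alerts


def sample_run() -> Tuple[List[bool], Dict[str, float], Dict[str, float],
                          CounterpartyExposure]:
    """Constructed walk-through: three deals with one bank and one with another,
    a period close, two more deals, and a second close."""
    ind = CounterpartyExposure(limit=1_000_000)
    booked = [ind.try_book("Bank A", 400_000), ind.try_book("Bank A", 500_000),
              ind.try_book("Bank A", 200_000),  # would reach 1.1m: refused
              ind.try_book("Bank B", 100_000)]
    first = ind.close_period()                  # nothing to compare with yet
    ind.try_book("Bank B", 50_000)              # +50% for Bank B
    ind.try_book("Bank A", 50_000)              # about +6% for Bank A
    second = ind.close_period()
    return booked, first, second, ind


if __name__ == "__main__":
    booked, first, second, ind = sample_run()
    print("booked:", booked)            # [True, True, False, True]
    print("period 1 alerts:", first)    # {}
    print("period 2 alerts:", second)   # {'Bank B': 0.5}
```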
