Newsletter Oct 2004

News update 2004-10: October 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Spitzer risk
2. Getting rid of risk
3. FSA update
4. You don’t have to be a rocket scientist
5. Newsletter information

===============
1. Spitzer risk

There is a new component of operational risk: Spitzer risk, the
risk that Eliot Spitzer will launch an investigation into your
industry, attacking widely accepted ways of doing business.

A simplified summary of the current investigation: Some insurance
brokers accept contingent commissions from the insurers with whom
they place business. These are based on the volume of business they
place with that insurer. The brokers therefore have an incentive
to place business with insurers who offer these commissions, even
if they are not offering the best rates. Their interests are thus
not fully aligned with those of their clients. Moreover, it is
claimed that at least one broker asked insurers to submit dummy
quotes, so that the quote that would give them the incentive
commission would appear to be the cheapest.

The effects of Spitzer’s investigation are being felt much more
widely than the particular brokers against whom a suit has been
filed. A number of firms have said that they will stop accepting
contingent commissions. Share prices in brokers have fallen. Credit
ratings have been cut. Share prices in some insurers have fallen,
at least partly due to the fear that they will have to bear
extensive legal costs. The scope of the investigation is
broadening.

These effects aren’t limited to the USA; insurance broking is a
global business and there are fears that abuse may be present in
the UK market as well. The FSA don’t regulate insurance brokers
until 1st of January; there is no indication as to whether they
will launch an investigation in this country.

Potential losses to individual firms from Spitzer risk include
legal costs, potential fines, loss of revenue (no more juicy
contingent commissions in this case), losses due to lower credit
ratings and opportunity costs of spending management time on coping
with the fall-out or on developing new business models. There may
also be more general reputational damage. Many of these costs are
incurred by firms that are not directly involved as well as those
that are.

How should firms manage Spitzer risk? It’s tricky. Once it
happens, ie once Spitzer (or someone else) has launched an
investigation into some aspect of your industry, or one closely
connected with it, you should add it to your risk register and try
to handle the fall-out as best you can. Hence those brokers who
have said that they will stop accepting contingent
commissions. Even in this case you have to be aware of the
potentially widespread effects.

But how do you identify a Spitzer risk before it happens? There you
are, doing business in the normal way, just like everyone else in
your industry: how can you tell if some part of normal business
practice is likely to be considered worthy of investigation by a
regulator? And not necessarily your own regulator, either? You
really have to think outside the box. Is there any aspect of your
business that you wouldn’t like to have to explain and justify to a
hostile journalist? (Or other interrogator). Or any aspect that can
be described as “just the way things are done”, but isn’t how you’d
do it if you were starting from scratch?

But it’s very difficult to step back and see things as an
outsider. And how can you tell which aspects somebody else might
pick up on? It’s all part of coping with a changing context. What
was accepted 50 or even 20 years ago may not be acceptable now,
with the increased emphasis on openness and transparency.

===============
2. Getting rid of risk

Outsourcing, both explicit and implicit, will always be a source of
risk. Sometimes you just don’t have a choice of whether to
outsource or not, but the risk is still there.

For example, it’s not really practical to compile your own real
time market data. You have to use one of the major suppliers, such
as Reuters. But that means you depend on them, and if something
goes wrong you suffer. A couple of weeks ago a circuit breaker
failed at the Reuters Global Technical Centre in London (GTC-L). It
caused disruption to about 25% of the systems supported from the
building riser that was affected. An hour or so after the
first incident a second riser failed due to overloading, which
meant that two out of the four risers supporting GTC-L lost
power. The data feed was eventually down for about 10 hours. There
was nothing that Reuters’ customers could do about it.

http://www.finextra.com/fullstory.asp?id=12678
http://www.computerweekly.com/Article134316.htm

There has been a steady stream of scare stories about the risks of
outsourcing call centres offshore: operators offering unauthorised
credit to customers, and criminal gangs organising operators to
commit fraud against customers. Apparently some call centres are
not fully complying with the Data Protection Act, either.

However, the outsourcer is the party that is subject to the Data
Protection Act, as the Data Controller, so it’s the outsourcer’s
duty to ensure compliance. If there are problems, they will come
home to roost with the outsourcer, either as specific losses or as
reputational damage, and quite possibly both. You just can’t get
rid of the risk.

http://tinyurl.com/3p2ln

Here’s another risk that you can’t evade. Apparently many managers
are worrying about the increasing use of instant messaging
(IM). People use it to avoid the content filtering and monitoring
that is applied to email, believing that it is exempt from
compliance regulations such as Sarbanes-Oxley and Basel II. Of
course it’s not: it’s a communication just as much as emails and
telephone conversations are.

Many companies have banned it, as a security and compliance risk,
but the ban is extremely difficult to enforce. (From the technical
point of view it’s hard to distinguish IM traffic from other,
authorised, web traffic).

So whatever you do, you are still left with the risk. You ban IM,
people use it, you run into compliance problems… it’s no use
saying “not my fault guv.”

http://news.zdnet.co.uk/internet/security/0,39020375,39170374,00.htm

===============
3. FSA update

Back in December 2003 the FSA issued a Discussion Paper on fraud –
DP26: Developing our policy on fraud and dishonesty. It is
available at http://www.fsa.gov.uk/pubs/discussion/26/index.html.
In a recent speech Philip Robinson outlined the conclusions that
have been reached, and described the FSA’s new approach, called
Fighting Fraud in Partnership. The speech is available at
http://www.fsa.gov.uk/pubs/speeches/sp208.html.

From a risk management point of view, fraud is a significant
component of operational risk. Apart from the rare, high profile,
high loss cases such as BCCI and Barings, there is a great deal of
high frequency, low impact fraud. The ABI estimates that fraud
losses account for 3.7% of all insurance premiums, for example.

Robinson said that firms are not taking fraud as seriously as they
might. “But even when fraud mitigation is good business, it doesn’t
always follow that a firm will do it well. A project that we did
recently on insurance claimant fraud threw this into sharp relief
for me. In thirty small and medium-sized firms who responded to our
survey, every £1 they spent on fraud prevention yielded £3.80 in
savings; and yet fraud budgets were tight, with 71% of the firms
having no earmarked fraud budget at all.”

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/15 Quarterly consultation (No. 2)
CP04/16 The Listing Review and implementation of the Prospectus
Directive – Draft rules and feedback on CP203

Feedback published this month:
------------------------------

CP203 See CP04/16 above
PS04/21 Regulatory fees relating to mortgage and insurance
mediation regulation – Feedback on CP04/4 and CP04/9 and
made text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. You don’t have to be a rocket scientist

Maybe you remember all the excitement back in September about the
Genesis space probe, which was going to be grabbed by stunt pilots
as it parachuted to earth. Unfortunately the parachutes didn’t
open. We now know that the switches that were to trigger the
parachute were installed upside down. It appears that the design
drawings were faulty.

http://www.newscientist.com/news/news.jsp?id=ns99996541

This is a superb example that everything has to be right for things
to work: in this case, the implementation was OK but the
specification was wrong. This principle applies to financial models
as well as spacecraft. I gave a talk at the GIRO conference (annual
convention of general insurance actuaries in the UK) a couple of
weeks ago about how to believe your models. The slides are
available from http://www.louisepryor.com/show.do?page=articles.

You may not have to be a rocket scientist to operate a fax machine,
but it seems that being a lawyer isn’t always good enough. A lawyer
put a 100 page document in the fax machine the wrong way up,
and so faxed 100 blank pages through to the destination. The
document wasn’t received by a deadline, and an appeal succeeded
against fines worth 100m euros.

http://news.zdnet.co.uk/business/legal/0,39020651,39170375,00.htm

A new version of the World Bank Technology Risk Checklist is
out. From the introduction: “The World Bank Technology Risk
Checklist is designed to provide Chief Information Security
Officers (CISO), Chief Technology Officers (CTO), Chief Financial
Officers (CFO), Directors, Risk Managers and Systems Administrators
with a way of measuring and validating the level of security within
a particular organization.”

It’s available from
http://www.infragard.net/library/pdfs/technologyrisklist.pdf
Strangely, I haven’t been able to track it down at the World Bank
site. Maybe it’s a fake. But it looks as if it may be useful,
anyway.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Sep 2004

News update 2004-09: September 2004
===================

In this issue:
1. Actuaries and financial modelling
2. Financial web sites
3. FSA update
4. Portable risks
5. Newsletter information

===============
1. Actuaries and financial modelling

What do actuaries do? A question that has often been asked, and
sometimes even been answered. We now have a new answer from
Australia, where it appears that there is growing actuarial
involvement in project finance. A paper was recently presented to
the Institute of Actuaries of Australia Financial Services Forum on
“Financial Modelling of Project Financing Transactions”. It’s well
worth a read if you are involved in any sort of financial
modelling, whether or not you are an actuary and whether or not you
are modelling project financing.

The paper includes an analysis of the risks of models and some
ideas for managing the risks, gives a clear introduction to Monte
Carlo simulation and why you might use it, and has a section on why
actuaries might be good people for modelling project financing.

It also includes some statistics on the error rates the authors
have found in spreadsheet models of project financing. The authors
say “Research has shown that error rates in project financing
models can be as high as 10%. Section 5 of this paper provides
some statistics on error rates collected by Mercer Finance & Risk
Consulting. Out of the thirty highest value projects reviewed
during the 2004 financial year, nine (that is, 30%) exceeded the
10% threshold; four exceeded the 15% threshold; and one exceeded
the 20% threshold.”

The wording may be misleading here. They are not saying that, for
example, 10% of the models have errors. In fact, all the models
(100%) that they reviewed contained errors. They are saying that in
four of the models they reviewed over 15% of the unique spreadsheet
formulae contained errors, and that one model had errors in over
one in five of the formulae. This model was one of the smaller
ones, too, so it’s no use saying “it’s only a small model, so it’ll
be OK”.

Although the spreadsheets they reviewed were all modelling project
financing, there is absolutely no reason to suppose that the high
error rates are peculiar to the project finance field. Financial
models of any sort are complex, and it’s hard (but not impossible)
to write a spreadsheet that doesn’t contain errors.

So let me say, once again, that it’s important to get the process
right when developing financial models (whether using a spreadsheet
or specialist modelling software). Be clear what it is that you
want the model to do: write a specification that is detailed enough
to test against. Use appropriate techniques when building the
model: something that looks like a really cool way of doing things
may be difficult for other people to understand. Document the
design decisions you make. Use a good change control process to
keep track of what’s going on. Test the implementation against your
specification. Record the tests, so that other people have some
reason to believe you when you say the system has been tested. And,
above all, don’t trust yourself. You are bound to make mistakes in
the coding, and if you don’t look for them you won’t find them.

http://tinyurl.com/67aot

===============
2. Financial web sites

Phishing is big business. A recent survey says that US consumer
losses as a result of phishing scams have reached approximately
$500m (I always long to know how they come up with these
numbers). Apparently 70% of respondents had visited a spoofed
web site and 15% had disclosed sensitive information.

http://www.theregister.co.uk/2004/09/29/phishing_survey/

Obviously phishing is a risk to the consumer but it’s also a risk
to the financial institution that’s being spoofed. This is widely
recognised now, and many web sites warn their users of the
dangers. The trouble is that people don’t read the warnings (I only
read them myself from a professional point of view, because I’m
interested in risk management issues).

Another survey (it appears to be survey season at the moment)
claims that 90% of commercial web sites have security flaws that
make them vulnerable to online hackers and phishing attacks. So
maybe the dangers aren’t recognised quite as widely as they should
be. However, this figure is based on the web sites that a security
consultant was asked to audit, so there may well be an element of
self-selection here.

http://www.finextra.com/fullstory.asp?id=12548

All in all, the user experience of financial web sites is sometimes
distinctly sub optimal. An Australian bank found that customers who
had installed Windows XP Service Pack 2, the update from Microsoft,
wouldn’t be able to use their online services.

http://www.finextra.com/fullstory.asp?id=12435

Often, you can only use the online services if you use
Internet Explorer on a Windows machine. Admittedly the proportion of
people who use different browsers or different operating systems is
small, but the absolute numbers are quite large, and there’s a lot
of ill will involved. This is especially the case when the users
are using another browser because they have impaired sight or
another disability.

Sometimes sites are unusable for other reasons: recently an online
payment site was down because of a denial of service attack.

http://www.finextra.com/fullstory.asp?id=12538

So the risks involved in running a web site providing online
services can be significant. On the other hand, the risks of not
doing so can’t be ignored either. What is a poor bank to do?

===============
3. FSA update

For the first time since I started this newsletter in December
2002, we have gone for a full month without either consultation
papers or feedback being published. The supply of final notices
shows no sign of abating, though. And those FSA folk keep on making
speeches. The range of newsletters is growing: this month we had
the third General Insurance Newsletter and the first Life Insurance
Newsletter.

There has been fairly full press coverage of the FSA’s views on
what’s happening in closed funds, but I haven’t seen many comments
on a speech John Tiner made recently, entitled “Ambiguity of
Contracts: Lessons learned from Equitable Life”. Interestingly
enough, this speech was actually made in Denmark. Go figure.

From a risk management perspective, one of the most important
lessons to learn is that the world doesn’t stay the same. Changes
in social attitudes, which tend to have a fairly long time scale,
affect both legal interpretations and the regulatory
environment. Moreover, courses of action that are reasonable in
some circumstances become perceived as unreasonable in others. All
these changes take place gradually and continuously. It’s difficult
to pinpoint the exact moment at which attitudes and circumstances
make a course of action untenable.

This kind of risk is extremely difficult to manage. It’s hard to
step back and see the long term trends. It’s often hard even with a
moderate degree of hindsight. As so often in risk management, a
creative imagination is a huge advantage.

New consultation and discussion papers out this month:
------------------------------------------------------

None

Feedback published this month:
------------------------------

None

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Portable risks

What do you do if you are a consultant from an identity management
firm and your laptop is stolen while you are at a security show? Go
very red indeed?

http://tinyurl.com/4p3ok

We aren’t told whether there was sensitive data on the laptop, and
if so whether it was encrypted or protected in any way.

Yet another survey by yet another security firm has discovered that
PDAs are a big security risk. It comes as no surprise to me that
many people store the names and addresses of corporate customers on
their PDAs with no encryption. “As well as using their PDAs to
store company information, many users store valuable personal
information such as PIN numbers, bank account details, social
security numbers and even lists of passwords, many of which can be
accessed – ironically – without a password.”

This isn’t news. We’ve seen similar surveys in the past, and anyway
it’s obvious that this is what’s happening.

http://www.theregister.co.uk/2004/09/01/pda_sec/

Every so often we see a scare story about such and such an
establishment banning iPods, or Palms, or something else from their
premises on the grounds that they are a security risk, because you
can download data to them. Of course you can. And yes, in that
sense they probably are a (small) security risk. However, if I
wanted to download data I personally would choose a USB flash
drive. Much smaller, no special cables or docks required, and you
can get them with pretty large capacities nowadays (1 gig for 100
pounds plus VAT at Crucial).

In the good (or bad) old days, corporate PCs would have their
floppy drives disabled, no CD drives, and all other unnecessary
ports blocked. Nowadays, when the keyboard and mouse use USB
instead of PS2, you can’t block all USB ports. A flash drive
doesn’t need any special software to be installed, either.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Aug 2004

News update 2004-08: August 2004
===================

In this issue:
1. Spreadsheets on the way out?
2. Mandelbrot
3. FSA update
4. Summer risks
5. Newsletter information

===============
1. Spreadsheets on the way out?

A recent survey of “business leaders” indicates that many companies
would like to reduce their reliance on spreadsheet based accounting
processes. 80% of the respondents said that spreadsheets should not
be the foundation for critical accounting processes.

“When asked what major risks are associated with spreadsheet-based
processes, 63 percent pointed to the fact that they are prone to
errors, 58 percent cited the lack of audit trail and 56 percent
said they lacked internal controls. Only 5 percent claimed that no
risks existed.” I’d say that 5% of the respondents are living on
another planet. However, the implication that the more automated
processes that may replace spreadsheets are risk free is
unwarranted. Moreover, it is possible (though difficult) to
construct spreadsheet based systems that have effective controls.

We also have to wonder how the view that spreadsheets should play a
smaller role in accounting processes will actually translate into
action. The road to hell is paved with good intentions, and
spreadsheets are notoriously addictive. I am willing to bet that
even as new automated systems are introduced to replace existing
spreadsheets, further spreadsheets will emerge to supplement the
new system. And that’s supposing that the new systems are actually
introduced.

http://www.revenuerecognition.com/article/1,5738,282||S,00.html

===============
2. Mandelbrot

You’re probably familiar with the name Mandelbrot in connection
with fractals, especially the Mandelbrot set. Over his career he
has shown that fractals can be found in many places in nature,
leading to entirely new fields of exploration in chaos theory.

He’s been looking at the variation of financial prices since 1960:
see http://www.math.yale.edu/mandelbrot/webbooks/wb_fin.htm. In his
latest book he uses fractal geometry to propose a “new, more
accurate way of describing market behavior.” The description goes
on to say that “With his fractal tools, Mandelbrot has gotten to
the bottom of how financial markets really work, and in doing so,
he describes the volatile, dangerous (and strangely beautiful)
properties that financial experts have never before accounted
for. The result is no less than the foundation for a new science of
finance.” Don’t you just love the understated elegance of book
blurbs? And the respect they show to other practitioners?

He’s also called for some of the money set aside for “independent
research” in the April 2003 settlement to be spent on fundamental
research into financial markets. He says “Let the Wall Street
settlement help to fund an international commission for systematic,
rigorous, and replicable research into market dynamics.”

The (Mis)behavior of Markets: A Fractal View of Risk, Ruin and
Reward by Richard L. Hudson, Benoit B. Mandelbrot

http://www.wired.com/wired/archive/12.08/view.html?pg=2

===============
3. FSA update

Although the rate of publication of consultation papers and policy
statements has slackened off, there are plenty of other
publications. Sometimes research is published as an Occasional
Paper, sometimes as part of a consultation paper, but this month
saw a Dear CEO letter outlining the results of a review of credit
risk management in life insurance firms. This builds on the paper
issued in October 2003: “Review of UK insurers’ risk management
practices”. The Dear CEO letter outlines a number of areas in which
weaknesses were found, although it does say that the project
findings generally indicated that credit risk is well managed in
the life insurance sector. Some of the weaknesses are very specific
to credit risk, though others can be generalised to other areas of
risk.

http://www.fsa.gov.uk/pubs/ceo/credit_risk_9aug04.pdf
http://www.fsa.gov.uk/pubs/other/review_ins_risk.pdf

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/13 Quarterly consultation (No. 1)
CP04/14 Treating with-profits policyholders fairly – Further
consultation, feedback on CP207 and near-final text

Feedback published this month:
------------------------------

None – but see CP04/14.

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Summer risks

This newsletter is shorter than usual because it’s a reasonably
effective way to mitigate the risk of not having enough time to
write it. On this occasion I can’t quote Pascal, who wrote “I have
only made this letter rather long because I have not had time to
make it shorter.” Or maybe Pascal was quoting someone else – see
http://berbenar.notlong.com.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Jul 2004

News update 2004-07: July 2004
===================

In this issue:
1. Upgrade has knock-on effects
2. Fraud prevention
3. Gene databases corrupted by Excel
4. FSA update
5. Other sources of information
6. Newsletter information

===============
1. Upgrade has knock-on effects

Citibank UK have been having problems with their current
accounts. Apparently there was a large systems upgrade which
caused a number of problems, resulting in an increase in the volume
of calls to their call centre, recently transferred to India from
Spain. The centre couldn’t handle all the calls without delays,
resulting in further complaints from customers.

Yet again we see one problem triggered by another. The call centre
probably would have been fine without the high volume of
calls. From the sound of it, the problems causing the calls were
pretty significant: direct debits changing their value to
£999,999.99 (that would certainly send me into overdraft), debits
happening twice, and ten year old addresses being used.

I know how difficult it is to test every last detail, but you would
really think that they would have ironed out the major problems
before going ahead with the upgrade.

The situation probably wasn’t helped by the letter of apology that
was sent out to some of the customers who complained. It said that
it was only a very small group of customers who were significantly
affected. The implication is that the problem is less serious
because few people were affected. If I was one of those people,
this would not go down particularly well. The problems may not be
serious for the bank, but they are extremely serious for the
individual customers concerned.

http://dotkised.notlong.com
http://rewhaite.notlong.com

===============
2. Fraud prevention

Another bank, who shall remain nameless, appears to be doing little
to prevent fraud. About six weeks ago I received a call asking me
if I had recently used my Switch card at a petrol station in the
Isle of Dogs. I hadn’t, and answered accordingly. I was told that
there was a fraud operating and that I should go to my branch to
report it. I did that and they destroyed the Switch card and said
that they would issue a new one which duly arrived. There had been
about three fraudulent uses of the card, to a total value of about
£60. Apparently the fraudster had somehow got hold of my card
details; I couldn’t work out how, as it’s not a card I use very much. It
was annoying, but not serious, and I assumed that once the bank
credited my account for the fraudulent transactions the episode
would be over.

The other day I received my bank statement. It had the expected
credit, but also included three more purchases at the same petrol
station. These were all dated well after the original report of the
fraud. I haven’t actually used the new card that I was sent yet. So
I trotted off to the branch again to report the fraud. I was told
that the fraudsters were probably still using the old card number.

This appears to mean that stopping the old card made no difference
whatsoever. Surely a bank can spot a transaction that uses an
invalid card number? The only other explanation is that the new
card details were used, in which case the only possible source was
the bank itself. Either way, the bank isn’t doing much to prevent
fraud. The amounts involved aren’t large, but it doesn’t really
give me much confidence in the bank’s ability to get other things
right.

It’s a pity I can’t just tell the bank that I will never use the
card to buy petrol in the Isle of Dogs (given that I live 400 miles
away, and don’t have a car, this shouldn’t be a difficult promise
to keep).

===============
3. Gene databases corrupted by Excel

Apparently some long standing problems with Excel are wreaking
havoc in the world of bioinformatics. Well, causing a few problems,
anyway.

As many Excel users know to their cost, it tries to be very clever
when importing data by recognising dates and converting them to
date values. So if the string “1 Dec 2004” is encountered, it is
converted into a date serial number (in this case 38322) and
formatted as a date (for example, as 01-Dec-04, or 1/12/2004). This
conversion is irreversible: the original string is completely
replaced by the new date.

There are about 30 standard gene names that Excel interprets as
dates. If data sets that include these names are loaded into Excel,
the names are garbled and the data sets corrupted.

Excel also automatically converts strings that it believes are
floating point numbers. For example, the string “2310009E13” is
converted to the number 2.31E+13. Again, the conversion is
irreversible. There are approximately 2,000 commonly used
identifiers that fit this pattern.

It is possible, although not easy, to avoid these automatic
conversions, but you have to remain vigilant. You can’t turn them
off, but have to take special steps each time you import data. Some
solutions are described by Microsoft in
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q214233.
There is further discussion in the paper that describes the
problems, which is available at
http://www.biomedcentral.com/1471-2105/5/80#B5

The problems are not, of course, limited to the world of
bioinformatics.
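
As an added illustration (not part of the original newsletter or the
paper it cites), the Python sketch below flags identifiers that are at
risk before a file is opened in a spreadsheet, and lists the ones that
changed after a round trip. The patterns are an approximation of what a
spreadsheet treats as a date or a number, not Excel's actual parser;
the function names and the sample rows (including DEC1 and SEPT2) are
constructed for this example.

```python
import csv
import io
import re

# Month names and abbreviations a spreadsheet date parser is assumed to accept.
_MONTHS = (
    "jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
    "aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?"
)
# Month then a short number ("DEC1", "Sept-2"), or the reverse ("1-Dec").
_MONTH_DAY = re.compile(rf"^(?:{_MONTHS})[-/ ]?\d{{1,2}}$", re.IGNORECASE)
_DAY_MONTH = re.compile(rf"^\d{{1,2}}[-/ ]?(?:{_MONTHS})$", re.IGNORECASE)
# Digits, one E, digits: read as scientific notation ("2310009E13").
_SCI = re.compile(r"^\d+(?:\.\d+)?[eE][+-]?\d+$")


def classify(identifier):
    """Return 'date', 'float' or None for a single identifier string."""
    s = identifier.strip()
    if _MONTH_DAY.match(s) or _DAY_MONTH.match(s):
        return "date"
    if _SCI.match(s):
        return "float"
    return None


def scan_column(csv_text, column):
    """List (file line, value, risk) for every at-risk value in one column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        risk = classify(row[column])
        if risk:
            findings.append((line_no, row[column], risk))
    return findings


def changed_identifiers(before_csv, after_csv, column):
    """Compare one column before and after a spreadsheet round trip.

    Returns (file line, original, exported) for every value that differs.
    The conversion cannot be undone from the exported file alone, so the
    original file must be kept for this comparison.
    """
    before = [r[column] for r in csv.DictReader(io.StringIO(before_csv))]
    after = [r[column] for r in csv.DictReader(io.StringIO(after_csv))]
    if len(before) != len(after):
        raise ValueError("row counts differ; files are not comparable")
    return [
        (i + 2, b, a)
        for i, (b, a) in enumerate(zip(before, after))
        if b != a
    ]


# Constructed sample data, for illustration only.
SAMPLE = """gene_id,expression
TP53,4.1
DEC1,0.7
SEPT2,1.9
2310009E13,2.2
BRCA1,3.3
"""

# The same rows as they might look after an unprotected import and export.
ROUND_TRIPPED = """gene_id,expression
TP53,4.1
1-Dec,0.7
2-Sep,1.9
2.31E+13,2.2
BRCA1,3.3
"""

if __name__ == "__main__":
    for line_no, value, risk in scan_column(SAMPLE, "gene_id"):
        print(f"line {line_no}: {value!r} would be read as a {risk}")
    for line_no, old, new in changed_identifiers(SAMPLE, ROUND_TRIPPED, "gene_id"):
        print(f"line {line_no}: {old!r} became {new!r}")
```
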

===============
4. FSA update

For many readers of this newsletter, the biggy this month was the
release of PS04/12, which gives feedback on CP190, CP195 and
CP202. I’m sure you’ve all read it!

There’s a new occasional paper out this month: What determines how
much capital is held by UK banks and building societies? It’s
available at http://www.fsa.gov.uk/pubs/occpapers/op22.pdf. The
title pretty much describes what it’s about. Many banks and
building societies in the UK hold levels of capital significantly
in excess of the minimum regulatory requirements, and the paper
discusses why this might be so. Although as a generalisation
insurance companies are not currently as well capitalised as banks,
it seems to me that much of the discussion might apply to them too.

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/12 FSMA 2 Year Review: Financial Ombudsman Service July 2004

Feedback published this month:
------------------------------

PS04/16 Integrated Prudential sourcebook for insurers
PS04/17 The Market Risk Module – Feedback on CP206 and ‘made’ text
PS04/18 Changes to the FSA’s Complaints Scheme – Feedback on CP04/6
and made text
PS04/20 Financial groups – Feedback on CP204 and made text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Other sources of information

The availability of information is one of the really good things
about the internet. However, if you don’t know it’s there you can’t
use it. Here are a number of web sites, mailing lists and
newsletters that I use. Some newsletters are chatty, like this,
others include only headlines that point to fuller
discussions. Whether you find these interesting will probably
depend on how much your interests overlap with mine.

If you know of any other sites that I might be interested in, do
let me know.

European Spreadsheet Risks Interest Group. Includes an archive of
spreadsheet horror stories.
web site http://www.eusprig.org
mailing list http://groups.yahoo.com/group/eusprig
or send email to eusprig-subscribe@yahoogroups.com

B2-ORM is an international email user group focused on the sharing
of information on the implementation of Basel II compliant
Operational Risk Management solutions in the Financial Services
industry.
mailing list http://finance.groups.yahoo.com/group/b2-orm/
or send email to B2-ORM-subscribe@yahoogroups.com

Risks digest. Forum On Risks To The Public In Computers And Related
Systems. Long running newsletter (since 1985).
web site http://catless.ncl.ac.uk/Risks
newsletter http://www.csl.sri.com/users/risko/risksinfo.html

The Register. “Biting the hand that feeds IT”. General IT
news. Daily and weekly newsletters available.
web site http://www.theregister.co.uk/

The Opera operational risk open discussion group. Allows users to
debate and discuss any aspects of operational risk with other
professionals.
mailing list http://finance.groups.yahoo.com/group/operationalrisk/
or send email to
operationalrisk-subscribe@yahoogroups.com

News on legal and IT issues from Masons. Weekly email update
available.
http://www.out-law.com/php/news.php?area=news

Systems Modelling Ltd. Patrick O’Beirne’s site, mainly covering
spreadsheets and risk management
web site http://www.sysmod.com/
newsletter http://finance.groups.yahoo.com/group/EuroIS/
or send email to EuroIS-subscribe@yahoogroups.com

Banking risk. Weekly email update available.
http://www.bankingrisk.com/

Financial technology issues. Daily and weekly email updates
available.
http://www.finextra.com/

Erisk risk briefings. Monthly email update available.
http://www.erisk.com/

Langalist. Twice weekly newsletter covering hardware and software
for PC users.
web site http://www.langa.com/newsletter.htm

ZDnet. “Where Technology Means Business”. A wide range of
newsletters available.
web site http://www.zdnet.co.uk/

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.


Newsletter Jun 2004

News update 2004-06: June 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Bank computer system fails (again)
2. Costs of compliance
3. FSA update
4. Bits and pieces
5. Newsletter information

===============
1. Bank computer system fails (again)

We hear about major computer failures in banks once or twice a
year. The latest one was in Canada, where the victim (or culprit)
was the Royal Bank of Canada. As the Globe and Mail put it “the
accounts of 10 million customers were rendered inaccessible in a
nanosecond by a monster computer glitch.”

The bank’s technology chief explained the whole thing. “It was a
program change. The guy made some mistakes. I mean, he made some
mistakes with respect to how he went through the testing process
with respect to it. It appears, as we’re going through this, that
it didn’t get tested as fully as it should have been and, as a
result, it created the problem. So, essentially, what you have is a
piece of code that ends up having a character in a field that it
shouldn’t be in. That change ends up setting off a sequence of
events.”

As I understand it, a change was made to one of the programs
comprising the system. There was a bug in the change, which was not
caught by testing. The bug showed up during the nightly batch
runs. After fixes, they then tried to run two days’ worth of
transactions in the same batch run. This didn’t work because the
system couldn’t cope with two different dates in the same run. It
took days to catch up; and meanwhile customers were getting more
and more upset.

I’ve said it before, and I’ll say it again, you can’t rely on only
one thing going wrong at a time. The problem with running a batch
job containing two dates was lying in wait: only when something
else had already gone wrong would it leap into action. As a
correspondent recently said in another context, relying on Murphy’s
Inverse Law (that everything that can go right WILL go right) is a
common error of judgement.

As is often the case, an operational loss was compounded by
reputational issues. It apparently took several days for the bank
to admit that there was a problem, and members of senior management
set off on pre-arranged holidays and business trips even after the
scale of the crisis had become apparent. Now it may well be that
there was nothing useful they could have done, but it just doesn’t
look good. This point is also becoming a regular theme in these
newsletters.

Finally, and this really wasn’t the bank’s fault, there was a major
phishing scam targeting their customers just as the whole
imbroglio was finally sorted out. Did I mention that it’s never
only one thing that goes wrong at a time?

Globe and Mail coverage is at the following URLs:
http://tinyurl.com/227ln
http://tinyurl.com/2bbzd
http://tinyurl.com/39qls

There’s an interesting write up at
http://www.bankingrisk.com/analysis/archives/2004/06/18/testing_times

===============
2. Costs of compliance

I work mainly in the insurance industry, and am aware of just how
much effort is going into complying with the new regulatory regime.
Many firms are making major investments in new models or bringing
old ones up to scratch. Others (or the same ones) are looking at
how they use their models, and whether they can really trust the
results. Are the systems and controls for maintaining and updating
the model adequate? What about data and assumptions? What do they
do about specification and testing?

There is a view that it’s about time too, and that the benefits to
management of having more accurate and reliable models will
outweigh the costs (and remember, there are opportunity costs as
well as the money that has to be spent). Others think that it’s all
pointless box ticking. The truth, as usual, probably lies somewhere
between the two (closer to the first, I believe), but those who
think it’s pointless will probably see fewer of the potential
benefits.

Not surprisingly insurance firms aren’t the only ones affected.
Apparently 40% of Barclays’ IT investment spend goes on regulatory
compliance programmes for Basel II and Sarbanes-Oxley. A recent
survey indicated that two-thirds of banks with assets over US$100
billion project costs of more than 50 million euros for Basel
II. The same survey claims that most banks see significant benefits
from Basel II and that they are planning to adopt the advanced
regulatory approaches for both credit and operational risk.

Sarbanes-Oxley is spreading its net widely, as it applies to many
non-US companies by virtue of relationships they have to US
corporations. Its main effect is in the area of systems and
controls and directorial responsibility, so adding to the weight of
pressure in that direction. At least one head has already rolled,
or is about to roll, as a result of Sarbanes-Oxley. A large US
corporation’s internal auditors were unhappy with the controls in
the IT department, which they viewed as not meeting the
requirements of Section 404, which is starting to take effect this
year. The CIO is now paying the price.

The whole question of systems and controls is a hot issue, both in
IT departments and elsewhere. After all, IT systems are developed
in many parts of the organisation, not only in IT departments.
Which brings us back to the beginning; what are actuarial models,
if not IT systems? And just think of all those spreadsheets…

The IT Governance Institute (ITGI, http://www.itgi.org/) has a
useful document entitled “IT Control Objectives for
Sarbanes-Oxley”. Although primarily intended for IT specialists,
others may well find it useful.

http://www.louisepryor.com/papers/confident.pdf
http://www.computerweekly.com/articles/article.asp?liArticleID=131260
http://revveday.notlong.com
http://www.it-director.com/article.php?articleid=11982

===============
3. FSA update

The FSA and HM Treasury have issued a joint consultation document
on the UK Implementation of the EU Market Abuse Directive
(Directive 2003/6/EC). This is available at
http://www.fsa.gov.uk/pubs/other/eu_mad.pdf.

The supply of consultation papers and feedback is definitely drying
up; this is only to be expected as the FSA is no longer a new kid
on the block. One would definitely hope that the major regulatory
changes had been mapped out by now. It is interesting to note that
the two largest categories of publication this month are Final
notices and Other FSA publications. Again, it’s not unexpected to
see more disciplinary activity as the system matures. And who gets
a filing system absolutely right at the beginning?

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/10 Child Trust Funds
CP04/11 A basic advice regime for the sale of stakeholder products

Feedback published this month:
------------------------------

None

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Bits and pieces

You may have noticed that I’ve used two different URL shortening
services in this newsletter: notlong and tinyurl. I really have no
particular view on which is better, but one of them was unavailable
while I was writing one of the articles, so I used the other. I
only hope they are both working when people try to click through on
the links.

Why use them at all, I hear you ask. Well, when a URL is too long
to fit on one line there are two possibilities. Either your mail
reader wraps it round, which looks messy, or it automatically
inserts a line break, which means that it won’t work as a link. And
some URLs are very long indeed. They have long, long code numbers
embedded in them, which often carry useful information (such as the
date of the article they refer to), on top of deep directory
trees. I always include the URL as plain text because this is a
plain text newsletter.

This is a plain text newsletter for a number of reasons. Everybody
can read plain text. There are still some people out there who do
not have html mail readers, for one reason or another. Because most
spam uses html, some people simply block all html mail. Many more
people read their email as plain text, even if it is sent as html
(I do this myself). Again, this is an anti-spam measure; spammers
often include spy-ware in the html mark-up of their mail, so that
they can tell who has read it and keep them on the list. Finally,
I’m just a plain text sort of person, concentrating on content
rather than form.

Talking of spam, we all know how much of a problem it is, but do
you know what problems anti-spam and other security measures can
create? Some ISPs do hidden spam blocking; they just dump messages
that they think are spam, without telling you about it. So you
don’t even know about the false positives. There have been a couple
of occasions recently when a client tried to send me a spreadsheet
for review, but the firewall at his end blocked the email without
telling either him or me. It’s this silent operation which is
dangerous.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.


Newsletter May 2004

News update 2004-05: May 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Models and risk
2. Phishing and security
3. FSA update
4. Weather perils
5. Newsletter information

===============
1. Models and risk

The cause of the collapse of Terminal 2E at Charles de Gaulle
airport has not yet been determined, and there is a distinct lack
of instant blame to be found in the press coverage. There are two
main potential sources of problems: either there was something
wrong with the design, or mistakes were made during construction.
One pundit apparently said that since the design had been computer
assisted, the fault was more likely to be in the construction. I
must say I found this comment to be a bit of a non sequitur. It
appears to assume that the use of a computer model in the design
means that the design was fault free, thus showing much more
confidence in computer models than is reasonable.

I am willing to believe that the computer aided design packages
that architects use have few bugs in them. In other words, the
calculations performed by CAD packages are likely to be correct
(but it’s difficult to believe that they are totally bug
free).

One of the major benefits of using models, whether for designing
airport terminals or for financial management, is that they are
simpler than the real world, making analysis much easier. The trick
is to omit the unnecessary detail, while retaining the important
characteristics. Sometimes that’s easier said than done: look at
what happened with the Millennium Bridge. It’s usually the leading
edge projects that show up this type of basic problem. Paul Andreu,
the architect of Terminal 2E, said that it was “bold … but
nothing revolutionary”, thus implying that the model probably
wasn’t being pushed beyond its usual envelope of applicability.

Ove Arup, the engineers responsible for the design of the
Millennium Bridge, have a good web site explaining how they went
about fixing the problem. They developed a new model, but had to
calibrate it by having people walk across the bridge and measuring
the effects. Calibrating financial models can be more difficult, as
you can’t operate a company for a few years under different
conditions to see what happens. You have to use the data that is
available, rather than generating the data that you’d like.

http://www.arup.com/MillenniumBridge/

===============
2. Phishing and security

We are all now aware of the phishing scams that regularly appear in
our mailboxes. They usually consist of a slightly ungrammatical
email asking you to go to some web site to verify your personal
details and password. The web site appears to be that of a bank, but
of course isn’t. In response, banks now warn their customers not
to believe emails purporting to come from them that ask for such
information.

But what happens when you get an unsolicited telephone call,
purporting to be from your bank, asking you to answer security
questions before continuing with the conversation? Should you
answer them, or should you suspect some kind of scam? How can you
tell whether the call is really from your bank? You might expect,
on the grounds of consistency, that such calls would never be
genuine. The risk of giving out confidential information over the
telephone would seem to be pretty much the same as giving it out to
a web site.

However, it seems that at least one bank really does behave in this
way. The calls in question turn out to be for marketing purposes,
and it’s not clear why the customer’s identity has to be verified
through security questions. It is my view that the bank in question
is increasing the risk that its customers will be victims of scams
in the future. There is little direct risk to the bank, but the
indirect risks in terms of reputation could be significant.

http://catless.ncl.ac.uk/Risks/23.37.html#subj10

===============
3. FSA update

Don’t be misled by the title of CP04/08 into thinking that it
contains nothing of interest. Section 8, entitled “Proposed
Amendments to the Listing Rules”, proposes that UK listed companies
should be required to demonstrate the quality of their internal
controls to their auditors. The proposal follows on from the issue
of the new Combined Code on Corporate Governance in 2003 (available
at http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf). The FSA are
proposing that auditors be required to review the ten Combined Code
provisions relating to audit and accountability, all of which are
objectively verifiable. They would also like auditors to be
required to consider whether the directors’ “Comply or Explain”
statement has been made after due and careful enquiry, but have
decided not to push ahead with that proposal for the time
being. The latter option would effectively require auditors to
review the processes by which the directors review the internal
controls.

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/7 Lloyd’s: integrated prudential requirements, and changes to
auditing and actuarial requirements – Including feedback on
CP178
CP04/8 Miscellaneous amendments to the Handbook (No.14)
CP04/9 Fees issues arising from the regulation of mortgage
business and general insurance broking – including feedback
on CP04/2

Feedback published this month:
------------------------------

PS04/13 Bundled brokerage and soft commission arrangements –
Feedback on CP176
PS04/14 Regulation of long-term care insurance – Feedback on CP200
and made text
PS04/15 Consolidated policy statement on our fee raising
arrangements

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Weather perils

I have now been on three walking holidays running with unseasonably
warm weather: north Italy in May 2003, northwest Scotland in August
2003, and northeast USA in May 2004. At times, in all three places,
it was warm enough to make walking unpleasant. So, if you like the
heat, I advise you to go to the west of Ireland in October, which
is my next planned holiday. Or maybe not.

Another risk of going on holiday is that work builds up while you
are away, and you don’t have time to catch up with everything.
That’s why this newsletter is shorter than usual, and slightly
delayed.

If you are in Edinburgh this weekend, consider going to the
Edinburgh Bach Choir’s concert on Saturday evening. We’ll be
performing Handel’s Dixit Dominus, Vivaldi’s Magnificat, Bach’s
Cantata no 182, and Purcell’s O Sing unto the Lord. See
http://home.clara.net/pryor/ebc/concerts.html#may for more
details.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.


Newsletter Apr 2004

News update 2004-04: April 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Corporate culture and dominance
2. Passwords
3. FSA update
4. Fraud
5. Newsletter information

===============
1. Corporate culture and dominance

Another month, another report on a large corporation drawing
attention to shortcomings in its corporate culture. Last month it
was NAB; this month it’s Shell. The details are different, of
course, which just goes to show how many different things it is
possible to get wrong. In Shell’s case, there was an over-dominant
chief executive as well as a poor culture of compliance. The report
was prepared by Davis Polk & Wardwell for Shell’s Group Audit
Committee. The executive summary and recommendations are now
publicly available from the Shell web site through
http://tinyurl.com/26t6q

It all makes interesting reading. If you treat it as referring to
the reserves of an insurance company it stays interesting, and much
of it remains relevant. There are some obvious changes: substitute
FSA for SEC for example, and don’t take too much notice of the
units involved (boe, or barrels of oil equivalent). But some useful
points emerge.

As far as regulations and guidelines are concerned, everybody
concerned needs to know what they should be complying with and how
they should do it. Also, documentation is vital.

“… not only were the Shell Guidelines non-compliant with the
SEC’s proved reserve definitions in key areas, but even
assuming they had been compliant, they lacked clarity
necessary to facilitate compliance…”

“Several control failures could be attributed to the short
tenure of certain individuals in key functions. … upon
rotation, complete and detailed handover notes should form the
basis for a formal transfer.”

It’s important that there are clear lines of responsibility, and
that they go right up to the top.

“evidence of diminished responsibility for line reporting of
reserves figures, especially in joint ventures where the SEC
definition of proved reserves was not important to local
interests.”

No details are given of the methodology used to derive the reserve
estimates, but we can assume that some sort of model is used. It
must presumably estimate the amount of oil in the ground, future
economic conditions and costs of extraction. However, “Reserve
reporting and the booking of reserves are viewed as much an art as
a science.” So it may well be that the final figures are based on
model results rather than being directly from the models; we just
can’t tell. In any case, you can usually get pretty much any result
you want out of a model by adjusting the assumptions. This is the
classic GIGO (garbage in, garbage out) syndrome: you should only
believe the results of a model if you have confidence in the inputs
and in the calculations that are performed.

===============
2. Passwords

Would you tell someone your corporate password in exchange for a
bar of chocolate? 122 people out of the 172 recently surveyed at
Liverpool Street station did (that’s 71%). That’s 122 people who
really should have known better (apparently about half of them did
require some persuasion, but not much: the interviewer commented
that it was probably the name of their child or pet).

In fact, if you are going to tell your password to anyone, a market
researcher is probably pretty safe. We aren’t given the details,
but the risk certainly depends on whether the recipient of the
information knows your name and where you work. Also, we don’t know
how many of the people gave false passwords in order to get the
chocolate (we aren’t told what type of chocolate, or how big the
bar was, either).

But you really should keep your password to yourself. The survey
provides anecdotal evidence of how insecure many passwords are. The
best story is probably the following:

“One interviewee said, ‘I work in a financial call centre,
our password changes daily, but I do not have a problem
remembering it as it is written on the board so that every
one can see it.’ ‘What everyone?’ our stunned researcher
asked. ‘Yes, although I think they rub it off before the
cleaners arrive,’ replied the worker.”

It’s clear that many people find it difficult to keep track of all
the passwords they need. If you have passwords for several
different systems, and have to change them all monthly, the number
soon mounts up, without even considering all those pesky
web sites. Some people get round the problem by using the same
password for everything. Others write them down, even on sticky
notes attached to their screens. Many people choose passwords that
are easy to remember, even though they may also be easy to guess.

If you’re wondering how you should choose your passwords, here are
some tips:

– Longer is on the whole safer, but you have to trade off safety
against actually being able to remember it.

– Words that are in the dictionary are bad. People’s names are
bad. Including mixed case, numbers, and punctuation marks is
good.

– You could try interleaving two words. Basing a password on my
name would give lPoRuYiOsRe for example. I don’t find this type
of password very easy to get right when typing it in, and you
certainly shouldn’t base it on anything as obvious as your own
name.

– Try using the initial letters of a phrase. Basing your password
on a famous soliloquy would give tbontbtitq. You shouldn’t choose
anything that obvious, and it’s good to put some of the letters
in upper case and add in some numbers.

– Use a password generator. There are a number available on the
web, or as software for your machine. They usually let you choose
what characters should be included (eg a-z, A-Z, 0-9, punctuation
marks), the length of the password and whether it should be
pronounceable (and hence easier to remember).

– If you have to change your password regularly, use some kind of
system. But don’t make it as obvious as the one cited in the
survey: “I use my wife’s name and add the current month.” At
least put the month in the middle of the name, but even better
come up with something a bit more sophisticated. You shouldn’t
base any type of password on your wife’s name, for a start.
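
As an added illustration (not part of the original newsletter), the
Python sketch below implements the kind of password generator described
in the tips, with selectable character classes and length, and compares
its guessing cost with the "name plus current month" scheme quoted from
the survey. The function names are made up for this example, and the
size of the name list an attacker would try is an assumption.

```python
import math
import secrets
import string

# Character classes a user can switch on or off, as in the tip above.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "punct": string.punctuation,
}


def generate_password(length=16, classes=("lower", "upper", "digits", "punct")):
    """Generate a random password using the operating system's CSPRNG.

    At least one character from every selected class is included, so the
    result passes typical "must contain a digit" style rules.
    """
    if not classes:
        raise ValueError("select at least one character class")
    pools = [CLASSES[name] for name in classes]
    if length < len(pools):
        raise ValueError("length is too short to cover every selected class")
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle so the guaranteed characters are not always at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def random_bits(length, classes):
    """Upper bound on entropy (bits) of a random password of this shape.

    The one-per-class guarantee removes a small fraction of the space,
    so the true figure is slightly lower.
    """
    alphabet_size = sum(len(CLASSES[name]) for name in classes)
    return length * math.log2(alphabet_size)


def name_plus_month_bits(name_count, positions=1):
    """Guessing cost (bits) of 'a name plus the current month'.

    name_count: how many candidate names an attacker tries (assumption).
    positions:  how many places the month could be inserted; 1 means it
                is always appended, 7 covers every slot in a 6-letter name.
    """
    return math.log2(name_count * 12 * positions)


if __name__ == "__main__":
    print("generated:", generate_password(12, ("lower", "upper", "digits")))
    print("random 10 chars, a-z A-Z 0-9: %.1f bits"
          % random_bits(10, ("lower", "upper", "digits")))
    # Assumed list of 1,000 common first names.
    print("name + month appended:        %.1f bits"
          % name_plus_month_bits(1000))
    print("name + month, any position:   %.1f bits"
          % name_plus_month_bits(1000, positions=7))
```

With the assumed 1,000-name list, moving the month into the middle of
the name adds fewer than three bits of guessing work, while a random
ten-character password is tens of bits stronger.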

If you do have to write your passwords down, keep them in a safe
place (not in your desk drawer), and don’t make it obvious what
they are. An alternative is to keep them in a special application
on your PC or PDA, such as SplashId (www.splashdata.com, PalmOs
only) and eWallet (http://www.iliumsoft.com/site/ew/ewallet.htm,
PalmOs and PocketPC).

Remember, it’s to your advantage for other people not to know your
password. You don’t want their nefarious deeds blamed on you.

===============
3. FSA update

Earlier this month the FSA released a report entitled “Management
of credit risks within a trading environment – Review of market
practices 2003.” Don’t be put off by its title. Even if credit
risks in a trading environment are not your cup of tea it contains
some useful advice. For example, a large number of front
office and back office systems in many cases lead to a complex and
opaque IT infrastructure. The risks are obvious, and are
exacerbated by mergers between firms.

The report also notes that some important risk management functions
may be delegated by a UK-regulated subsidiary to a global function
located in head office. It points out that local management remains
accountable to the FSA for the outsourced functions, and that in
some cases it was not easy to extract the relevant credit limits
and exposures from the global systems.

The report is available at
http://www.fsa.gov.uk/pubs/other/credit_risk.pdf

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/6 Changing the FSA’s Complaints Scheme

Feedback published this month:
------------------------------
PS04/5 Financial Services Compensation Scheme management expenses
levy limit and other funding issues – Feedback from CP209
and made text
PS04/8 Regulatory reporting – a new integrated approach: Feedback
on CP198 and made text
PS04/9 Reporting requirements for mortgage, insurance and
investment firms, and audit requirements for insurance
intermediaries – Feedback on CP197 and made text
PS04/10 Amendments to the Training and Competence sourcebook:
Feedback on CP194
PS04/11 Implementation of the Distance Marketing Directive –
Feedback on CP196 and made text
PS04/12 Implementation of the Insurance Mediation Directive for
long-term insurance business – Feedback on CP201 and
‘near-final’ rules

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Fraud

KPMG have analysed 100 of the fraud cases that they have
investigated over the past two years. They conclude that fraud is
mostly committed by men, by senior managers, and in the finance
department. The study has some limitations: it ignores frauds that
have not been discovered, and the report doesn’t say how the 100
cases were chosen. Some of the results aren’t particularly
surprising. Most senior managers in the finance department are men,
and filing clerks just don’t have the same opportunities.

There are some interesting points that emerge. Only one in three
cases had a single perpetrator. Many frauds could have been
prevented by a stronger control environment. Very few of them were
detected by internal reviews; more were exposed by whistle-blowing.
In nearly 20% of cases no sanction was taken against the
fraudster. In nearly 70% of cases there was no publicity about the
fraud. It seems that many firms are more worried about their
reputations than about preventing further fraud. And we do have to
wonder how many frauds never come to light.

http://www.kpmg.co.uk/news/detail.cfm?pr=1941

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Mar 2004

News update 2004-03: March 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. What happened next
2. Believing your results
3. FSA update
4. Fit for purpose
5. Newsletter information

===============
1. What happened next

Back in January we heard that rogue traders had caused a loss of
A$360m at National Bank of Australia (NAB). At the time, it wasn’t
clear exactly what had gone wrong (see my January newsletter at
http://www.louisepryor.com/showNews.do?issue=040128). Much more is
known now that PWC have issued a report on the whole episode.

One of the contributory factors was a weakness in NAB’s
controls. The bank closed out its book for the previous day at
about 8am, but the process of checking transactions did not begin
until 9am. The traders could reverse the false transactions during
this one-hour period.
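
The gap described above can be covered by comparing the book as it stood at close-out with every change written before checking begins. This is an added example, not taken from the PWC report or from NAB's systems; the record layout, field names, times and trades are constructed for illustration.

```python
"""Flag book entries changed between close-out and the start of checking.

Constructed illustration: record layout, times and trades are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # time the change reached the trade system
    trade_id: str
    action: str      # "BOOK", "AMEND" or "REVERSE"
    trader: str
    notional: float  # signed notional after the change (0.0 for a reversal)


def book_at(events, cutoff):
    """Replay the audit log up to and including `cutoff`: {trade_id: notional}."""
    book = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.when > cutoff:
            break
        if ev.action == "REVERSE":
            book.pop(ev.trade_id, None)
        else:
            book[ev.trade_id] = ev.notional
    return book


def changes_in_gap(events, close_time, check_time):
    """Return every change made after close-out, and before checking starts,
    to a trade that was part of the closed-out book."""
    at_close = book_at(events, close_time)
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        if close_time < ev.when <= check_time and ev.trade_id in at_close:
            findings.append({
                "trade_id": ev.trade_id,
                "action": ev.action,
                "trader": ev.trader,
                "when": ev.when,
                "close_notional": at_close[ev.trade_id],
                "new_notional": ev.notional,
            })
    return findings


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample: book closes at 08:00, checking starts at 09:00.
CLOSE_TIME = ts("2004-01-13 08:00")
CHECK_TIME = ts("2004-01-13 09:00")
SAMPLE_EVENTS = [
    AuditEvent(ts("2004-01-12 14:05"), "T1", "BOOK", "trader_a", 5_000_000.0),
    AuditEvent(ts("2004-01-12 16:30"), "T2", "BOOK", "trader_b", -2_000_000.0),
    AuditEvent(ts("2004-01-13 07:40"), "T3", "BOOK", "trader_a", 40_000_000.0),
    AuditEvent(ts("2004-01-13 08:20"), "T3", "REVERSE", "trader_a", 0.0),
    AuditEvent(ts("2004-01-13 08:30"), "T4", "BOOK", "trader_c", 1_000_000.0),
    AuditEvent(ts("2004-01-13 08:45"), "T2", "AMEND", "trader_b", -2_500_000.0),
    AuditEvent(ts("2004-01-13 09:30"), "T1", "AMEND", "trader_a", 5_500_000.0),
]

if __name__ == "__main__":
    for f in changes_in_gap(SAMPLE_EVENTS, CLOSE_TIME, CHECK_TIME):
        print(f["when"], f["trade_id"], f["action"], f["trader"],
              f["close_notional"], "->", f["new_notional"])
```

T4 is not reported because it was never in the closed-out book, and the 09:30 amendment to T1 falls after checking has started.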

However, a more serious failing was the culture of “arrogance” at
the bank. Bad news was kept from the board and senior management,
while warnings from competitors and the regulator about unusual
transactions had met with an “aggressive” response from NAB. The
manager of the four rogue traders knew they had breached their
limits but failed to take action. The PWC report says that
irregularities started in 2001.

The four traders concerned have been dismissed, as has their
immediate manager (who was said to be “asleep at the wheel”). Three
more senior managers have also left the bank, including the head of
risk. They weren’t directly involved, “but it happened on their
watch”.

As NAB’s new CEO said, someone in management should have noticed
when a business unit budgeted to earn a profit of $37 million a
year claimed to have made $42 million in a day. If something seems
too good to be true, it probably is.

http://www.theage.com.au/articles/2004/03/12/1078594562304.html
http://www.smh.com.au/articles/2004/03/12/1078594564982.html

===============
2. Believing your results

Complex actuarial models are increasingly prevalent in both life
and general insurance companies. However, it is not enough simply
to have these models and use their results: you must also have
confidence in the results, and be able to justify your
confidence. The FSA’s emphasis on systems and controls and the
effects of Sarbanes-Oxley are making themselves felt.

So, do you believe the results of your models? And if so, why?
Unless you are trusting in blind faith, you should be relying on
the following:

– The model specifications are explicit and have been approved by
the relevant people. If you don’t know what your model is meant
to be doing, you can’t tell if it’s right.

– The model implementation has been thoroughly reviewed and tested
against the specification. Testing is bound to uncover errors,
which with any luck can be fixed, so you must also have a system
of change tracking and version control, so you can tell which
version of the model you are using.

– Garbage in, garbage out is a truism but none the less valid for
that. You should take as much care over the data and assumptions
that feed in to the model as you should over the model itself.
Again, some sort of version control is often necessary.

– Finally, you need to be able to trace any results back to the
actual version of the model, data and assumptions that were used
to produce them. The process of actually running the model must
have a good audit trail.

You should bear these issues in mind whatever the size and
complexity of the model concerned, though obviously the
sophistication of the processes you use will vary with the
significance of the results. And by model, I mean anything from a
single sheet spreadsheet through to a major piece of software.
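
One way to get the traceability described in the last point, shown as an added example that is not part of the original newsletter: each run is logged with SHA-256 fingerprints of the model, data and assumptions, and log entries are hash-chained so later edits to the log are detectable. The fingerprinting and chaining scheme, the function names and the sample artefacts are assumptions made for illustration.

```python
"""Audit trail for model runs: which model, data and assumptions gave a result.

Constructed illustration; artefact contents and run names are assumptions.
"""
import hashlib
import json


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def entry_hash_of(entry: dict) -> str:
    """Hash of an entry's content, excluding its own stored hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return digest(json.dumps(body, sort_keys=True).encode())


def record_run(log: list, run_id: str, artefacts: dict, results: dict) -> dict:
    """Append an entry fingerprinting every input and the results of one run."""
    entry = {
        "run_id": run_id,
        "inputs": {name: digest(blob) for name, blob in artefacts.items()},
        "results": digest(json.dumps(results, sort_keys=True).encode()),
        # Chaining each entry to the previous one makes later edits detectable.
        "prev": log[-1]["entry_hash"] if log else "",
    }
    entry["entry_hash"] = entry_hash_of(entry)
    log.append(entry)
    return entry


def broken_entries(log: list) -> list:
    """Return indices of entries that were altered or whose chain link is broken."""
    bad, prev = [], ""
    for i, entry in enumerate(log):
        if entry["entry_hash"] != entry_hash_of(entry) or entry["prev"] != prev:
            bad.append(i)
        prev = entry["entry_hash"]
    return bad


def trace(log: list, results: dict) -> list:
    """Return the run_ids whose recorded results match `results`."""
    wanted = digest(json.dumps(results, sort_keys=True).encode())
    return [e["run_id"] for e in log if e["results"] == wanted]


def changed_since(entry: dict, artefacts: dict) -> list:
    """Return names of artefacts that are missing or differ from the run's."""
    return sorted(name for name, recorded in entry["inputs"].items()
                  if name not in artefacts or digest(artefacts[name]) != recorded)


# Constructed sample artefacts: two model versions, one data set, one basis.
MODEL_V1 = b"reserve = claims * (1 + inflation) ** years\n"
MODEL_V2 = b"reserve = claims * (1 + inflation) ** (years - 1)\n"
DATA = b"claims,years\n1000000,3\n"
ASSUMPTIONS = b"inflation=0.03\n"


def demo_log() -> list:
    log = []
    record_run(log, "2004-Q1-a",
               {"model": MODEL_V1, "data": DATA, "assumptions": ASSUMPTIONS},
               {"reserve": 1092727.0})
    record_run(log, "2004-Q1-b",
               {"model": MODEL_V2, "data": DATA, "assumptions": ASSUMPTIONS},
               {"reserve": 1060900.0})
    return log


if __name__ == "__main__":
    log = demo_log()
    print("result 1060900.0 came from:", trace(log, {"reserve": 1060900.0}))
    current = {"model": MODEL_V2, "data": DATA, "assumptions": ASSUMPTIONS}
    print("changed since first run:", changed_since(log[0], current))
    print("broken log entries:", broken_entries(log))
```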

If you’d like more information on this topic please let me know.

===============
3. FSA update

A few more CPs this month, but those FSA folk have been speaking a
lot! See http://www.fsa.gov.uk/pubs/speeches/index-2004.html for
some of the texts. The publication of the Penrose report and
realistic reporting for life insurance have been in the news a lot
recently, and not surprisingly a number of the speeches refer to
these issues.

New consultation and discussion papers out this month:
------------------------------------------------------

CP04/3 Reforming Polarisation: A menu for being open with consumers
– Including feedback on CP166
CP04/4 Mortgage firms and Insurance intermediaries: Funding of the
Ombudsman and Compensation schemes
CP04/5 Miscellaneous amendments to the Handbook (No. 13)

Feedback published this month:
------------------------------

PS04/4 The FSA’s approach to implementing the Freedom of
Information Act 2000 – Feedback to DP23 and our final
publication scheme
PS04/6 Conflicts of interest in investment research – Feedback on
CP205 and made Handbook text
PS04/7 The CIS sourcebook – A new approach – Feedback on CP185 and
made text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Fit for purpose

Sometimes you’d think that special purpose software would be more
suitable than off the shelf. And sometimes it seems that good old
fashioned non electronic technology would be just the
job. Apparently the hotel at One Aldwych in London has a fancy
computer controlled toilet system. The system failed recently, and
whenever any of the guests wanted to use any bathroom facilities
(toilet or shower) they had to be escorted to the corporate
headquarters in the building next door. The failure lasted for a
couple of days. The control system was based on Windows.

http://catless.ncl.ac.uk/Risks/23.20.html#subj2.1

And sometimes the problem isn’t the technology, it’s the
people. There has recently been another explosion in the volume of
spam sent out by computer worms. Many worms rely on the user
opening a mail attachment to make them work. Surprisingly, even
after all the publicity, it appears that many people still click on
attachments that they aren’t expecting from people that they don’t
know. The newest worms try to get round anti-virus software by
zipping the attachment up and password protecting it. The user then
has to unzip it using the password supplied in the accompanying
mail message. Apparently there are enough people around who will go
to all that trouble to do the worm’s work for it.

I have often heard software developers say something along the
lines of “Surely no user would ever … ” do something incredibly
stupid. Good software designers and developers have learnt never to
underestimate the potential carelessness or lack of knowledge of
users. It’s Murphy’s law writ large.

Just to hammer the point home, this applies to spreadsheets too; if
it is possible for a user to misunderstand the purpose of a
parameter or to run a macro under the wrong circumstances, it is
bound to happen sooner or later. And yes, it will probably be
sooner.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Feb 2004

News update 2004-02: February 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. $1.6 billion loss
2. Events
3. Bugs
4. FSA update
5. Pirates ahoy!
6. Newsletter information

===============
1. $1.6 billion loss

In May 1995 Carolyn Whittaker of Alabama took out a life insurance
policy for $25,000 with Southwestern Life through insurance agent
James Perry. The premiums were $50 a month. The policy lapsed in
October 1996, but Perry continued to collect the premiums until
December 2001, when he suggested that she let the policy lapse.
Whittaker was suspicious and contacted Southwestern, who told her
that her policy had expired in 1996. Whittaker sued.

She sued Southwestern as well as Perry, claiming that Southwestern
should have known that Perry was dodgy (I paraphrase slightly; he
had a prior verdict against him of $5 million for the same
conduct). She was awarded $10 million in compensatory damages and
$800 million in punitive damages from each party, making a total of
over $1.6 billion. Note that her actual loss was presumably between
$3100 (the premiums she was defrauded of) and $25,000 (the value of
the policy).

Southwestern, which is now owned by Swiss Re, plans to appeal.
Apparently under Alabama law punitive damages are limited to three
times compensatory damages, which would bring the total loss down
to $40 million each for Southwestern and Perry.

However, even a $40 million operational loss falls into the high
impact bucket. And however much is eventually awarded, the legal
costs are hardly likely to be insignificant. How would you have
assessed the risk of not vetting your intermediaries properly?

http://www.businessinsurance.com/cgi-bin/news.pl?newsId=3454

===============
2. Events

The actuarial profession is holding a seminar on Financial Risk on
23rd March. Details are available at
http://www.actuaries.org.uk/files/pdf/cpd/finrisk2004.pdf. It looks
as if it will be an interesting day, with a good line up of
speakers, and certainly not over actuarial in nature.

On 22nd March a paper on “Quantifying operational risk for general
insurance companies” will be presented at a Sessional Meeting of
the Institute of Actuaries
(http://www.actuaries.org.uk/files/pdf/sessional/sm20040322_notice.pdf).
I can whole-heartedly recommend this excellent paper, as I am one
of the co-authors. Much of the paper is applicable to operational
risk in general, rather than being specific to any sort of
insurance company. It will be available at
http://www.actuaries.org.uk/files/pdf/sessional/sm20040322.pdf from
early March.

===============
3. Bugs

Remember those power outages in the US last August? Guess what! A
software bug helped to cause them. It turned out there was a
previously unknown bug in an energy management system supplied by
General Electric. “It had never evidenced itself until that day,”
said spokesman Ralph DiNicola. “This fault was so deeply embedded,
it took them weeks of poring through millions of lines of code and
data to find it.”

The bug was triggered by a unique combination of events and
alarm conditions on the equipment it was monitoring, DiNicola
said. When a backup server kicked in, it also failed, unable to
handle the accumulation of unprocessed events that had queued up
since the main system’s failure. Because the system failed
silently, the operators were unaware for over an hour that they
were looking at outdated information on the status of their portion
of the power grid.

You may remember that in March 2003 there was a series of system
failures at Danske Bank, some of which were caused by a hitherto
unknown bug in the DB2 database software – see my April 2003
newsletter at http://www.louisepryor.com/showNews.do?issue=030422;
the relevant item is entitled “Troubles come in threes (or more)”.

Both incidents involved bugs that had not been discovered in the
presumably thorough testing performed by the vendors, or in the
years of use in many installations. To me, the lesson here is that
you can never assume that there are no bugs. Just think of all the
bugs in Excel (see the last couple of newsletters for details). It
would be a big mistake to believe that any software that you write,
including spreadsheets or models developed with specialist
packages, can buck the trend. Performing more testing is never
pointless (although it may not be cost-effective).

http://www.securityfocus.com/news/8016

===============
4. FSA update

This is the first time since this newsletter started that there
have been no new consultation papers between issues. Admittedly,
that’s only just over a year, but it really does seem as if the
flow is drying up. This probably shouldn’t surprise us, as there
have been so many issued on so many topics that they must have
covered a large part of the possible ground. It looks as if the
start up phase is finally coming to an end.

New consultation and discussion papers out this month:
------------------------------------------------------

None

Feedback published this month:
------------------------------

CP188 PS04/3: Clarification and revision of Financial Promotion
Rules and Guidance – Feedback on CP188

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Pirates ahoy!

Are you using unlicensed software? Maybe an evaluation copy that
you have never bothered to register? Or using more copies than you
have paid for? If so, you could be in big trouble if FAST, the
Federation Against Software Theft, have their way
(http://www.fast.org.uk/). They have recently announced that they
will use criminal proceedings to crack down on organisations
misusing software. Up to now they have tended to use civil
proceedings. Geoff Webster, CEO, said “The message to company
directors is clear – check your software licenses! Until then you
cannot be 100% certain that you’re not acting illegally and on the
way to receiving a criminal record. Software publishers who are
members of The Federation will not tolerate anyone making illegal
use of software.”

Meanwhile, the Business Software Alliance (http://www.bsa.org/uk/)
say that organisations from within the IT sector are the biggest
offenders. This is not surprising when you realise that they
probably use more software than organisations in other industries,
but on the other hand you’d think that they’d be more conscious of
the issue. After all, they’re the ones that lose out.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Jan 2004

News update 2004-01: January 2004
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. NABbed?
2. Random problems in Excel 2003
3. FSA update
4. Worms and more
5. Newsletter information

===============
1. NABbed?

Those rogue traders have been at it again. The National Bank of
Australia has discovered that four of them had managed to conceal
unauthorised trades over a period of three months. The latest
estimate of the losses is A$360m. The rogue traders had been using
currency options to bet that Australian and NZ dollars would fall
against US dollars. When this failed to happen, they apparently
tried (and for some time succeeded) to slip extra trades past
management in order to cover their losses.

The problem was discovered by a whistle blowing colleague, rather
than by the bank’s systems. The general manager of group corporate
affairs said “The systems were in place to detect trades that had
gone wrong on all the trades that were properly reported. But in
this instance, the trades were unauthorised and not properly
recorded and that’s why they weren’t picked up in the first
instance by the systems.”

Meanwhile, one of the traders concerned has claimed that in fact
the bank had authorised a breach of risk limits.

Some obvious points and a few questions:

– Fraudsters, as well as the merely incompetent, will always report
their trades (or other transactions) correctly. Yeah, right. A
system that only detects problems with properly reported trades
is not going to catch all the problems.

– It’s not necessarily a failure that the problem was detected by a
whistle blower. At least it *was* detected, rather than running
for a longer period.

– Is the reward structure wrong? It’s all very well paying for
profits, but most traders are going to get it wrong sometimes.
The carrot and stick have to be in balance and allow for the
realities of life.

– We don’t actually hear of that many rogue traders. Is this
because they are few and far between, or because they are seldom
caught?

– It should be impossible for there to be any doubt about whether
the trades were in fact authorised.

– The more complex the operation, the higher the operational
risk. Some derivatives (the problem trades were currency options)
are very complex and are correspondingly more difficult to
monitor.

The complexity issue is important. Take Parmalat; admittedly the
owners and management committed the fraud, rather than having it
committed against them, but the principle remains. Where are the
complex areas in your business? Reinsurance, perhaps, or project
financing. Would it be possible for a determined person to pull the
wool over your eyes in those areas?

http://news.bbc.co.uk/1/hi/business/3432605.stm
FT coverage at http://tinyurl.com/23m63
(I like the FT site but their URLs are just ridiculous!)

===============
2. Random problems in Excel 2003

Last month I mentioned that the RAND function doesn’t work in Excel
2003. It’s meant to return a random number between 0 and 1, but in
fact it sometimes returns negative numbers.

Microsoft have now released a hotfix (their term, not mine) that
they claim fixes the problem. They also claim that it fixes several
other problems, a number of which they had not previously
mentioned. Some of these problems cause Excel to quit unexpectedly;
at least it’s obvious to the user when this happens (although you
may lose your work). Others are more subtle.

– Sometimes the cells in a range are not actually updated when the
range is recalculated.

– When you use a VBA macro to calculate your worksheet, a custom
function from a different worksheet may appear to run.

– When you create multilevel subtotals for your data in an Excel
2003 worksheet, the totals may appear staggered incorrectly, and
may exclude grand totals for some functions.

There is no indication in these cases that anything is awry. If you
use Excel 2003, your spreadsheets may not show the correct
results.

The hotfix is not downloadable. You have to contact Microsoft and
convince them that you need it. Also, the installation process
includes editing the registry by hand.

We are expecting the first proper patch to Office 2003 in late June
2003. Meanwhile, Excel 2003 has bugs and is still being touted as
having an improved random number generator.

http://support.microsoft.com/default.aspx?scid=kb;en-us;833618

===============
3. FSA update

There’s been a change in the numbering system for consultation
papers and policy statements. The numbers now include the year, and
policy statements get their own numbers (so the feedback to CP193
is PS04/2, rather than PS193).

The FSA have released the Financial Risk Outlook 2004 at
http://www.fsa.gov.uk/pubs/plan/fro_2004/index.html. It provides a
good indication of what the FSA think their priorities will be over
the next year (though obviously things might change during the
year; “Events, dear boy, events” as Macmillan so eloquently put
it). The short to medium term risks that are singled out are:

– Financial decisions are being taken by consumers on the basis of
inadequate understanding

– Corporate sector credit risks for firms have moderated, but UK
household sector credit quality could deteriorate

– The life insurance industry faces continued challenges

– Firms will have to deal with a wave of legal, accounting and
regulatory reforms

– The terrorist threat remains high

– The impact of financial crime may still be under-estimated

In the longer term, the FSA mentions the following issues:

– Consumers are having to take ever greater responsibility for
planning their financial affairs

– Consumers have responded to low interest rates by borrowing more

– Demographic change is likely to add to the pressures on both
public and private finances

– The influence of the European Union on the financial sector is
steadily growing

New consultation and discussion papers out this month:
------------------------------------------------------

CP208 Consultation on funding the Financial Ombudsman Service
2004/2005
CP209 Financial Services Compensation Scheme management expenses
levy limit and other funding issues
CP04/1 Miscellaneous amendments to the Handbook (No. 12)
CP04/2 Fees and fees policy 2004/05

DP25 Development of transaction monitoring systems
DP26 Developing our policy on fraud and dishonesty

Feedback published this month:
------------------------------

CP133 Access to criminal records
CP183 Standardising past performance
CP187 Insurance selling and administration & other miscellaneous
amendments
CP191 The prohibition of insurance against financial penalties
imposed by the FSA
CP192 Further consultation on fees for mortgage firms and insurance
intermediaries
CP193 Professional Indemnity Insurance for personal investment
firms

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Worms and more

So there’s another worm on the rampage. I know this because (a) all
the techie newsletters I get have told me (b) my virus software has
found half a dozen copies of it in email and (c) I am getting a lot
of bounce messages. Either this worm or another one or just an
ordinary spammer is spoofing the from addresses so that
emails appear to come from a domain that I own. So
postmaster@yourdomain.com sends an automatic message to
nonexistent.person@mydomain.com to say that the message that was
sent to whoever@yourdomain.com couldn’t be delivered because there
is no such person. In July last year the proportion of total email
that was spam passed the 50% mark and we are now up to about 58%
(see http://www.brightmail.com/spamstats.html). And this is without
counting all the extra mail generated by bounce messages. I’m not
sure it includes worm related traffic, either.

On a more cheerful note (at least *I* think it’s more cheerful),
version 1.10 of XLSior is now available (http://www.xlsior.com).
Just in case it escaped your notice, XLSior is an Excel add in that
supports best practice in spreadsheet development – and saves you
time. Let me know if you’d like further information or a
demonstration.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2004. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.