
Newsletter Dec 2003

News update 2003-12: December 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Human error causes loss
2. Random problem in Excel 2003
3. FSA update
4. Seasonal risks
5. Newsletter information

———————————————————————-
Apologies if you didn’t receive last month’s newsletter; it was
filtered out as spam by some hosts, because it contained a four
letter word (pointless pen without alternative provides salacious
entertainment). The full uncensored version is available at
http://www.louisepryor.com/newsArchive.do.
———————————————————————-

===============
1. Human error causes loss

Last week two travel companies announced their results. First
Choice achieved a record profit of 47.8m pounds on 2.26bn pounds
turnover. MyTravel achieved a loss of 911m pounds on 4.2bn pounds
turnover. Quite a difference. A number of reasons were given by
MyTravel, but the biggest problem appears to have been that they
got their pricing wrong, so they were selling holidays at a
loss. The operating loss (before exceptional items) was 358m, much
of which can presumably be put down as an operational loss (in risk
management terms).

The large operational losses that reach the newspapers are usually
due to causes such as fraud or a rogue trader. It’s not often that
we see such large losses that are, in the words of Peter McHugh,
MyTravel’s chief executive, due to “human error.” He went on to
say:

“The idea was that we should become more efficient, and people
decided – properly I guess – that in order to do that we needed
to upgrade the technology so we could add accounting and other
things.

“Other than being old, the old systems worked fine. The new
systems were supposed to make things better but, when you do a
major upgrade, the systems need to talk to one another and have
interfaces and, as the new system was implemented, they turned
off the old system and lost the interface between them.

“The execution was poor and a lot of management information
that we used to get disappeared. We went through a period in
2002 when we had less information than we used to have.”

In summary, they thought that a new IT system would change their
lives for the better. When it was deployed, they found that it did
not replace the full functionality of the old system. They were
missing information that had previously been available, and that
was used in their pricing models. This made them get their prices
wrong. Ouch.

This story illustrates some well known truisms.

First, change is risky. It really is one of the major sources of
risk. People say this often, and they are right.

Second, no IT system is a silver bullet. One of the seminal essays
in software engineering is one by Fred Brooks, in his classic
collection “The mythical man-month.” The essay is entitled “No
silver bullet – essence and accident in software engineering” and
its summary reads: “There is no single development, in either
technology or management technique, which by itself promises even
one order-of-magnitude improvement within a decade in productivity,
in reliability, in simplicity.” Like many of his essays, the
overall message is not limited to software engineering.

Third, garbage in, garbage out (GIGO). If you haven’t got good
information going in to a model, you are most unlikely to get good
results out however much effort you put in. The most elaborate
algorithms can’t entirely compensate for poor or missing data.

Fourth, an IT system doesn’t exist in isolation. It has to connect
to other systems, and be used by people. These interfaces are often
more complex than is realised.

Finally, we can’t put all the blame on the specific IT system
involved in this mess. It was a new central reservations system,
the same system that First Choice uses.

===============
2. Random problem in Excel 2003

Don’t use Excel 2003 if you use the RAND() or RANDBETWEEN()
functions in your spreadsheets. It appears that a bug crept into
the final release that wasn’t present in the betas. RAND() was
apparently upgraded so that it produced a better distribution of
pseudo-random numbers between 0 and 1. The trouble is that the
numbers it produces may be more random, but aren’t always in the
correct range. Oops!

There has been some discussion of this on various mailing lists and
newsgroups. Apparently the problem is reasonably easy to replicate
if you have Office 2003 (I don’t, so I can’t confirm this).
Microsoft has not yet acknowledged that there is a problem, let
alone done anything to solve it.
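The failure mode described above, a generator whose output strays outside the range it promises, is exactly what a short acceptance test catches before a spreadsheet comes to depend on the function. The Python below is an added example of mine, not code from the newsletter, from Woody’s Watch or from Microsoft. It implements the textbook Wichmann–Hill combined generator as a reference (that this is the algorithm behind the new RAND() is my assumption, not something the newsletter states), a deliberately broken variant constructed to omit the final fold back into [0, 1), and a `check_uniform_range` harness that draws samples from any zero-argument generator and reports out-of-range draws and the spread across bins.

```python
"""Acceptance-test a uniform(0,1) generator: range check plus crude spread check."""
from collections import Counter


class WichmannHill:
    """Wichmann-Hill: three small LCGs whose scaled states are summed mod 1.

    Assumption: textbook algorithm used as a reference implementation only;
    this is not Microsoft's code.
    """

    def __init__(self, s1=1, s2=1, s3=1):
        # Seeds must be non-zero; the moduli are prime so the states stay non-zero.
        self.s1, self.s2, self.s3 = s1, s2, s3

    def _step(self):
        self.s1 = (171 * self.s1) % 30269
        self.s2 = (172 * self.s2) % 30307
        self.s3 = (170 * self.s3) % 30323
        return self.s1 / 30269.0 + self.s2 / 30307.0 + self.s3 / 30323.0

    def __call__(self):
        # The three terms each lie in (0,1); the fold keeps the sum in [0,1).
        return self._step() % 1.0


class BrokenWichmannHill(WichmannHill):
    """Constructed fault: the 'mod 1' fold is missing, so outputs reach almost 3."""

    def __call__(self):
        return self._step()


def check_uniform_range(gen, n=20000, bins=10):
    """Draw n samples from gen(); report range violations and bin imbalance.

    Returns a dict with the number of draws outside [0,1), the min and max
    seen, and the worst relative deviation of any bin count from n/bins.
    """
    counts = Counter()
    out_of_range = 0
    lo, hi = float("inf"), float("-inf")
    for _ in range(n):
        x = gen()
        lo, hi = min(lo, x), max(hi, x)
        if not 0.0 <= x < 1.0:
            out_of_range += 1
            continue
        # Guard against x*bins rounding up to exactly bins for x just under 1.
        counts[min(int(x * bins), bins - 1)] += 1
    in_range = n - out_of_range
    expected = in_range / bins if in_range else 0.0
    worst = None
    if expected:
        worst = max(abs(counts[b] - expected) / expected for b in range(bins))
    return {"out_of_range": out_of_range, "min": lo, "max": hi,
            "worst_bin_deviation": worst}


if __name__ == "__main__":
    print("reference:", check_uniform_range(WichmannHill()))
    print("broken:   ", check_uniform_range(BrokenWichmannHill(), n=2000))
```

The harness is deliberately generic: point it at any callable that claims to return uniform numbers in [0, 1), including a wrapper around a spreadsheet function, and the range check alone would have flagged the behaviour the newsletter reports.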

Many people who use Excel don’t use the built in statistical and
random number functions anyway, as in the past they have been
inaccurate in some circumstances (see my November newsletter for
some discussion of this). The more sophisticated users take their
statistical functions from other sources, or write their own. It
seems that they are right to do so.

The original reports of the bug came from Woody’s Watch at
http://www.woodyswatch.com/office2003/

===============
3. FSA update

Admittedly it’s less than a month since my last newsletter, but the
number of new consultation papers and feedback papers is still very
low. On the other hand, there have been a lot of Dear CEO letters,
final notices and speeches.

Among the latter was a speech by David Strachan emphasising that
capital adequacy is not a substitute for effective risk management
(http://www.fsa.gov.uk/pubs/speeches/sp163.html). He was talking
about insurance companies, but the point is valid across the whole
of the financial services sector (and indeed beyond).

New consultation and discussion papers out this month:
—————————————————–

CP207 Treating with-profits policyholders fairly

DP25 Development of transaction monitoring systems
DP26 Developing our policy on fraud and dishonesty

Feedback published this month:
—————————–

CP155 Tier 1 capital for banks: Update to IPRU(BANK)

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Seasonal risks

If you’re planning to go down any chimneys this month, make sure
you’ve done the appropriate contingency planning. Is your model of
the relative circumferences of you and the chimneys using up to
date inputs? Is the assumption of cylindricality appropriate? You
also have to consider what you would do in the event of a transport
failure (Rudolph may get breathalysed and done for being drunk in
harness). Global warming may affect your speed of delivery, as the
sleigh runs slower on sludge than snow. Your processes are
important too. I wouldn’t recommend either wrapping all the
presents before labelling any of them, for example, or labelling
any of them before wrapping. All in all, an operation full of
operational risk.

Even I couldn’t work in a reference to how important it is to test
your spreadsheets and financial models in the rest of the
newsletter, so I’m doing it here. XLSior, the Excel add-in I have
developed that provides automated testing, documentation and more
now has a new pricing structure: see www.xlsior.com for
details. There have been several releases over the last couple of
months to fix bugs and provide better functionality. Another one is
due towards the end of this month; it will include the ability to
use passwords when using XLSior to protect and unprotect multiple
sheets.

Have a very happy Christmas, and all the best in 2004.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.


Newsletter Nov 2003

News update 2003-11: November 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. $1.2 billion was an honest mistake
2. Updating software
3. FSA update
4. I just can’t do it…
5. Newsletter information

===============
1. $1.2 billion was an honest mistake

About 2 weeks after releasing their third quarter earnings figures,
Fannie Mae had to restate their unrealised gains by $1.2
billion. This was apparently the result of “honest mistakes made in
a spreadsheet used in the implementation of a new accounting
standard.” Honest mistake or not, $1.2 billion is a lot of money:
more than the $70 million of Provident Financial in March, or the
$24 million lost by TransAlta in June (see the relevant issues of
my newsletter for details). It’s reasonably common to see errors of
half a million or so, but they don’t usually make the headlines.

Apparently Fannie Mae picked up the error as part of the normal
processes of preparing their financial statements for
filing. Presumably they failed to pick it up as part of their
review process before issuing the earnings statement. They claim
that the event demonstrates that their accounting processes and
controls work as they should.

Better late than never, I suppose, but I can’t help thinking that
their processes and controls should have picked up the problem at
an earlier stage. We don’t know whether the mistake was in the model or
the implementation (ie, whether they had understood the accounting
standard correctly but had made a mistake in the implementation of
that understanding, or whether they had misunderstood the
new accounting standard). It’s entirely possible that their
reviewing processes don’t separate the two issues, thus making it
harder to find either kind of mistake.

Let me know if you’d like any of your spreadsheets reviewed, or if
you are not sure that your processes and controls are as effective
as Fannie Mae’s. Fannie Mae apparently continue to be proud of
theirs, so self-confidence isn’t necessarily a foolproof guide.

A statement from Fannie Mae is at
http://www.fanniemae.com/ir/issues/financial/103003.jhtml

===============
2. Updating software

It’s out! The eagerly awaited (by some) Microsoft Office 2003 has
been released, and still in the year of its name, too. And the
first patch, as well. Given that there are still many people out
there still using Office 97, we have to wonder how many will
upgrade. There aren’t huge improvements to the basic Word and Excel
capabilities, and most users don’t even know about half the
functionality that’s there in the older versions anyway.

As I’ve pointed out before, having so many different versions
around can create compatibility problems. It’s not so bad within a
single organisation, where you can hope that IT are on top of the
problem and enforcing uniformity, but one of the claimed advantages
of Office is that it’s a de facto standard. The problem is that
there are just enough new useful features in each version to create
problems when the files are read by older versions (eg, some
animations in PowerPoint don’t work so your presentation looks odd;
VBA, the macro language, changed a lot between 97 and 2000).

Some Excel users will face more serious problems when upgrading to
Office 2003. There were errors in the implementations of some of
the statistical functions in the Analysis ToolPak in Excel 2002 and
earlier, which have been corrected in Excel 2003. This means that a
workbook developed in an earlier version and recalculated in Excel
2003 may produce different results. The differences are described
in Microsoft Knowledge Base Article 828888 at
http://support.microsoft.com/default.aspx?kbid=828888.

The article gives the impression that it is only in rare cases that
the corrections will make any difference. That may be true, but
it’s not very comforting for those people that they do affect. One
of the errors concerns the calculation of the standard normal
cumulative distribution function; the old implementation is
basically wrong out in the tail. Another one comes up in functions
that involve sums of squares: the old version is inaccurate if
there are many significant digits in the data but very little
difference in the values. I don’t find it hard to imagine either of
those situations coming up in practice.
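The sums-of-squares symptom described above (many significant digits, little spread between the values) is the classic failure of the one-pass formula, where a sum of squares and a squared sum are both huge and nearly equal, and subtracting them cancels the digits that carried the answer. The Python below is an added example of mine, not code from the newsletter or from Microsoft’s knowledge base article; that the pre-2003 functions used the one-pass formula is my assumption, made because the symptom matches. It computes the sample variance three ways on constructed data with large values and tiny spread, and shows the two-pass and Welford forms returning the exact answer where the one-pass form returns nonsense.

```python
"""Sample variance three ways: one-pass (cancellation-prone), two-pass, Welford."""


def variance_one_pass(xs):
    """Textbook formula (sum(x^2) - (sum x)^2 / n) / (n - 1).

    Exact in real arithmetic; in floating point the two terms are enormous and
    nearly equal when the data have little spread, so the subtraction throws
    away the digits that mattered.
    """
    n = len(xs)
    sum_x = sum(xs)
    sum_sq = sum(x * x for x in xs)
    return (sum_sq - sum_x * sum_x / n) / (n - 1)


def variance_two_pass(xs):
    """Compute the mean first, then sum squared deviations from it."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def variance_welford(xs):
    """Welford's streaming update: one pass, no catastrophic cancellation."""
    n, mean, m2 = 0, 0.0, 0.0
    for x in xs:
        n += 1
        delta = x - mean
        mean += delta / n
        m2 += delta * (x - mean)
    return m2 / (n - 1)


# Constructed data: ten-digit values differing only in the last digit.
# True sample variance is that of 1..5, i.e. 2.5.
SAMPLE = [1_000_000_000.0 + k for k in range(1, 6)]


def compare(xs=SAMPLE):
    """Return all three estimates side by side for the given data."""
    return {
        "one_pass": variance_one_pass(xs),
        "two_pass": variance_two_pass(xs),
        "welford": variance_welford(xs),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>9}: {value}")
```

On the constructed data the squares are around 10^18, where a double’s spacing is 128, so the one-pass numerator is lost entirely; the two-pass and Welford results are exact because the deviations are small integers. The same cancellation does not show up on small data such as 1, 2, 3, 4, 5, which is why a function can pass casual testing and still be wrong on real inputs.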

If you think your calculations are affected, you then have to
decide whether to stick with the old version and go for
consistency, or upgrade and cope with the differences.

XLSior would be the ideal tool for checking the results either
before or after an upgrade. (Apologies for the slightly strained
link: see www.xlsior.com for details of automated testing in
Excel).

===============
3. FSA update

The first edition of a new newsletter, Insurance Matters, billed as
being on General Insurance Issues, appeared this month. It’s
available at http://www.fsa.gov.uk/pubs/other/im_newsletter1.pdf.
It should be compulsory reading for anyone involved in regulatory
matters in a general insurance company, or in a firm that has any
of the activities soon to come under the FSA’s umbrella: mortgage
lending, administration and sales advice; the sale and marketing of
long term care insurance; and the sale and administration of general
insurance policies.

The near-final text on prudential risks systems and controls was
issued at the end of October: it’s at
http://www.fsa.gov.uk/pubs/policy/ps_pru/index.html. The text is
the result of the following consultation papers and their feedback:
CP97 (Integrated Prudential Sourcebook), CP128 (Liquidity risk) and
CP142 (Operational risk). This text is expected to come into force
no later than 31 December 2004. It’s not quite complete yet, as it
doesn’t contain the chapter on group risk, which is still being
consulted on in CP204 (Financial groups).

New consultation and discussion papers out this month:
—————————————————–

CP205 Conflicts of interest: Investment research and issues of
securities
CP206 Miscellaneous amendments to the Handbook (No. 11)

DP24 Liquidity risk in the Integrated Prudential sourcebook: a
quantitative framework

Feedback published this month:
—————————–

CP171 Conflicts of Interest: Investment Research and Issues of
Securities
CP186 Mortgage regulation: Draft conduct of business rules and
feedback on CP146

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. I just can’t do it…

Is missing a penalty kick an operational risk? Am I missing out on
a really good analogy for risk management here? There was a
distinct lack of ecstasy on the streets of Edinburgh on Saturday,
when the English at last failed to snatch defeat from the jaws of
victory. The national press, based in London, thought that the
victory was wonderful. The national press, based elsewhere, were a
bit more circumspect – see “You might think it’s all over, but for
many the nightmare has just begun” at
http://www.scotlandonsunday.com/scotland.cfm?id=1292532003

Meanwhile I can’t help pointing out a couple of the weirder
operational risk related stories in the press recently.

“A German man fired for running up a euro 10,000 bill surfing porn
at work claims he was treated unfairly because his employers failed
to take into account his addiction to Net porn before giving him
the boot.” at http://www.theregister.co.uk/content/6/34075.html.

“Camera phones represent a significant liability or security risk
to business” says Jack Gold of the META group as reported at
http://www.out-law.com/php/page.php?page_id=banningcameraphone1067428194.
He encourages employers to ban them, which may be a slightly
paranoid measure to take.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

———————————————————————-
If you’re in or near Edinburgh you shouldn’t miss the forthcoming
performance of Mahler’s 8th Symphony, the “Symphony of a Thousand”, at
the Usher Hall on Sunday 30th November. It should be quite an
experience: Edinburgh Bach Choir, Edinburgh Royal Choral Union,
Jubilo, Edinburgh Youth Choir, and Sinfonia are joining forces for the
occasion. There won’t be 1000 of us, but there’ll be quite a few!

Tickets from the Usher Hall, 0131 228 1155
———————————————————————-


Newsletter Oct 2003

News update 2003-10: October 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. XLSior
2. Reputations
3. FSA update
4. Storm damage
5. Newsletter information

———————————————————————
There’s a seminar on the risks of ignoring operational risk on
Thursday 27th November. Speakers are from RSA, HBOS, the BBA and
Unilever, and it’s chaired by John Sinclair, an actuary with many
years executive experience as former Group Executive Director, GRE.
As the blurb says: Operational Risk affects us all, not just
bankers. It’s vital to the management of risk and capital in the
businesses of Asset Managers, Life and General Insurers, Pensions Fund
management and Financial Services. For those thinking beyond the
minimum regulatory requirements, this morning’s seminar will provide
insight into current best practice and opportunities for implementing
improvements. Details are at
http://www.actuaries.org.uk/files/pdf/cpd/operationalrisk20031127.pdf
———————————————————————

===============
1. XLSior

I’ve just released XLSior, an Excel add-in that helps you develop
and test your spreadsheets, with automated testing, automated
documentation, easier manual documentation, sheet handling tools,
version control and auditable imports from other workbooks.
Essentially, it’s a tool that makes it much easier to do things the
right way, and should help cut the error rates in spreadsheets
at the same time as improving productivity.

One of the beta testers said “It’s a great system. It makes Excel
into a proper development tool; the automatic testing on save
feature is brilliant.”

Although there are a number of add-ins for spreadsheet auditing, to
my knowledge XLSior is the first to address the spreadsheet
development process. It’s described at http://www.xlsior.com. Let
me know (by replying to this email) if you’d like a demonstration.

===============
2. Reputations

There are often arguments in operational risk circles about whether
reputational risk is part of operational risk or not. Here are
three recent stories.

SunnComm developed a copy protection mechanism for CDs. A graduate
student at Princeton discovered that it could be bypassed by
keeping the shift key depressed when loading the CD. SunnComm
threatened to sue him under the Digital Millennium Copyright Act
(DMCA), and claimed he had damaged the company’s reputation by
publishing his results (the market value had dropped by more than
£10 million). There was a lot of publicity about this, and SunnComm
soon withdrew their threat. Undoubtedly SunnComm made a bad
situation worse through their handling of it. See
http://theregister.co.uk/content/6/33340.html for more details.

Barclays chief executive Matthew Barrett made the headlines when he
told a Commons select committee that he advised his children not to
borrow on credit cards because it was too expensive. The press
compared his admission to the famous episode in which Gerald Ratner
described the goods sold in his High Street shops as “crap”, and
his company’s value fell by £500 million. However, so far the
fallout for Barclays seems to have been minimal, possibly because
Barrett was only agreeing with what the financial press has been
saying for years. Also, Barclays is by no means the worst offender
when it comes to interest rates on credit cards. More details at
http://money.guardian.co.uk/news_/story/0,1456,1064581,00.html
http://news.bbc.co.uk/1/hi/business/3199822.stm

My household has received several emails from banks recently,
claiming that they want to verify our email address. We are asked
to visit a web page and enter our user-name and password. We have
not rushed to do this for a number of reasons, one of which is that
we don’t have accounts with the banks in question. However, our
main reason is that the emails don’t actually come from the banks;
they are known as phishing emails and are used to dupe users out of
confidential information that can then be used to commit fraud.

The risks to consumers are obvious: what about the risks to the
banks? Well, phishing almost certainly affects consumers’
confidence in internet banking; if they don’t understand what is
happening, they will have a fairly low opinion of a bank that
thinks they are a customer when they are not; and they may even
lose business. Halifax has recently closed its online banking
facility as a direct result of the phishing emails. Other banks and
building societies who have been targeted include NatWest,
Barclays, Lloyds TSB and Nationwide. See
http://news.bbc.co.uk/1/hi/business/3214751.stm.

We can summarise the risk implications of the three stories as
follows. SunnComm suffered an operational loss due to bad handling
of reputational issues. Barclays was subject to the risk, but no
loss was suffered. Banks are subject to an operational risk (due to
external causes) which may or may not be connected with their
reputations.

===============
3. FSA update

The steady stream of consultation papers continues, although we
have been assured by John Tiner that there will be fewer in the
future.

To me, one of the most interesting documents published recently is
not a consultation paper at all. “Review of UK insurers’ risk
management practices” is available at
http://www.fsa.gov.uk/pubs/other/review_ins_risk.pdf. It is based
on a survey of 39 firms, broadly representative of the whole
industry but excluding bancassurers and the Lloyd’s market. The
state of risk management in the insurance industry is evidently a
bit of a curate’s egg: not all bad. Progress is being made, but
there are definite areas of concern, especially that risk
management systems are regarded as a compliance requirement, rather
than core business processes.

Many of the points made are consistent with those in “Building a
framework for operational risk management: the FSA’s observations”
which was published in July and is available at
http://www.fsa.gov.uk/pubs/policy/ps142_2/index.html. They are also
backed up by the admittedly less thorough survey that was conducted
by this year’s GIRO working party on operational risk, whose report
is now available at
http://www.louisepryor.com/show.do?page=articles.

New consultation and discussion papers out this month:
—————————————————–

CP200 Regulation of long-term care insurance
CP201 Implementation of the Insurance Mediation Directive for
long-term insurance business
CP202 Insurance regulatory reporting: changes to the publicly
available annual return for insurers
CP203 Review of the listing regime
CP204 Financial groups

DP23 The FSA’s approach to implementing the Freedom of Information
Act 2000

Feedback published this month:
—————————–

CP173 Amendments to the Interim Prudential sourcebook for
Investment Businesses chapter 5 rules on consolidated
supervision
CP177 Lloyd’s policyholders: Review of compensation arrangements
CP180 Fees for mortgage firms and insurance intermediaries
CP181 The Interim Prudential Sourcebooks for Insurers and Friendly
Societies: Implementation of the Solvency I Directives
(2002/12/EC and 2002/13/EC)
CP182 Proposed changes to the Listing Rules to take account of the
introduction of treasury shares

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Storm damage

Operational risk includes the risk of loss due to external
events. So hold on to your hats as 10 billion tonnes of super-hot
gas speeds in our direction. In the past episodes like this have
disrupted television broadcasts, automated cash machines and
airline tracking systems. They are known to affect mobile phones
and even wireless computer networks. This time, electric utilities,
airline communications and satellite navigation systems have all
been affected to a greater or lesser extent; for example, power
grid operators have seen the effects in their data, but so far have
not had problems.

http://news.bbc.co.uk/1/hi/sci/tech/3210901.stm
http://news.bbc.co.uk/1/hi/sci/tech/3213541.stm

It’s a truism to say that as we become more and more reliant on new
technologies, hitherto harmless events become more significant.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

———————————————————————-
If you’re in or near Edinburgh you shouldn’t miss the forthcoming
performance of Mahler’s 8th Symphony, the “Symphony of a Thousand”, at
the Usher Hall on Sunday 30th November. It should be quite an
experience: Edinburgh Bach Choir, Edinburgh Royal Choral Union,
Jubilo, Edinburgh Youth Choir, and Sinfonia are joining forces for the
occasion. There won’t be 1000 of us, but there’ll be quite a few!

Tickets from the Usher Hall, 0131 228 1155
———————————————————————-


Newsletter Sep 2003

News update 2003-09: September 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. How many spreadsheets are out there?
2. Fraud
3. FSA update
4. Wild blackberries
5. Newsletter information

———————————————————————-
If you’re in or near Edinburgh you shouldn’t miss the forthcoming
performance of Mahler’s 8th Symphony, the “Symphony of a Thousand”, at
the Usher Hall on Sunday 30th November. It should be quite an
experience: Edinburgh Bach Choir, Edinburgh Royal Choral Union,
Jubilo, Edinburgh Youth Choir, and Sinfonia are joining forces for the
occasion. There won’t be 1000 of us, but there’ll be quite a few!

Tickets from the Usher Hall, 0131 228 1155
———————————————————————-

===============
1. How many spreadsheets are out there?

How many spreadsheets do you have in your organisation? You might
be surprised. I have had a recent (unconfirmed) report of a major
bank with 250,000 spreadsheets. Someone at another organisation I
visited recently thinks that they have 15,000.

It’s difficult to know how to interpret these numbers: there may be
many duplicates included if there was a simple count of files with
the .xls extension. Some of the spreadsheets might be little more
than one-off doodles used to add a column of figures. But by any
measure there are a lot of them. What we don’t know is how they
compare in volume to “normal” IT systems.

The usual measure of software quantity is “lines of code”.
Microsoft Office is thought to contain about 25 million lines of
code and a system described as “an extremely large corporate
banking legacy system which had been in use for over 10 years” had
4.7 million lines of code.

It’s difficult to come up with an equivalent measure for
spreadsheets, which can include both spreadsheet formulae and
Visual Basic for Applications code. Moreover, “normal” systems
contain code for user interfaces, whereas spreadsheets rely on
their own formatting facilities. However, for a spreadsheet with no
VBA, a measure based on the number of formulae cells or unique
formulae (ie, a column containing the same formula copied down
contains only one unique formula) might be appropriate.

Typically, there are between 20 and 500 formulae cells per unique
formula. It’s difficult to estimate, and varies a lot, but a
spreadsheet that takes up say 3MB on the disk might contain 20,000
– 50,000 formula cells, or say 200 – 1000 unique formulae. This
might be equivalent to 500 – 3,000 lines of code. (This is based on
the spreadsheets I’ve reviewed recently, some of which have coded
calculations in VBA rather than spreadsheet formulae, taken with my
experience of programming in various languages; your mileage may
vary).

We can assume an average spreadsheet size of say 1 – 3MB. This
might seem like a large average size, but 6 or 7MB isn’t unusual,
and I’ve come across several in the teens. The largest I’ve heard
of was 100MB.

So, at a rough guess (and it is *very* rough), 250,000 spreadsheets
might be equivalent to 100 million lines of code. On the same
basis, 15,000 spreadsheets would be equivalent to 7.5 million lines
of code.

So what we’ve got here is the equivalent of several large corporate
banking systems floating around the organisation. Of course, all
those spreadsheets have been through rigorous quality assurance
procedures, so we needn’t worry, right?

If you’d like more information about good practices for spreadsheet
development and management, do get in touch by replying to this
email.

===============
2. Fraud

When people are asked to give an example of an operational risk, by
far the most common response is “rogue trader”. In fact, there are
comparatively few of them about, especially in the insurance
industry. Other types of fraud are more frequent and, cumulatively,
give rise to larger losses.

At a recent conference Carol Sergeant, of the FSA, berated the
financial services industry for an inadequate response to the
problem. Apparently many firms do not undertake a thorough analysis
of the actual and potential financial crime risks to which they are
exposed, and are not organised to tackle them effectively.

At the same conference Rosalind Wright, the former director of the
Serious Fraud Office, accused business bosses of concealing the
extent of fraud within and against their companies. She said that
many financial institutions were too frightened to report
fraud, fearing damage to their reputations. And of course sometimes
it’s the bosses who are perpetrating the fraud in the first place,
so they are doubly unlikely to report it.

The danger here is that firms are losing more money by turning a
blind eye to fraud than they would by trying to prevent it or deal
with it effectively after it has been discovered. An effective
management process for operational risk will cover fraud, so
Sergeant seems to be suggesting that many insurance companies’
processes fall short in this area. In the future, if the proposals
in CP190 and CP195 are adopted, the FSA’s view that a firm is not
doing enough in this area may prove expensive (see below).

Carol Sergeant’s speech is at
http://www.fsa.gov.uk/pubs/speeches/sp148.html

Rosalind Wright’s speech is reported at
http://www.thisislondon.co.uk/news/business/articles/timid67636?source

===============
3. FSA update

Following CP190, setting out proposals on capital requirements for
non life insurers, we now have CP195 for life insurers. Like CP190,
it is full of acronyms. After going through various mathematical
calculations, such as the MCR and ECR (which involve the LTICR and
WPICC) we get to the RCM. However, after all the sums are done, the
acronym that really matters is the ICG, or individual capital
guidance. This will set out the FSA’s view of the capital that is
adequate for the firm’s individual circumstances. The various
mathematical acronyms will be taken into account, but so will other
factors. Section 4.17 says “The more firms are able to demonstrate
that their risk assessment processes capture and quantify all of
the issues in our guidance, then the lower we are likely to assess
their ICG (and vice versa). This provides an incentive for good
risk management.” The overall message from CP195 is the same as
that from CP190: risk management processes matter.

New consultation and discussion papers out this month:
—————————————————–

CP195 Enhanced capital requirements and individual capital
assessments for life insurers
CP196 Implementation of the Distance Marketing Directive: proposed
rules and guidance
CP197 Reporting requirements for mortgage, insurance and investment
firms, and supplementary consultation on audit requirements
CP198 Regulatory reporting – a new integrated approach
CP199 Miscellaneous amendments to the Handbook (No. 10)

Feedback published this month:
—————————–

CP159 Appointed representatives – extending the current
regime. Feedback on CP159 and ‘near final’ rules
CP174 Prudential and other requirements for mortgage firms and
insurance intermediaries – Feedback on CP174 and ‘near
final’ text

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Wild blackberries

From Wired (http://www.wired.com/news/print/0,1294,60052,00.html):
“The eBay ad read ‘BlackBerry RIM sold AS IS!’ So Eugene Sacks (not
his real name), a Seattle computer consultant who always wanted one
of the pager-size devices to check his e-mail, sent in a bid. For
just $15.50, he bought the wireless device with 4 MB of memory. The
BlackBerry didn’t come with a cable, synching station, software or
a manual. But it did come with something even more valuable: a
trove of corporate data.

“After popping a battery into the BlackBerry’s back panel, Sacks
discovered a few things the previous owner wouldn’t have wanted him
to see — more than 200 internal company e-mails from financial
services firm Morgan Stanley and a database of more than 1,000
names, job titles (from vice presidents to managing directors),
e-mail addresses and phone numbers (some of them home numbers) for
Morgan Stanley executives worldwide.”

And then we hear that some ridiculous number of government laptops
go AWOL: “at least 60 of the 200 MoD and government laptops lost or
stolen will have contained sensitive information.”
(Report at http://news.bbc.co.uk/1/hi/technology/3109602.stm).

Meanwhile, in Australia, a couple of people just walked into a high
security computer facility and made off with two computers on a
trolley. The report says “The brazen theft has prompted Australia’s
top security agencies to conduct emergency damage audits amid fears
that terrorists may have gained access to highly sensitive
intelligence from the computers.”
(At http://www.smh.com.au/articles/2003/09/04/1062548967124.html)

We sometimes forget that sensitive information on a computer can
physically get into the wrong hands.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
news-subscribe@louisepryor.com. To unsubscribe, email
news-unsubscribe@louisepryor.com. All comments, feedback and other
queries to news-admin@louisepryor.com. Archives at
http://www.louisepryor.com/newsArchive.do.

Newsletter Aug 2003

News update 2003-08: August 2003
===================

In this issue:
1. Web site accessibility
2. Time is money
3. Viruses multiply
4. FSA update
5. EuSpRIG
6. Newsletter information

===============
1. Web site accessibility

So you get these whizzy web site designers in, all dressed in
black, and they produce some very artistic story boards showing
possible designs. You choose one, they develop a prototype and give
you a demonstration. It looks great. Technically sophisticated.
Right up to the minute, design wise. It’s going to be a big
marketing advantage, right?

Well, not necessarily. When they demonstrated it to you, it worked
really quickly, but what would it be like downloading over a phone
line? It looked cool in Internet Explorer, but what about in other
browsers?

You may think that only a few people use other browsers, or don’t
have Flash installed, or will complain if they can’t adjust the
size of the text, but those few people may hit your pocket hard.
First, a small proportion of a lot of people is still a lot of
people, and implicitly denying them access to your site is not
going to help your marketing effort. Second, some people use other
browsers or avoid technologies such as Flash and javascript not by
choice but out of necessity. They may have visual impairments, or
not be able to use a mouse, or be disabled in some other way.

It is a legal requirement to make sites accessible to the disabled,
and the Royal National Institute for the Blind (RNIB) is apparently
backing a number of people who are taking court action. Companies
that are sued run the risk of having to pay compensation, and will
also receive some bad publicity.

Meanwhile, a survey of 96 of 99 FTSE 100 companies (don’t ask)
showed that 21 of them failed basic accessibility tests. The three
not surveyed were so impenetrable that they could not be tested at
all.

Blind sue over site failings: http://www.vnunet.com/News/1142213
Accessibility report:
http://www.business2www.com/news_article.html?news_current=6156

===============
2. Time is money and more

How much time do people in your organisation spend waiting for
spreadsheets to do their calculations? You might be surprised: it’s
not uncommon to see macros that take up to half an hour to
execute, or spreadsheets that take 10 seconds to recalculate. This
is clearly a productivity issue, but it has wider implications too.

If something takes a long time, you will do it less often. So if
you have a macro that is very slow, you are less likely to test it
thoroughly, and it is more likely to be wrong. In addition, you
aren’t going to explore the possibilities nearly as much as you
would if it took only a minute to run. For instance, you might not
spot some cases where the results are very sensitive to the inputs,
and place more trust in the calculated numbers than is warranted.

Slow recalculation can have even more pernicious effects. 10
seconds is too long to wait each time you make a change, so you
turn automatic recalculation off. You then make the changes you
want, and recalculate by hand. If you forget to recalculate, the
spreadsheet is in an inconsistent state and shows incorrect
results. Moreover, the automatic or manual recalculation setting in
Excel affects all spreadsheets, not only the one that was showing
when you changed the setting. So any other spreadsheets that you
use are likely to show inconsistent results too.

In most cases the use of some simple techniques can make all the
difference. I have speeded up macro execution from 15 minutes to 25
seconds, and recalculation time from 10 seconds to half a
second. In general, you want macros to take under a minute (with
some exceptions) and recalculation to take less than a second (with
no exceptions).

If you’ve got some slow spreadsheets that you’d like speeded up, do
get in touch by replying to this email.

Further discussion of this issue can be found in my paper at
http://www.louisepryor.com/papers/pryor-eusprig-2003.pdf
Other papers discussing various spreadsheet risks are at
http://www.louisepryor.com/articles.jsp

===============
3. Viruses and worms multiply

It just gets worse and worse. Both the Blaster worm and the Sobig.F
virus have been wreaking havoc over the last week or so. Then
there’s Nachi, which sort of fixes the Blaster problems but
introduces its own.

The following incidents have been reported:
– Defence contractor Lockheed Martin had less than 1 percent of its
systems infected, but still had disruptions.
– Railway and freight hauler CSX had to stop trains because of the
Nachi worm.
– Air Canada cancelled flights because its network couldn’t deal
with the amount of traffic generated by the Nachi worm.
– The Pentagon and US military had myriad infections of the Sobig.F
virus and the Nachi worm.
– Danish government ministries were forced to shut down their
machines after e-mails purporting to be from various government
ministers (including the grandmotherly agriculture minister)
promised “wicked screensavers” and “naughty movies” to
unsuspecting citizens.
– The Norwegian government’s central e-mail server, labouring under
a backlog of half a million messages, was forced to shut.
– The entire information technology network of Swedish-Swiss
engineering group ABB was affected by a new variant of the
Blaster worm.

Some of the press coverage has implied that only home users were
affected. This just isn’t the case. The risks are real.

To me, one of the scary things about Sobig.F is that it relies on
users. Nothing happens if you don’t open the mail attachment.
Apparently the warnings about not opening unexpected attachments
just haven’t got through.

Another problem is that Sobig.F “spoofs” the from address of the
emails it sends out. This means that it pretends to come from
another address entirely, often one it has found in the address
book of the infected machine. Virus software on mail servers often
sends automatic emails to the senders of infected messages, warning
of the infection and suggesting they do something about it. When
the from address has been spoofed, these emails go to the wrong
place, thus adding to the confusion (as well as to the number of
emails caused by the virus).

And the sheer volume of emails is amazing. Email filtering
companies were reporting millions of infected messages a day
(literally: one reported 1 million and another 2.6 million, five
times the usual number). Another company reported an infection rate
of 1 in 17 messages, compared to 1 in 138 for the previous top
threat. America Online usually checks 11 million messages a day (it
only checks messages that have attachments). At the height of the
infection it checked 31 million messages in one day, 11.5
million of which were infected. By my reckoning (31 million checked,
less the usual 11 million and the 11.5 million infected), the
remaining 8.5 million messages were probably generated by virus
detection software…

Further details at
http://news.zdnet.co.uk/internet/security/0,39020375,39115869,00.htm

===============
4. FSA update

The FSA, HM Treasury and the Bank of England have published a guide
to the Financial Services Action Plan (FSAP). The FSAP consists of
a set of measures intended by 2005 to fill gaps and remove the
remaining barriers to a Single Market in financial services across
the EU as a whole. The guide is at
http://www.fsa.gov.uk/pubs/other/fsap_guide.pdf. From the
introduction: “The guide is intended to provide an introduction to
the FSAP for the UK financial sector, corporate sector and consumer
groups, where they are not yet sufficiently familiar with its
potential impact, rather than for experts.”

New consultation and discussion papers out this month:
—————————————————–

CP191 Miscellaneous amendments to the Handbook (No. 9)
CP192 Further consultation on fees for mortgage firms and insurance
intermediaries
CP193 Professional Indemnity Insurance for personal investment
firms: proposed policy and rules
CP194 Amendments to the Training and Competence sourcebook:
including consultation on Competencies for Mortgage Advisers

DP22 Reducing money laundering risk – Know Your Customer and
anti-money laundering monitoring

Feedback published this month:
—————————–

CP163 The UCITS Management Directive: Implementing the UCITS
Amending Directive (2001/107/EC) – Feedback on CP163 and made
text
CP168 Consolidated policy statement on our fee raising framework –
As at July 2003 (including feedback on CP168)

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. EuSpRIG

In July I attended the Fourth Annual Conference of the European
Spreadsheet Risks Interest Group, held in Dublin. It was a busy
couple of days, with many interesting papers. The participants were
a varied crowd, ranging from academics through consultants to
spreadsheet users. There were many good exchanges of views.

The keynote address was given by Dean Buckner of the FSA, who is
apparently quite worried about the way many firms are handling (or
not handling) the risks of end-user computing. A big problem is
that spreadsheets (and databases – a lot of use is made of Access)
are not taken seriously: “we’ll introduce a real system soon, so
it’s not worth worrying about the spreadsheets as they’ll just
disappear.” Well, they may or may not disappear in the future (my
guess is not), but they are here now and pose real risks. If you’d
like to know more, just get in touch by replying to this email.

If you are at all interested in spreadsheet risks you should sign
up for the EuSpRIG mailing list at
http://groups.yahoo.com/group/eusprig. It’s very low volume, and
you’ll be kept up to date on EuSpRIG and the next
conference. EuSpRIG’s site is at http://www.eusprig.org/, where you
can find a full report of the recent conference.

Newsletter Jul 2003

News update 2003-07: July 2003
===================

Stop press
==========

Just as I was about to send this out, the FSA released “Building a
framework for operational risk management: the FSA’s observations –
Feedback on industry practice as we prepare to implement CP142”
available at http://www.fsa.gov.uk/pubs/policy/ps142_2/. The document
gives the results of a thematic review performed by the FSA. It
discusses issues firms consider as they establish operational risk
frameworks, and presents the FSA’s conclusions. It’s clearly essential
reading for everyone involved in operational risk.

In this issue:
1. Ganging a-gley
2. PDAs are dangerous
3. Counting the zeros
4. FSA update
5. Content filtering
6. Newsletter information

===============
1. Ganging a-gley

“the best laid schemes o’ mice an’ men, Gang aft a-gley” as Robert
Burns said in 1786. 217 years later, we can only agree. Recent
visitors to the web site of the Actuarial Profession at
www.actuaries.org.uk may have noticed messages from the Chief
Executive on the front page, one explaining that there were
problems with the web site and email, and then a few weeks later
one saying that everything was now working correctly. The problems
arose from major changes to the IT infrastructure.

Apparently it had become necessary to change operating systems. The
changes turned out to be both major and complex: there were all
sorts of interdependencies which meant that many things had to be
changed simultaneously. In the middle of all this, an unconnected
piece of hardware (which was due for replacement shortly anyway)
decided to give up the ghost. As part of the fallout email was
unreliable for some time, and didn’t function at all for a
period. Several communications to the members of the profession
were made by snail mail instead.

This type of problem is not unusual. It was possibly more visible
than it would have been in some organisations because the Actuarial
Profession has made good use of new technologies and relies on the
web and email for most of its communications with the membership.

It does remind us, though, that change of any sort is one of the
biggest causes of operational risk. It is often difficult to
predict the precise effects of any change; in addition, it is
extremely difficult to make full contingency plans for complex
changes. Unfortunately change eventually becomes necessary.

We all know that it is best to make several small changes instead
of one large one; to pilot the changes first; and to do the whole
thing in such a way that you can back out of the changes at any
stage. Unfortunately these things are often easier said than
done. Also, change tends to become more risky over time. Small
changes are made over an extended period, as performance is
tweaked, new functionality added, and so on. These small changes
tend to make use of what is there already, thus introducing further
interdependencies. As time goes on, and it is recognised that
interdependency creep has taken hold, the risks of a major change
become apparent and major changes are put off, which gives the
interdependencies still longer to accumulate. It’s all a
vicious circle.

By the way, most of the points I’m making here are not specific to
IT systems, but apply to any systems or processes in the
organisation.

And finally, you can’t rely on just one thing going wrong at once
(see also the April issue of this newsletter, at
http://www.louisepryor.com/showNews.do?issue=030422). This is
especially true in IT, but applies elsewhere too. Remember that
Murphy was with Burns on this one.

===============
2. PDAs are dangerous

Last month I discussed two surveys that showed how dangerous life
is, bemoaning the lack of business continuity arrangements and
effective backups. The not entirely disinterested survey this month
was conducted on behalf of PointSec, a company that specialises in
protecting mobile devices.

According to the survey, a third of employees who have PDAs are
leaving sensitive information unprotected on them. (As usual, I
have only been able to find press reports of the survey, all
written from the same press release, so I don’t know what the real
results are). Many people store use them to store business names
and addresses, bank account details, personal information,
passwords and PINs, and corporate information. Not only could a
thief or finder steal the owner’s identity, they could also pose a
real threat to the owner’s employer.

The press release is at
http://www.infosec.co.uk/page.cfm/Action=Press/PressID=4/t=m

Useful utilities for protecting confidential information on your
PDA are SplashId (www.splashdata.com, PalmOs only) and eWallet
(http://www.iliumsoft.com/site/ew/ewallet.htm, PalmOs and
PocketPC).

===============
3. Counting the zeros

There were “wild market swings” on 3rd July when someone entered an
order to sell 10,000 contracts in Chicago Board of Trade e-mini Dow
Jones Industrial Average futures. Apparently people feared that
something dreadful such as a terrorist attack had happened, but in
fact it was simply an erroneous entry in the trading system. The
trader had intended to sell 100 contracts.

These “wrong big figure” quotes are reasonably frequent. There are
many contracts and trading agreements out there that mention them
specifically (do a search on the phrase to see examples). The
trouble is that it’s difficult to stop them happening. Make the
user confirm all their entries, and they get used to hitting enter
twice instead of once, so the error just goes straight
through. Don’t make them confirm, and the error just goes straight
through. The best answer is probably to be a bit intelligent about
it: ask for confirmation in special cases, when the volume, or
price, or other measure, is significantly different from the norm
for that trader, or that contract or stock, or for the market as a
whole. It’s more difficult to implement, but more likely to stop
the problem.

Apparently at the time this happened a contract was worth roughly
$45,000, so the sell order was worth about $450m instead of
$4.5m. Seems like quite a difference to me.
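What "being a bit intelligent about it" might look like in code. This is an
added example, not code from the original newsletter or from any trading
system it mentions: an order is sent for confirmation only when its size is
far outside the norm for that trader, for the desk, or in notional terms, or
when its price is well away from the last trade, and a confirmation means
re-keying the quantity rather than pressing Enter again. The order
histories, reference price, contract value and every threshold are
constructed assumptions.

```python
"""Pre-trade 'wrong big figure' check.

Added example, not code from the original newsletter. It asks for
confirmation only when an order is far outside the norm for that trader,
that contract or the desk as a whole, so that confirmation stays meaningful
instead of becoming a reflex. Histories, prices and limits are assumptions.
"""
from dataclasses import dataclass, field
from statistics import median

MIN_HISTORY = 5  # assumption: fewer past orders than this is not a usable norm


@dataclass(frozen=True)
class Order:
    trader: str
    contract: str
    quantity: int
    price: float


@dataclass
class Decision:
    confirm: bool
    reasons: list = field(default_factory=list)


# Constructed histories (assumption): quantities of recent filled orders and
# the last traded price. A real system would take these from the order book.
TRADER_HISTORY = {("t-1001", "YM"): [80, 120, 100, 150, 90, 110, 100, 130]}
DESK_HISTORY = {"YM": [100, 200, 150, 250, 120, 300, 180, 90]}
REFERENCE_PRICE = {"YM": 9000.0}


def ratio_to_norm(quantity, history):
    """How many times the median past quantity the new quantity is. The median
    is used rather than the mean so that one earlier fat finger does not
    quietly become the new normal."""
    return quantity / median(history)


def check_order(order, trader_limit=5.0, desk_limit=10.0,
                price_tolerance=0.10, notional_limit=100_000_000.0,
                contract_value=45_000.0):
    """Return a Decision saying whether the order needs explicit confirmation,
    and why. Every limit here is an assumed policy value."""
    reasons = []
    trader_hist = TRADER_HISTORY.get((order.trader, order.contract), [])
    desk_hist = DESK_HISTORY.get(order.contract, [])

    if len(trader_hist) >= MIN_HISTORY:
        r = ratio_to_norm(order.quantity, trader_hist)
        if r >= trader_limit:
            reasons.append(f"quantity is {r:.0f}x this trader's median in {order.contract}")
    if len(desk_hist) >= MIN_HISTORY:
        r = ratio_to_norm(order.quantity, desk_hist)
        if r >= desk_limit:
            reasons.append(f"quantity is {r:.0f}x the desk median in {order.contract}")
    if len(trader_hist) < MIN_HISTORY and len(desk_hist) < MIN_HISTORY:
        # Fail safe: with nothing to compare against, ask rather than wave through.
        reasons.append("no usable history for this trader or contract")

    ref = REFERENCE_PRICE.get(order.contract)
    if ref is not None and abs(order.price - ref) / ref > price_tolerance:
        reasons.append(f"price {order.price:,.2f} is more than "
                       f"{price_tolerance:.0%} from {ref:,.2f}")

    notional = order.quantity * contract_value
    if notional >= notional_limit:
        reasons.append(f"notional {notional:,.0f} is at or above the "
                       f"{notional_limit:,.0f} limit")

    return Decision(confirm=bool(reasons), reasons=reasons)


def confirmed(order, retyped_quantity):
    """A second press of Enter is not a confirmation. The user has to re-key
    the quantity, so a reflex keystroke cannot wave 10,000 through as 100."""
    return retyped_quantity == order.quantity


if __name__ == "__main__":
    for qty in (100, 10_000):
        d = check_order(Order("t-1001", "YM", qty, 9000.0))
        print(qty, "confirm" if d.confirm else "ok", d.reasons)
```

With the constructed history, 100 contracts goes straight through, while
10,000 contracts trips the trader norm, the desk norm and the notional
limit at once. The fail-safe branch matters: a trader or contract with no
history gets a confirmation prompt rather than a free pass.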

There’s a description of the incident at
http://news.morningstar.com/news/DJ/M07/D03/1057291261351.html

===============
4. FSA update

John Tiner is to be the new Chief Executive at the FSA. He was not
by any means considered an outsider for the post, and on the whole
his appointment was welcomed. There is likely to be some internal
reorganisation after he takes over in September, but no radical
overhaul of the way that the FSA approaches its duties.

CP190, the long awaited consultation paper on capital requirements
for non-life insurers, has been released at last. It’s long, so few
people will yet have had time to digest it fully. I was
particularly interested in the discussion of the ICG (Individual
Capital Guidance). Basically, firms will be expected to calculate
their ECR (Enhanced Capital Requirement), learn a whole new set of
TLAs (Three Letter Acronyms), and assess their capital requirements
in the light of both their calculated ECR and how their individual
risk profile differs from that used in the ECR calculations. The
ICG will be guidance from the FSA on this, and will be consistent
with the Arrow risk assessments. It looks as if there will be a
real incentive to have a robust and workable risk management
framework.

This is all consistent with the FSA’s stated aim of getting better
risk awareness and management amongst senior managers. The FSA also
say that the current rate of failure through insolvency is too
high, and that higher levels of capital should help to cut the
rate. The implication is that better risk management practices
should also reduce insolvencies, a theory that is borne out by the
paper on insurance company failures issued late last year (see
http://www.louisepryor.com/showNews.do?issue=030120 and
http://www.fsa.gov.uk/pubs/occpapers/op20.pdf).

The FSA has recently conducted a review of liability insurers,
during the course of which they identified a number of good
practice indicators. Showing every sign of extreme consistency, a
number of these are to do with the insurer encouraging good risk
management practices in their policy holders.

New consultation and discussion papers out this month:
—————————————————–

CP187 Insurance selling and administration & other miscellaneous
amendments
CP188 Clarification and revision of financial promotion Rules and
Guidance
CP189 Report and first consultation on the implementation of the
new Basel and EU Capital Adequacy Standards
CP190 Enhanced capital requirements and individual capital
assessments for non-life insurers

Feedback published this month:
—————————–

CP136 Individual capital adequacy standards
CP143 Integrated Prudential sourcebook – Feedback on chapters of
CP97 applicable to insurance firms and supplementary
consultation
CP153 Alternative trading systems
CP157 Examination Framework for Retail Financial Services
CP160 Insurance selling and administration – the FSA’s
high-level approach to regulation
CP165 Miscellaneous amendments to the Handbook (No.6)
CP167 With-profits governance and the role of actuaries in life
insurers
CP175 Miscellaneous amendments to the Handbook (No. 7)

DP19 Options for regulating the sale of “simplified investment
products”

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Content filtering

Last month I discussed the dangers of some viruses and fake viruses
that are currently doing the rounds. Some readers failed to receive
the benefit of my wisdom because their firewalls refused to let the
email through, thinking it might be dangerous. This happened
because they use “content filtering”: blocking emails that contain
certain content, usually words that are generally associated with
spam or snippets of text that are contained in undesirable
emails. The last issue contained the word j d b g m g r, and this
was enough to trigger blocking at a number of sites.

It’s difficult to know exactly, but there were at least 6 domains
that blocked the email completely, and another 2 or 3 that delayed
delivery (presumably it had to be checked out by hand). This is out
of a total of about 90 domains that the newsletter is delivered
to. There may have been more delivery failures that I never found
out about. The issue is available in full on the web site at
http://www.louisepryor.com/showNews.do?issue=030626 if you missed
it.

In this case there was no real harm done by content filtering, but
in general it is not a good idea, as its hit rate on innocent email
can be too high. Given any word or phrase that might be filtered on
(pick any body part that only 50% of people have, for example) and
it is possible to come up with an example of a totally legitimate
email containing that word. Admittedly content filtering is more
reliable in a corporate context than it is for general service
providers such as ISPs, but there are still many exceptions. My
last newsletter was, I like to think, one of them.

I had some interesting correspondence with the support staff at
some of the affected domains: some were extremely helpful and
friendly, but had no easy way of overriding the block, others were
more complacent. For example, one said “We screen for viruses and
hoaxes and are authoritative for our internal users – any other virus
related communications are potential social engineering attacks,
and are filtered at the internet mail gateways.” In other words, in
this organisation the internal users are kept in ignorance of the
exact nature of the threats. I believe this is a high risk
policy. It will work so long as their filtering at internet mail
gateways is totally effective, and is always updated before a
potential threat arrives. It will not work if there is any way of
getting round the protection; for example, taking a laptop home and
using it to read email from a personal mail account. To my mind,
informed users are more likely to be safe users.

Newsletter Jun 2003

News update 2003-06: June 2003
===================

In this issue:
1. Pasting is dangerous (1)
2. Pasting is dangerous (2)
3. Do you have effective backups?
4. FSA update
5. Virus (and non virus) dangers
6. Newsletter information

===============
1. Pasting is dangerous (1)

Next time you paste some figures into a spreadsheet, be afraid. Be
very afraid. Someone at TransAlta Corporation managed to lose $24m
(Canadian) through a “clerical error” in pasting into an Excel
spreadsheet. The spreadsheet in question was used to submit bids
to the New York Independent System Operator (New York ISO) for May
2003 transmission congestion contracts (TCCs). It’s not really
important to understand what TCCs are: the crux of the problem is
that you put bids in at the end of one month that affect the prices
you pay during the next. Once submitted, the bids can’t be
retracted. Because of the spreadsheet error, TransAlta ended up
with more TCCs than they wanted, and at higher prices than they
intended. They didn’t spot the error until they were notified that
their bids had been successful.

There are at least two operational failures evident in this
story.

First, the whole thing was an accident waiting to happen if pasting
numbers into the spreadsheet was part of the normal process of
preparing these bids. Manual pasting is notoriously prone to
errors. If data has to be transferred between spreadsheets,
automatic links (used with appropriate precautions) or automated
copying and pasting via macros (ditto) are much safer. If the
pasting was unusual, then extra care should have been taken and
more thorough testing should have been performed.

Which brings us to the second failure. How come the error wasn’t
found before the bids were submitted? The answer has got to be
that there was inadequate review and testing. I suspect that there
weren’t formal tests, and that the reviewing was not systematic. It
isn’t difficult to devise effective reviewing procedures that
should pick up this sort of problem (we are told that the error was
caused by mismatching bids and prices, which implies that the error
was due to misaligning the pasted region).

A transcript of the investor conference at which the error was
explained can be found at http://dupleish.notlong.com. A brief
summary is at http://www.theregister.co.uk/content/67/31298.html.

===============
2. Pasting is dangerous (2)

Just the other day a similar error was discovered before it was too
late. The error came to light in a university examiners meeting:
the spreadsheet containing the marks for a small joint degree (3 or
4 students) was found to be wrong. The numbers just didn’t make
sense, as the average marks were inconsistent with the range of
individual marks. The numbers were recalculated by hand before the
end of the examiners meeting, and no harm was done, let alone $24m
worth.

The problem was caused (again) by copying and pasting: the formulae
were correct in the first row, but not in the later rows. History
doesn’t relate, but presumably it was a question of relative versus
absolute references.

The spreadsheet had actually been checked before the meeting by the
Chair of one of the departments involved. Unfortunately, the check
had been confined to the first row, which was indeed correct.

There are several morals to this story.
– be very afraid when copying and pasting
– don’t rely on checking the formulae, look at overall
reasonableness too
– if you’re checking a representative sample of formulae, remember
that the first row (or first column) probably isn’t
representative.
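An added illustration, not from the newsletter (the marks sheet is constructed): a small Python checker that applies the last two morals, and also covers the misaligned paste in item 1. It compares every row's formula with the first row's in relative (R1C1-style) form, so a pasted row whose references were not adjusted is flagged even though the first row is correct, and it checks each average for overall reasonableness against the marks it should summarise. The toy formula evaluator supports only AVERAGE over a range.

```python
"""Two checks for copy-and-paste errors in a marks spreadsheet.

Added example, not from the newsletter. The sheet is a dict of cell -> value
or formula. Check 1 converts each formula to a form relative to its own cell
and compares it with the first row's; check 2 tests that each average lies
between the smallest and largest of the marks it is meant to average.
"""
import re
from statistics import mean

CELL_RE = re.compile(r"(\$?)([A-Z]+)(\$?)(\d+)")


def col_num(letters):
    """Column letters -> 1-based column number (A=1, Z=26, AA=27)."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def col_letters(n):
    """1-based column number -> column letters (inverse of col_num)."""
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(ord("A") + rem) + s
    return s


def parse_cell(ref):
    """'E3' or '$B$2' -> (row, column number)."""
    m = CELL_RE.fullmatch(ref)
    return int(m.group(4)), col_num(m.group(2))


def relative_form(formula, at):
    """Rewrite every A1 reference in `formula` relative to the cell `at`.
    Relative parts become offsets (R[0]C[-3]); absolute ($) parts keep their
    literal number (R2C2). Two copied formulas are 'the same formula' exactly
    when this form is equal, which is what Excel's fill-down preserves."""
    row0, col0 = parse_cell(at)

    def repl(m):
        cabs, col, rabs, row = m.groups()
        r = "R%d" % int(row) if rabs else "R[%d]" % (int(row) - row0)
        c = "C%d" % col_num(col) if cabs else "C[%d]" % (col_num(col) - col0)
        return r + c

    return CELL_RE.sub(repl, formula)


def cells_in_range(first, last):
    r1, c1 = parse_cell(first)
    r2, c2 = parse_cell(last)
    return ["%s%d" % (col_letters(c), r)
            for r in range(r1, r2 + 1) for c in range(c1, c2 + 1)]


def evaluate(sheet, cell):
    """Tiny evaluator: plain values are returned as-is; the only formula
    supported is =AVERAGE(<range>), enough for the sheet below."""
    v = sheet[cell]
    if not (isinstance(v, str) and v.startswith("=")):
        return v
    m = re.fullmatch(r"=AVERAGE\((\$?[A-Z]+\$?\d+):(\$?[A-Z]+\$?\d+)\)", v)
    if not m:
        raise ValueError("unsupported formula in %s: %s" % (cell, v))
    return mean(evaluate(sheet, c) for c in cells_in_range(m.group(1), m.group(2)))


def inconsistent_rows(sheet, column, rows):
    """Check 1: rows in `column` whose formula, in relative form, differs from
    the first row's. The first row passes by definition, which is why a review
    confined to it says nothing about the rows pasted below."""
    first = "%s%d" % (column, rows[0])
    expected = relative_form(sheet[first], first)
    return [r for r in rows[1:]
            if relative_form(sheet["%s%d" % (column, r)], "%s%d" % (column, r)) != expected]


def unreasonable_rows(sheet, mark_cols, avg_col, rows):
    """Check 2: an average outside [min, max] of its own row's marks cannot be
    right whatever formula produced it. This catches only some wrong rows, so
    it complements check 1 rather than replacing it."""
    bad = []
    for r in rows:
        marks = [evaluate(sheet, "%s%d" % (c, r)) for c in mark_cols]
        avg = evaluate(sheet, "%s%d" % (avg_col, r))
        if not min(marks) <= avg <= max(marks):
            bad.append(r)
    return bad


# Constructed sheet: B..D hold three module marks, E the average. Row 2 was
# typed with relative references; rows 3-5 were pasted from a copy that used
# absolute references, so every one of them silently averages row 2's marks.
MARKS = {
    "B2": 58, "C2": 61, "D2": 64, "E2": "=AVERAGE(B2:D2)",
    "B3": 70, "C3": 72, "D3": 74, "E3": "=AVERAGE($B$2:$D$2)",
    "B4": 55, "C4": 60, "D4": 68, "E4": "=AVERAGE($B$2:$D$2)",
    "B5": 40, "C5": 45, "D5": 50, "E5": "=AVERAGE($B$2:$D$2)",
}
ROWS = [2, 3, 4, 5]

if __name__ == "__main__":
    print("formula differs from first row:", inconsistent_rows(MARKS, "E", ROWS))
    print("average outside range of marks:", unreasonable_rows(MARKS, ["B", "C", "D"], "E", ROWS))
```

Row 4 is wrong but its stale average (61) happens to fall inside its own marks, so only the formula check finds it; row 3 and row 5 are caught by both.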

===============
3. Do you have effective backups?

A survey of 100 IT managers at Fortune 1000 companies indicates
that about 60% of corporate data is stored on desktop PCs or on
laptops; and 80% of PC users don’t have effective backups for data
or configuration settings.

Meanwhile, another survey showed that 80% of UK SMEs have no
business continuity plan in place at all.

If true, these figures show that there is an accident waiting to
happen, but it should be noted that both surveys were conducted by
interested parties. CoreProtect (http://www.coreprotect.com) sells
products to back up configuration settings, and Xbridge
(http://www.xbridge.com) is trying to encourage firms to take out
business continuity insurance. I have been unable to track down any
information about either survey on their respective web sites.

The surveys were reported by out-law.com (available at
http://empfissa.notlong.com) and Yahoo
(http://biz.yahoo.com/prnews/030528/law046_1.html).

I may not have confidence in the actual figures quoted in these
reports, but I certainly believe that backups from desktops and
(especially) laptops are not as thorough as could be desired. Users
have a nasty habit of storing files locally rather than on shared
server drives. Of course, with laptops they pretty much have to do
that.

Of course in some ways the use of laptops may help business
continuity; the laptop (and its unbacked up data) may be available
when the servers aren’t. But it’s probably more likely that
something bad will happen to the laptop (injury, theft, or
whatever) and the server will remain intact, but without the vital
data.

===============
4. FSA update

This has been a very light month for consultation and feedback.
However, there have been a couple of somewhat interesting
publications.

The Annual Report for 2002/3 was issued in the middle of June. It
comes in two flavours, the full version with 221 pages and a
summary with 48 pages. One of the most useful parts is the
organisational chart at the end (of the summary version, at least;
I haven’t downloaded the 8.59MB of the full version).
Both versions are available from
http://www.fsa.gov.uk/pubs/annual/ar02_03/index.html

On 12th June Michael Foot gave a speech to the City and Financial
Conference on Operational Risk on “Operational risk management –
Best practice strategies in light of final Basel proposals.” He
talked about why operational risk has a higher profile than in the
past, and why this will continue into the future. The FSA is taking
operational risk very seriously, as it affects three of the four
statutory objectives. It has recently undertaken a survey of
operational risk management practices, which will shortly be
published. A big issue is going to be implementation of Basel 2 as
the timetable is fixed (and the proposals aren’t final yet). Foot
didn’t talk about the EU proposals and their effect on non
banks. The speech is available at
http://www.fsa.gov.uk/pubs/speeches/sp135.html

New consultation and discussion papers out this month:
—————————————————–

No consultation or discussion papers have been issued since my last
newsletter.

Feedback published this month:
—————————–

CP169 Professional Indemnity Insurance for personal investment
firms

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Virus (and non virus) dangers

A few weeks ago we heard a lot about the Bugbear.B virus. It was,
we were told, going to create havoc in financial institutions; it
contained a list of domain names, and if it found itself in one of
those domains it would turn on key-logging capabilities and then
email sensitive data, including passwords, to specified email
addresses.

So what happened? Not a lot, really. Many people were infected,
but they were mostly home users rather than financial
institutions. It turns out that most financial institutions have
pretty effective anti virus and firewall software in place
(sometimes too effective; it can be difficult to get genuine files
through some of them). On the other hand, home users often don’t
have up to date anti virus protection, and only rarely use
firewalls.

I usually feel a little smug at this point; even without anti virus
software I would be less vulnerable than many people. I don’t use
Outlook, and in particular I use a mail program (The Bat!) that
doesn’t use the Windows address book. This means that even if I am
infected, I won’t infect other people. Also, I use the option to
read my email as text rather than HTML. One of Bugbear.B’s nasty
little habits is to use a bug in some versions of Internet
Explorer, whose code is used to display HTML mail in Outlook and
some other mail readers. This bug means that some mail attachments
are automatically opened; if they contain viruses, all is lost.

Meanwhile, there was another spate of the hoax jdbgmgr virus. Every
so often I get sent email telling me that there is a new virus on
the loose, and that I can tell that I have been affected if there
is a file called jdbgmgr.exe. The message will go on to say that
anti virus software won’t detect the file, and that I should delete
it immediately, before sending email to everyone whose address I
have to warn them of the problem.

The file isn’t detected by the anti virus software because it’s not
a virus. It’s a perfectly harmless file that will be found on most
Windows systems. Luckily it’s not often used, so deleting it won’t
do any harm.

I find it amazing that people will jump in and delete a file from
their computer on the say so of a random acquaintance. The people I
have received this hoax from are not, on the whole, people I am in
regular contact with, and are typically not people I would consider
to be particularly knowledgeable about computers (the exception was
a Professor of Computer Science, but he may not often get his hands
dirty nowadays). It’s very lucky that more damage hasn’t been done;
people could completely wreck their systems if they deleted the
wrong files without knowing what they were doing.

It is very easy to tell if email like this is genuine: use
Google. Just search for “jdbgmgr” (in this case) and see what you
get.

Symantec’s information on Bugbear.B can be found at
http://bobwomia.notlong.com

Free firewalls for home use include Tiny Personal Firewall
(http://www.tinysoftware.com/home/tiny2?la=EN) and ZoneAlarm
(http://www.zonelabs.com/store/content/home.jsp).

The Bat! is at http://www.ritlabs.com/the_bat/. Other free, or
cheap, mail readers that don’t use the Windows address book are
Eudora (http://www.eudora.com) and Pegasus Mail
(http://www.pmail.com/index.cfm).

Symantec’s information on the hoax virus is at
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.

Newsletter May 2003

News update 2003-05: May 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Human error
2. Non human error?
3. FSA update
4. Correspondence
5. Newsletter information

===============
1. Human error

CompTIA, the Computing Technology Industry Association, recently
released a white paper on computer security. They surveyed 638
professionals in North America. The principal results were:

– 31% had between one and three major security breaches in the last
six months.
– Human error was the primary cause of 34% of the most recent
breaches; intentional action 29%, and technical malfunction 8%,
and combination of human error and technical malfunction
29%. Human error was thus implicated in 63%.
– 57% of organisations had no comprehensive written IT security
policy in place.
– About 20% of organisations had no IT staff with security-related
training.

The survey apparently included respondents from the educational,
governmental, financial, and IT sectors among others. There seems
no real reason to think that the situation is substantially
different in the UK.

Human error is clearly a big problem; the figures above indicate
that in a six month period it may cause at least one major security
breach in 20% of organisations. The report doesn’t analyse the
causes in any more detail, but two possible reasons for human error
are poor user interfaces and documentation combined with complex
systems, and lack of training. Human error can occur among users as
well as among IT professionals; passwords are an obvious problem
area, as is software installation.

The report also shows that many organisations don’t take computer
security seriously. The “it won’t happen to us” mentality is
clearly alive and kicking. Human error is much more likely where
there is no comprehensive IT security policy in place; people may
simply not know that their behaviour is dangerous.

As in so many areas, ignorance is the big problem: people either
don’t know what they should (or shouldn’t) be doing, or they know
the correct procedures and ignore them. Education and training are
necessary, but so is a commitment to good practice that runs
throughout the organisation.

Committing to Security: A CompTIA Analysis of IT Security and the
Workforce is available at
http://www.comptia.org/research/whitepapers.asp?topic=Security

===============
2. Non human error?

You might think that one way to eliminate human error is to
automate the process, whatever it might be. However, automation can
lead to different problems, and anyway people are nearly always
involved at some stage.

A woman in Seattle is suing Farmers Insurance Company of
Washington, claiming that the company uses an expert system to
provide inaccurately low estimates of automobile-related
injuries. She argues that she would have taken her business
elsewhere if she had known the company would use a computer to
judge how much her life was worth. “They didn’t even come out to
see me,” Barbara Martin said. “How could they know me or what
happened to me?”

The expert system in question is Colossus, a product of Computer
Sciences Corporation (CSC). It is fairly clear from CSC’s web site
that Colossus, which they describe as “the industry’s leading
expert system for evaluating bodily injury claims,” is used
interactively by a claims adjuster. Indeed, it’s difficult to see
how it could be otherwise. The results produced by Colossus thus
depend on what information is available to the claims adjuster and
how that information is interpreted. As usual, “Garbage In, Garbage
Out” applies.

The complaints about Colossus aren’t new. Two former employees of
Farmers were sued for saying that Colossus places unfairly low
values on personal-injury claims. They claimed that Farmers
adjusted Colossus so that its estimates were consistently below
those of experienced claims adjusters.

I know no more about this case and Colossus than I have read in the
papers and on CSC’s web site (see references at the end of this
section), but it seems to me that several issues are being
conflated here.

– Mrs Martin says that she was never visited by a claims adjuster,
and that Farmers therefore couldn’t have had accurate information
about her injuries and their effects. This issue is independent
of whether Colossus was used or not.

– People don’t trust computers. They don’t like the idea of
decisions that affect them significantly being made by a
collection of silicon chips. On the whole, people doubt whether
computers can understand the subtleties of their particular
circumstances: we see this to a lesser extent with credit rating
systems, for example.

– Although CSC claim that Colossus should be used as a guide rather
than as an infallible source of estimates, it is very possible
that in practice it is rare for claims adjusters to disagree with
the numbers it produces. This effect might be due to corporate
culture, pressure on people to conform, but may also be because,
somewhat inconsistently, people do seem to trust computer systems
that they actually use themselves.

– There is a belief that this particular expert system has been
made to produce artificially low claims estimates. Of course it’s
entirely possible that its estimates are below those of human
claims adjusters. Possibly Farmers had thought that its claims
were getting out of hand. However, a reduction could have been
accomplished without Colossus by simply instructing the adjusters
to reduce their estimates. The use of Colossus would however help
to enforce a general lowering of estimates.

On the whole it looks as if the use of Colossus is a peg on which
various concerns are being hung. Clearly its use is perceived as
threatening by both customers and employees. Possibly management
are using it as a shield, rather than taking responsibility for
events themselves.

There is some good scaremongering going on in the press: “About
half of insurance companies that operate in the United States,
including some of the largest, such as Aetna, Hartford Financial
Services and Zurich Personal Injury, use the Colossus program. But
those companies have done a good job suppressing information about
the program. Colossus is not mentioned in insurance policies or
advertising brochures. Neither is the fact that claims are being
adjusted by computer.”

A description of Colossus can be found at
http://www.csc-fs.com/MARKETS/detail/cc_COLOSSUS.asp
There’s coverage of the story at
http://seattlepi.nwsource.com/local/122105_colossus15xx.html
and http://seattlepi.nwsource.com/local/93620_insurance31.shtml

===============
3. FSA update

Looking at the lists of new consultations and feedback out within
the last month I was struck by the imbalance: 8 new CPs, and
feedback to only 4 CPs. Are things getting out of hand? When I
investigated further, however, I was less worried. A number of CPs
never get explicit feedback documents of their own, but are dealt
with in the monthly Handbook Notices. These are mostly “small” CPs,
such as the series on Miscellaneous amendments to the Handbook,
which often have very few responses or even none at all.
Unfortunately the relevant Handbook Notices aren’t referenced on
the main CP web pages, which continue to say that “Response Paper
will be available at the end of the consultation process”. I have
also found at least one CP that does have feedback, including a
policy statement, that is not referenced from the main CP page
(CP138).

So if you are particularly eager to find out if there is feedback
on a CP, your best bet is to use the FSA search facility, which
works very well, to search for all references to it (eg, entering
CP138 as the search term will show you the relevant feedback).

New consultation and discussion papers out this month:
—————————————————–

CP179 The Authorisation manual – Draft perimeter guidance on
activities related to pension schemes
CP180 Fees for mortgage firms and insurance intermediaries
CP181 The Interim Prudential Sourcebooks for Insurers and Friendly
Societies: Implementation of the Solvency I Directives
(2002/12/EC and 2002/13/EC)
CP182 Proposed changes to the Listing Rules to take account of the
introduction of treasury shares
CP183 Standardising past performance – Including feedback on CP132
CP184 Miscellaneous amendments to the Handbook (No.8)
CP185 The CIS sourcebook – A new approach
CP186 Mortgage regulation: Draft conduct of business rules and
feedback on CP146

Feedback published this month:
—————————–

CP132 The presentation of past performance and bond fund yields in
financial promotions
CP146 The FSA’s approach to regulating mortgage sales
CP149 Market abuse: Pre-hedging convertible and exchangeable bond
issues
CP168 Fees 2003/04

DP17 Short selling

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Correspondence

Contributions are anonymous this month as I hadn’t warned people
that they might be quoted. In future, I’ll use your name unless you
say otherwise.

Last month I chatted about the problems of public holidays in
Scotland, where they are both different from those in England and
vary between cities. A reader wrote:

On the subject of Bank Holidays, I was surprised shortly after I
moved to India to find that unlike England, where I think Bank
Holidays are called that because even bank staff get them, here
Bank Holidays are called that for the opposite reason – only
bank staff get them.

I also talked about how difficult it is to ensure that software has
no errors, unless it has been so rigorously specified that it can
be proved to be correct. I received the comment:

and in that case, the specification will contain bugs 🙂

or the proof will…

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.

Newsletter Apr 2003

News update 2003-04: April 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Subscribe by
sending an email to news-subscribe@louisepryor.com. Unsubscribe by
sending an email to news-unsubscribe@louisepryor.com. Newsletter
archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Troubles never come singly
2. Troubles come in threes (or more)
3. It’s the model that matters
4. FSA update
5. Public Holidays
6. Newsletter information

===============
1. Troubles never come singly

On 9th April the public power supply at Demon Internet’s Network
Operations Centre at Finchley failed. The standby generator started
up as expected; but a fault then occurred in the power control
system so that it couldn’t be used to run the equipment. At this
stage the backup batteries were the only source of power.
Unfortunately they ran out before the power control system could be
put back in action. This wasn’t really surprising, as they are only
intended for use while the generator is being started up. Several
services were affected.

The public power supply was eventually restored some hours later,
but meanwhile there had been a build up of email. Quotas had been
imposed on customers during the outage, and some messages were
returned to sender as quotas were exceeded. There were also some
messages that were corrupted during the outage, and could not be
delivered at all.

The problem is that you can’t rely on just one thing going wrong at
a time. And even if Demon had had another line of defence (after
the batteries), there is no guarantee that it wouldn’t have gone
wrong too. However much you try to control risk by taking
preventative action, you just can’t be sure that you’ve done enough
– and it may not be cost effective, anyway.

Demon press releases can be found at
http://www.demon.net/helpdesk/announce/2003/da2003-04-10a.shtml
http://www.demon.net/helpdesk/announce/2003/da2003-04-15a.shtml

===============
2. Troubles come in threes (or more)

During March this year one of Danske Bank’s two main operating
centres was out of action for a week. During this period the bank’s
trading desks, currency exchange and communications with other
banks were shut down. Reports say that the episode had some effects
on the Danish economy; that the Nationalbanken was forced to inject
5 billion kroners into the banking sector to help push transactions
through; and that direct and indirect losses to Danske Bank could
amount to 50 million kroners ($7.2 mill USD).

It all started during the routine replacement of a defective
electrical unit in an IBM disk system. There was an electrical
outage in the disk system, which caused operations at the operating
centre to come to a halt. A few hours later, the disk system was
operational again and the overnight batch runs were started. It
soon became evident that they were not running correctly.

Apparently there was a software bug in the DB2 database system that
Danske Bank uses, and although the database system had restarted
normally after the breakdown there were inconsistencies in the
data. This bug had been present in all similar DB2 systems
installed since 1997, but this was the first time that the right
(or wrong) combination of circumstances had occurred to trigger the
problem.

Worse was to come. During the data recovery process, which in the
end took four days, three more hitherto unknown bugs were
discovered in DB2. The final one (and, reading between the lines of
the Danske Bank report, the final straw) was a problem that
“resulted in new episodes of inconsistent data that had to be
recreated by other methods. This made the process longer and more
complicated.” They eventually used back up data from their other
main operating centre, rather than wait for the software patch from
IBM.

Things could have been worse. Because Danske Bank had two operating
centres, some of their services were completely unaffected.
Moreover, it looks as if their backup (and restoration) procedures
worked when they needed to.

In 1789 Benjamin Franklin wrote “In this world nothing can be said
to be certain, except death and taxes.” Nowadays we should add
software bugs to the list. Until software has been tested under
every possible combination of circumstances, or unless it has been
so rigorously specified that it can be proved to be correct, it is
likely to contain bugs, and those bugs may cause significant
problems.

There’s a brief description of what happened at
http://www.theregister.co.uk/content/53/30095.html
Danske Bank’s report on the incident can be found at
http://frequyff.notlong.com

===============
3. It’s the model that matters

At a press conference on 8th April, Admiral Hal Gehman, Chairman of
the Columbia Accident Investigation Board, discussed the model that
was used to analyse the impact damage due to debris. If you recall,
the prevalent theory is that this was a major cause of the
disaster.

He said “It’s a rudimentary kind of model. It’s essentially an
Excel spreadsheet with numbers that go down, and it’s not really
not a computational model.” The implication seems to be that
computational models and Excel spreadsheets are incompatible.

However, this is not the case. The real problem with the model was
not its implementation, but its basic structure. Apparently it’s a
lookup table, populated with data from controlled experiments.
Unfortunately the piece of debris under consideration is thought to
have had a mass of about 1kg, much larger than any of the
experimental objects. The trouble with lookup tables is that they
are not much good when it comes to extrapolation beyond the limits
of the data.
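The extrapolation problem, as an added example that is not from the newsletter or the Board (the calibration table is constructed, not the investigation's data): a lookup table that silently clamps to its last experiment, beside one that reports when a query lies outside the data it was populated from.

```python
"""Lookup-table model with and without an explicit calibration range.

Added example, not from the newsletter. CALIBRATION is a constructed table of
(debris mass in kg, damage index) pairs from notional experiments, sorted by
mass; the values are made up. Interpolation between experiments is fine;
the point is what happens when the query is heavier than any experiment.
"""
import bisect

# Constructed calibration data: the heaviest experimental object is 0.40 kg.
CALIBRATION = [(0.05, 1.0), (0.10, 1.9), (0.20, 3.6), (0.40, 6.5)]


def _interpolate(table, mass):
    """Linear interpolation; assumes table[0][0] <= mass <= table[-1][0]."""
    masses = [m for m, _ in table]
    i = bisect.bisect_left(masses, mass)
    if masses[i] == mass:
        return table[i][1]
    (m0, d0), (m1, d1) = table[i - 1], table[i]
    return d0 + (d1 - d0) * (mass - m0) / (m1 - m0)


def lookup_clamped(table, mass):
    """The naive table: anything beyond the last experiment gets the last
    experiment's answer, so a 1 kg piece 'does' the same damage as 0.40 kg
    and the caller never learns that the model has run out of data."""
    if mass <= table[0][0]:
        return table[0][1]
    if mass >= table[-1][0]:
        return table[-1][1]
    return _interpolate(table, mass)


def lookup_checked(table, mass):
    """Same table, but extrapolation is refused. Returns (value, None) inside
    the calibration range and (None, reason) outside it, so a clamped guess
    cannot be mistaken for a prediction."""
    lo, hi = table[0][0], table[-1][0]
    if not lo <= mass <= hi:
        return None, "mass %.2f kg is outside the calibration range %.2f-%.2f kg" % (mass, lo, hi)
    return _interpolate(table, mass), None


if __name__ == "__main__":
    for m in (0.15, 1.0):
        print(m, "clamped:", lookup_clamped(CALIBRATION, m),
              "checked:", lookup_checked(CALIBRATION, m))
```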

A predictive model would obviously be more computationally complex,
but that does not mean that it would not be possible to implement
it in Excel. If the financial services industry is anything to go
by, computational complexity has never been a reason for avoiding
Excel. On the other hand, implementation in Excel might well be
inadvisable, because there are few Excel developers who have the
software engineering background to build a sufficiently well tested
and robust implementation.

The transcript of the press conference is at
http://www.caib.us/news/press_briefings/pb030408.html

===============
4. FSA update

Callum McCarthy has been appointed as the new Chairman of the FSA,
taking over from Howard Davies on 22nd September. Unlike Davies,
McCarthy will not combine the position with that of Chief
Executive. The plan is to appoint a new Chief Executive before
September.

According to my count, when McCarthy joins the Board of the FSA
there will be thirteen external members, seven of whom have
been in the banking industry at some time during their careers.
There are no external members from the insurance industry, and only
one from investment management.

New consultation and discussion papers out this month:
—————————————————–

CP176 Bundled Brokerage and Soft Commission Arrangements
CP177 Lloyd’s policyholders: Review of compensation arrangements
CP178 Review of prudential regulation of the Lloyd’s market

Feedback published this month:
—————————–

CP148 The FSA’s approach to the use of its powers under
The Unfair Terms in Consumer Contracts Regulations 1999

DP16 Hedge funds and the FSA

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Public Holidays

The annual confusion has started again. Those of you who live in
England (or many other countries) can probably believe your
diaries when the words “Bank Holiday” appear. Those of us in
Scotland know better.

Many bank holidays are public holidays only in England and
Wales. There are no equivalents in Scotland: when the public
holidays are depends on the city. In Edinburgh, for example, we
have public holidays this year on 1st and 2nd January, 14th April
(Edinburgh Spring Holiday), 5th May (May Day), 19th May (Victoria
Day), 15th September (Edinburgh Autumn Holiday), Christmas Day
and Boxing Day. It wasn’t entirely clear to me whether Good Friday
and Easter Monday were holidays or not.

However, banks tend to stick to the English bank holidays. Some
other businesses do that too. Others use the Edinburgh
holidays. Some give their employees a choice: take any 8 days as
long as they are either English or Edinburgh holidays. The problem
for many businesses, especially in the financial services sector,
is that customers from outside Scotland expect them to be around
when their English counterparts are.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.

Newsletter Mar 2003

News update 2003-03: March 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Comments and feedback to
news-admin@louisepryor.com. Subscribe by sending an email to
news-subscribe@louisepryor.com. Unsubscribe by sending an email to
news-unsubscribe@louisepryor.com. Newsletter archived at
http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Modelling problem
2. Spreadsheets: why test?
3. FSA update
4. Software versions
5. Newsletter information

===============
1. Modelling problem

On 6th March 2003 Provident Financial Group of Cincinnati announced
a restatement of its results for the five financial years from 1997
to 2002. Between 1997 and 1999 Provident created nine pools of car
leases. Part of the financial restatement was because the leases
were treated off balance sheet, rather than on balance sheet as was
later thought to be appropriate. But there was also a significant
restatement of earnings, because there was a mistake in the model
that calculated the debt amortisation for the leases. It appears
that the analysts who built the model used for the first pool “put
in the wrong value, and they didn’t accrue enough interest expense
over the deal term. The first model that was put together had the
problem, and that got carried through the other eight,” according
to the Chief Financial Officer, who also went on to say that he did
not think other banks had made similar errors. “We made such a
unique mistake here that I think it’s unlikely.”

It appears that the error was found when Provident introduced a new
financial model that was tested against the original, and that the
two models produced different results. They then went back and
looked at the original model to see which one was correct. We don’t
know that these were spreadsheet models, but it’s entirely
possible. And the lack of testing may have led to earned income
being overstated by $70 million over five years. Provident also
faces a class action suit from investors.

If I am right, and the erroneous model was a spreadsheet (and from
the fact that those who built it were referred to as “analysts” rather
than “programmers” or “developers” some sort of user-developed
software seems likely), this is a classic example of a spreadsheet
being built as a one-off and then reused without adequate
controls. Later pools must have used a different spreadsheet, as
they were not subject to the same restatement.

The CFO has more confidence than I do in the ability of other banks
to avoid similar errors.

See http://cappigun.notlong.com for the press release from
Provident, and http://www.cincypost.com/2003/03/12/prov031203.html
and http://nitcrish.notlong.com for press coverage from the
Cincinnati Post and New York Times.

===============
2. Spreadsheets: why test?

You should test your spreadsheets because they may contain errors
(see item 1). People fail to test their spreadsheets because they
underestimate the benefits of doing so: mainly, they simply don’t
know how many spreadsheets contain errors. Think about it for a
moment. Do 10% of spreadsheets contain errors? Or 20% (for the
pessimists among you)? These rates are high, and should be enough
to make alarm bells ring, but the actual rates are probably far
higher.

A few years ago Professor Ray Panko, at the University of Hawaii,
pulled together the available evidence from field audits of
spreadsheets. Of the 54 spreadsheets that were audited, 49 had
errors. That’s an error rate of 91%.

Other studies show that the error rate per cell is between 0.38%
and 21%. These results are difficult to interpret: are they
percentages of all cells, cells containing formulae, or unique
formulae? (If a formula is copied down a row or column, it may
count as many formula cells, but is only one unique formula). If we
assume a rate of 1% of unique formulae having errors, and look at
spreadsheets containing from 150 to 350 unique formulae (this is a
fairly typical size in my experience), we find that the probability
of an individual spreadsheet containing an error is between 78% and
97%.
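To make the per-cell versus unique-formula distinction concrete, here is an added Python example (not from the newsletter): it counts formula cells against unique formulae by rewriting each reference relative to its own cell, so a formula copied down a column collapses to one entry, and then applies the 1% per-formula assumption above as P(error) = 1 - (1 - p)^n. The sample sheet is constructed for illustration.

```python
import re

# Constructed sample sheet: the row-2 formulae are copied down to rows 3 and 4,
# so there are 7 formula cells but only 3 unique formulae.
SAMPLE_SHEET = {
    "A2": "100", "A3": "120", "A4": "90",
    "B2": "=A2*1.05", "B3": "=A3*1.05", "B4": "=A4*1.05",
    "C2": "=B2-A2",   "C3": "=B3-A3",   "C4": "=B4-A4",
    "D5": "=SUM(C2:C4)",
}

# A1-style reference: optional $ for absolute column/row.
CELL_RE = re.compile(r"(\$?)\b([A-Z]{1,3})(\$?)(\d+)\b")


def col_to_num(col):
    """Column letters to a 1-based number (A=1, Z=26, AA=27)."""
    n = 0
    for ch in col:
        n = n * 26 + (ord(ch) - 64)
    return n


def to_r1c1(formula, origin):
    """Rewrite references relative to the formula's own cell (R1C1 style).
    Copies of one formula in other rows/columns then become identical text,
    while $-absolute references stay fixed, exactly as a copy would leave them."""
    _, ocol, _, orow = CELL_RE.fullmatch(origin).groups()
    oc, orw = col_to_num(ocol), int(orow)

    def repl(m):
        abs_col, col, abs_row, row = m.groups()
        c = f"C{col_to_num(col)}" if abs_col else f"C[{col_to_num(col) - oc}]"
        r = f"R{row}" if abs_row else f"R[{int(row) - orw}]"
        return r + c

    return CELL_RE.sub(repl, formula)


def count_formulas(sheet):
    """Return (formula_cells, unique_formulae) for a {address: content} sheet."""
    formulas = [(addr, f) for addr, f in sheet.items() if f.startswith("=")]
    unique = {to_r1c1(f, addr) for addr, f in formulas}
    return len(formulas), len(unique)


def p_sheet_has_error(n_unique_formulas, p_per_formula=0.01):
    """Probability that at least one of n independently built formulae is wrong."""
    return 1 - (1 - p_per_formula) ** n_unique_formulas
```

With 150 and 350 unique formulae the function returns about 0.78 and 0.97, the range quoted above; a per-cell rate applied to all 7 cells of the sample would overstate the exposure of a sheet that really contains 3 formulae.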

To make matters worse, people tend to overestimate their own
capabilities. Panko describes an experiment in which people were
asked to say whether they thought spreadsheets that they had
developed contained errors. On the basis of their responses, about
18% of the spreadsheets would have been wrong; the true figure was
81%. The actuary who told me “As far as I am concerned, none of my
spreadsheets has ever had a bug in it” was probably deluding
himself.

There’s a great deal of misplaced confidence in the accuracy of
spreadsheets. Another actuary who recently said “Of course, in a 1%
world we can’t afford to test our spreadsheets properly” must have
missed a word out. He should have said that they couldn’t afford
*not* to test their spreadsheets.

Panko’s web page at http://panko.cba.hawaii.edu/ssr/ has loads of
interesting information about spreadsheets, including the error
rates described above. There is further discussion at
http://www.louisepryor.com/showTopic.do?code=errorRates.

===============
3. FSA update

Well, we’re certainly living in interesting times and they are
every bit as interesting in the financial world as elsewhere. The
FSA must be hoping for a bit of boredom, just like the rest of us.

On 26th February Howard Davies gave a speech on “Managing Financial
Crises”. In what might seem a surprising view, he took the line
that we are not in one at the moment. However, his definition of a
crisis is quite specific, and, luckily, does not apply to the
current situation. The speech is at
http://www.fsa.gov.uk/pubs/speeches/sp115.html.

As the markets remain turbulent, but mainly in a downward
direction, we’ve had more details on the flexibility provided by
waivers of the rules for with profits life insurance, in a letter
to CEOs of life companies
(http://www.fsa.gov.uk/pubs/other/ceo_letter_wp.pdf). The letter
contains some general guidance, which was issued without the normal
consultation period because there was a worry that any delay would
not be in the interests of consumers. As every financial
commentator in the land has explained, often more than once, the
problem is that adhering to the letter of the solvency requirements
may force life companies to sell equities into a falling market,
thus both reinforcing the downward direction of the market and,
possibly, going against the most appropriate investment strategy
for the life office. Is this another instance of targets distorting
the quality they are trying to measure?

The feedback on CP142, Operational risk systems and controls, is
just out. There are no significant changes as a result of the
feedback.

New consultation and discussion papers out this month:
—————————————————–

CP172 Electronic money: Perimeter guidance
CP173 Amendments to the Interim Prudential sourcebook for
Investment Businesses chapter 5 rules on consolidated
supervision
CP174 Prudential and other requirements for mortgage firms and
insurance intermediaries
CP175 Miscellaneous amendments to the Handbook (No. 7)

DP21 Implementation of the Distance Marketing Directive

Feedback published this month:
—————————–

CP142 Operational risk systems and controls

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
4. Software versions

I only narrowly averted disaster last week. I was giving a talk,
and had been told that “Powerpoint is standard, from diskette.” So
that was OK. But wait! What version of PowerPoint? It turned out to
be 97, and I had prepared my talk in 2002. Most of the animations
didn’t work, to such an extent that some vital information simply
didn’t appear. Luckily, I discovered this in the comfort of my own
home, using a PowerPoint 97 viewer, instead of in front of an eager
audience.

This is actually a big problem with Microsoft Office products. One
of the reasons that they are so widely used is that they are widely
used, and seen as the standard. Unfortunately, although they are
backwards compatible they are not forwards compatible (not
surprising, really). When you buy a new copy you have to buy the
latest version (if you are an individual; you have more choice if
you are a volume licensee); and it’s quite likely that people you
are trying to be compatible with have an older version.

I don’t have any hard evidence, but it seems to me that Office 97
is very widely used, in spite of the fact that there are two more
recent releases (2000, and 2002 aka XP). This means that there is
no effective standard: people with recent versions may use features
that aren’t available in 97.

Maybe the feature bloat of which Microsoft is often accused has
even worse effects than we thought. Office 97 clearly has enough
features for many people, and the extra features in later versions
are worse than useless as they are positively harmful if you want
compatibility.

===============
5. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.