
Newsletter Feb 2003

News update 2003-02: February 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Comments and feedback to
news-admin@louisepryor.com. Unsubscribe by sending an email to
news-unsubscribe@louisepryor.com. Newsletter archived at
http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Business continuity 1: GAO report
2. Business continuity 2: FSA and tripartite web site
3. Worms and patches
4. FSA update
5. Business continuity 3: Testing
6. Newsletter information

===============
1. Business continuity 1: GAO report

Just the other week the GAO released a report entitled “Potential
Terrorist Attacks: Additional Actions Needed to Better Prepare
Critical Financial Market Participants”. The GAO is the United
States General Accounting Office, and is the investigative arm of
Congress.

The report is a very interesting read. It analyses the effects of
the World Trade Center attacks, and describes the steps that were
taken to resume normal operations in the financial markets
afterwards. It then presents the results of a review of the
business continuity plans of 15 organisations that undertake
trading or clearing. Although many lessons were learned from the
WTC attacks, some of them have not been taken to heart: in a number
of cases, backup sites are close to the sites they would replace,
and the problem of non-availability of key staff has not been
addressed.

Some of the specific points in the report are irrelevant to
organisations whose business is not in trading or clearing, but
many of the lessons are more general and are useful to everyone.

The GAO report is available at
http://www.gao.gov/daybook/030212.htm

===============
2. Business continuity 2: FSA and tripartite web site

Coincidentally, the same week also saw the second Annual Conference
for Business Continuity and Disaster Recovery in the Financial
Services Sector. One of the speakers was Michael Foot, of the
FSA. He emphasised the importance of business continuity
arrangements, both for the continuing operations of trading and
clearing and for individual firms. The press release describing
Michael Foot’s remarks is at
http://www.fsa.gov.uk/pubs/press/2003/021.html.

There are two sources of guidance from the FSA on business
continuity. CP142, Operational risk systems and controls, was
issued in July 2002, with comments due by 31 October 2002. The
response to the consultation is expected in a few weeks. CP142 is
at http://www.fsa.gov.uk/pubs/cp/142/.

The FSA, together with the Bank of England and HM Treasury, is a
joint sponsor of the tripartite web site on UK Financial Sector
Continuity planning, at
http://www.financialsectorcontinuity.gov.uk/home/. The site
includes an FSA report, A Review of Business Continuity Management
in Major Financial Groups Post 11 September 2001, which was
published in September 2002.

Some of the points in this report reflect general themes of the
FSA’s risk-based approach to regulation. It is always important to
remember that the risks that the FSA has in mind are the risks to
its objectives (RTOs). In this case, the objectives under threat
are those referring to market confidence and consumer
protection. The FSA is not worried by business failure as such,
unless its objectives are threatened. This means that their
guidance should not be seen as comprehensive.

Another theme that emerges strongly is the need for senior
management to take responsibility. We see this over and over again
in reports and guidance issued by the FSA, and it’s an issue that
should be taken seriously.

From my point of view it was interesting to see specific questions
in the review about whether and how critical bespoke applications/
spreadsheets/databases are identified and included in IT disaster
recovery plans. Given the number of mission-critical functions that
use spreadsheets and other user-developed systems, this is clearly
vital. It should also be considered as part of the regular back-up
strategy.

One of the most useful parts of the report is the BCM risk matrix
on pages 17 to 32. It summarises the critical issues and risk
factors, together with observed standard and good practice.

And, finally on this topic, the FSA’s report on the Financial Risk
Outlook for 2003 identifies the threat of a major terrorist attack
on London or another financial centre, and the need for firms to
have adequate business continuity arrangements in place, as a
priority risk. The report was issued in January 2003, and is at
http://www.fsa.gov.uk/pubs/plan/financial_risk_outlook_2003.pdf.

===============
3. Worms and patches

If you were trying to surf the web at any time during the last
weekend in January you may have found the process unbearably
slow. This was because of a computer worm (or virus; descriptions
vary) that attacked a Microsoft SQL Server vulnerability. The
vulnerability was not new, and Microsoft had already issued a patch
for it. Ironically, some of Microsoft’s own servers were affected
by the worm; they hadn’t installed the patch.

The issue of software patches is an important one. First, it’s
difficult to keep on top of all the patches that are
released. Second, it’s often a painful process installing
them. They may have poor documentation and confusing instructions,
and there are often complex rules about whether the patch is
applicable or not. Third, sometimes installing a patch can stop
other things working.

So saying “we released a patch; we’re not to blame” is not
enough. Better not to have the problem in the first place than to
patch it later.

By the way, this applies at the more lowly level of spreadsheets
and other user-developed software too. Keep the bugs out in the
first place; don’t rely on issuing revised versions and expecting
all the users to update. They won’t.

===============
4. FSA update

The FSA has announced that it intends to review all insurance
companies (with the exception of low impact firms) by the end of
March 2003. This is an acceleration of the timetable. In many cases
this will be a desk-based review; in other words, no-one from the
FSA will actually visit the firm under review, but they will sit at
their desks and ask for information. This is all part of the
general worry about insurance companies at the moment, because of
the “particular stress” they are under as a result of the current
market conditions.

The announcement refers to a new document, “The firm risk
assessment framework”, that was published only a week later. This
is essential reading for anyone who will be involved in a review by
the FSA. It describes how the review process works, with plenty of
helpful examples. This is the latest document in the “Building the
new Regulator series”, and builds on and clarifies the earlier
documents in the series. It is available at
http://www.fsa.gov.uk/pubs/policy/bnr_firm-framework.pdf. See also
http://www.louisepryor.com/showTopic.do?topic=30 for a brief
description of the ARROW risk assessment framework.

New consultation and discussion papers out this month:
------------------------------------------------------

CP166 Reforming Polarisation: Removing the barriers to choice – Including feedback on CP121
CP167 With-profits governance, the role of actuaries in life insurers, and certification of insurance returns
CP168 Fees 2003/4
CP169 Professional Indemnity Insurance for personal investment firms – consultation on rule changes; and discussion of other policy options
CP170 Informing consumers: product disclosure at the point of sale
CP171 Conflicts of Interest: Investment Research and Issues of Securities

DP20 Issues for with-profits business arising from the Sandler Review

Feedback published this month:
------------------------------

CP138 Disclosure of status under the Financial Services and Markets Act 2000 and use of the FSA logo
CP158 Mortgage endowment complaints: Changes to time limits for making a complaint

DP14 Review of the Listing Regime

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Business continuity 3: Testing

Of course it’s not only in cases of huge natural disasters that
business continuity becomes an issue. Minor natural glitches play
their part too, and the recent snow in the South East provided some
real life testing for some people. The main problem, apparently
(there were no problems in Edinburgh, but then there was no snow
either), was that the roads and railways weren’t working. In any
large scale disaster this is likely to be a problem too (see the
GAO report referred to in item 1). The FSA report discussed in item
2 stresses the importance of testing business continuity plans.

One of my informants used the opportunity to check out the
contingency plan of working at home. He told me that the vital
facilities were: a high speed internet connection so he could read
his email, a speaker phone or headset for those phone meetings, and
a good hill with plenty of snow for the toboggan. Most financial
institutions would probably agree on the need for the first two.

State Street has recently announced that it is locating its
European disaster recovery site here in Edinburgh, presumably
because of the lack of snow.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.


Newsletter Jan 2003

News update 030120: January 2003
==================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Comments and feedback to
news-admin@louisepryor.com. Unsubscribe by sending an email to
news-unsubscribe@louisepryor.com. Newsletter archived at
http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Corporate risk management
2. Crime 1: fraud
3. Crime 2: logic bomb
4. FSA update
5. Outsourcing
6. Newsletter information

===============
1. Corporate risk management

“Managing Risk to Enhance Stakeholder Value” is a report out from
the International Federation of Accountants and the Chartered
Institute of Management Accountants. It consists of articles by and
interviews with senior corporate executives (and a few consultants)
on a variety of topics related to risk management. The interviews
(about half the total number of articles) are very readable, and
provide some interesting quotes:

“Corporate governance has made risk management very topical, but
you cannot go through the risk management process for those
reasons. You have to do it because it helps the business.”
Bill Connell, BOC.

“Businesses now get killed off because of reputation risk. They
don’t get killed off because the fixed assets are wrong.”
James Duckworth, Unilever.

From the operational risk point of view, the interest lies mainly
in an interview with Kevin Hayes of Lehman Brothers on managing
business interruption, and an article by Robin Mathieson on dealing
with information risk. Overall, the emphasis is very much on large
corporations, but unlike many publications it really doesn’t have a
banking bias.

There is also a very comprehensive list of references and further
reading.

Report available at:
http://www.cimaglobal.com/downloads/risk_management.pdf

===============
2. Crime 1: fraud

John Rusnak, the fraudster at Allied Irish Banks’ former US
subsidiary, Allfirst Financial, has been sentenced to seven and a
half years in prison and a $60,000 fine ($1,000 a month for five
years after his release). This sentence is longer than Nick
Leeson’s, and some commentators have said that this reflects a
tougher attitude to white collar crime. However, given that the two
rogue traders were sentenced under different jurisdictions (USA and
Singapore), it’s difficult to draw any conclusions on this one.

Moreover, it seems unlikely that the threat of longer prison
sentences is actually going to deter any potential
fraudsters. After all, how many of them carry out a rigorous risk
analysis in advance, weighing up the potential profits against the
probability and impact of getting caught?

As you may recall, the Ludwig report on the whole episode, released
back in March 2002, concluded that Rusnak planned the fraud
carefully and implemented it meticulously, but that Allfirst had
weak controls and poor risk management practices, in this area at
least. The net result was a loss of $691m to Allfirst. Some of this
may be genuine trading loss, but a large portion of it is surely a
loss due to operational risk.

The Ludwig report is available from:
http://www.aibgroup.com/servlet/ContentServer?pagename=AIB_InvestorRelations/AIB_Download/aib_ir_d_download&c=AIB_Download&cid=1015597173380

FT report on the sentencing:
http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1042490887860&p=1012571727239

(If your mailer has broken these ridiculously long URLs into
several pieces, you may need to paste them back together again in
your browser address bar.)

===============
3. Crime 2: logic bomb

On 17th December Roger Duronio, an ex-employee of UBS PaineWebber
in New Jersey, was charged with using a logic bomb to destroy files
on the financial services company’s network. The story goes that
Duronio, a systems administrator, was unhappy with his salary and
bonuses. He resigned from the company on February 22nd, and on
March 4th files on over 1,000 of PaineWebber’s computers were
destroyed. The total cost to the company was apparently over $3
million. Duronio is also accused of buying put options on the
parent company’s shares, expecting to make a profit when the news
of the computer problems became known, causing the share price to
fall. Apparently this bit didn’t work.

There are some interesting points about this story from an
operational risk point of view. First, as the Information Week
article referenced below points out, there comes a point where you
just have to trust people. Systems administrators are nearly always
beyond that point. It’s very rare for all the changes they make to
be checked by another person. There is a case to be made that this
shouldn’t be the case, at least for some of the things they do.

Second, the scale of the logic bomb (affecting 1,000 machines) was
probably due to the fact that Duronio was a systems administrator,
and had privileged access to servers and the network. However, a
spreadsheet user could easily wreak havoc on a smaller scale simply
by using VB code. I won’t go into the details for obvious reasons!
On the other hand, it is easy to put good control mechanisms in for
end user computing, such as spreadsheets or personal databases,
through standard development processes. It is good practice to have
all changes reviewed by somebody else anyway, in order to reduce
the chance of bugs.

Third, as I mentioned in the context of the Rusnak story in item 2,
the threat of a prison sentence probably isn’t going to deter this
sort of behaviour. Good risk management controls can make it a lot
less likely, though.

Information Week article:
http://www.informationweek.com/story/IWK20021220S0007

Press release:
http://www.cybercrime.gov/duronioIndict.htm

===============
4. FSA update

There’s a new Occasional Paper: Managing Risk: Practical lessons
from recent “failures” of EU insurers, available at
http://www.fsa.gov.uk/pubs/occpapers/op20.pdf. It’s a fascinating
read. Although first impressions are usually that the causes of
failure are underwriting or reserving risk, deeper study almost
always implicates management failures, and often operational
risk. Big problems are caused by complex interactions between
risks, including causal links between different types of risk and
unexpected correlations.

The feedback to CP140 has been published, available at
http://www.fsa.gov.uk/pubs/policy/ps140.pdf. There are no material
changes to the text in CP140, but some drafting changes were made
in response to specific comments. The guidance will take effect
from 1st February 2003. For insurers, the effect is to add a new
guidance note, P.3, to the interim sourcebook. For Friendly
Societies and Lloyd’s, the effect is to add requirements to have
regard to the provisions of P.3.

P.3 covers systems and controls, including:
– High level controls
– Risk management
– Risk assessment function
– Legal risk
– Internal audit
– Management information
– Outsourcing
– Group risk

New consultation and discussion papers out this month:
------------------------------------------------------
CP161 Consultation on funding the Financial Ombudsman Service in 2003/2004 and exemptions from DISP
CP162 Financial Services Compensation Scheme Management Expenses Levy Limit – Period: 1 April 2003 to 31 March 2004
CP163 The UCITS Management Directive – A Joint Consultation
CP164 Investment companies (including Investment trusts) – Proposed changes to the Listing Rules and the Conduct of Business Rules Changes to the Model Code
CP165 Miscellaneous amendments to the Handbook (No.6)

DP19 Options for regulating the sale of “simplified investment products”

Feedback published this month:
------------------------------
CP140 The Interim Prudential sourcebooks for Insurers and Friendly Societies and the Lloyd’s sourcebook: Guidance on Systems and controls
CP144 A new regulatory approach to insurance firms’ use of financial engineering – proposed changes to the regulatory returns for life insurers

DP11 Cross-sector risk transfers

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Outsourcing

You may be able to outsource a function, but you can’t outsource
the responsibility. I outsourced the supply of my Christmas
presents this year; I fulfilled my side of the bargain, by ordering
before the last date specified on the web site (well, on the last
date to be strictly accurate), and made use of my outsourcer’s
information systems to track delivery. Imagine my surprise when I
was told that although the books hadn’t been dispatched yet, the
expected delivery date was two days in the past. I know Amazon is
technically advanced, but time travel is something else.

The moral of the story: you need to be able to trust all aspects of
the outsourcer’s services, including their information systems.

(And, luckily for me, the books did arrive on Christmas Eve, and
all my family are still speaking to me).

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.


Newsletter Dec 2002

News update 021219: December 2002
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Comments and feedback to
news-admin@louisepryor.com. Stop receiving this newsletter by sending
an e-mail to news-unsubscribe@louisepryor.com. Newsletter archived at
http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Welcome to this newsletter
2. FSA briefing: The future regulation of insurance
3. The true significance of bugs in spreadsheets
4. FSA update
5. Seasonal risks
6. Newsletter information

===============
1. Welcome to this newsletter

This is the first issue of a monthly newsletter on risk management
in financial services, operational risk and user-developed
software. It will contain brief articles, often with more detailed
reports available on the web site. Its coverage won’t be
exhaustive, but will reflect my own interests and expertise: mainly
risk management processes and frameworks rather than capital
adequacy, and the application of software engineering techniques to
spreadsheet development as part of managing operational risk. I’m
always interested in your comments and feedback: just e-mail
news-admin@louisepryor.com.

===============
2. FSA briefing: The future regulation of insurance

The FSA held a half-day briefing on “The future regulation of
insurance” on 4th December 2002. Nearly 200 people attended, from a
variety of organizations: insurance companies, banks, building
societies, solicitors, accountants and other consultants. There
were surprisingly few consulting actuaries present.

The emphasis throughout the briefing from the FSA speakers was on
risk management frameworks, and the importance of regulated firms
having good systems and controls. The risk management framework
should be comprehensive, integrated throughout the firm, and well
documented. Senior management are ultimately responsible regardless
of outsourcing or other arrangements. Good controls, together with
a compliance culture, should lead to less crystallization of risk
and hence less regulatory intervention. None of this was new, but
there is clearly some concern that the risk-based approach has not
been fully taken on board throughout the industry.

Both Richard Harvey of Aviva and Mary Francis of the ABI,
representing those who are regulated, expressed some concerns about
the burdens being placed on many insurance companies by the new way
of doing things. Would better systems and controls really lead to a
lighter touch from the supervisor? Is the emphasis on high impact
firms ignoring the risk to the FSA’s objectives posed by the
simultaneous failure or shortcomings of several smaller firms? It
is important that regulatory creep is minimized: the FSA shouldn’t
go too far towards protecting people from risk rather than
educating them to understand it and take responsibility for
themselves.

A fuller report on the briefing is available at
http://www.louisepryor.showTopic.do?code=fsa021204.
The presentations and transcripts are on the FSA web site at
http://www.fsa.gov.uk/industry/ftr_regl_ins-dec02.html.

===============
3. The true significance of bugs in spreadsheets

There are many reports of extremely high occurrence rates for bugs
in spreadsheets. From reading them, you might think that very few
spreadsheets are error-free.

However, many people who are aware of the likelihood of errors in
spreadsheets go to great lengths to find and remove them. I have
found few significant errors in the often large and complex
spreadsheets I have reviewed (mainly in the insurance industry).

I believe that the true significance of bugs lies not in their
existence, which can lead to spreadsheets producing erroneous
results, but in the enormous amount of time and effort that goes
into preventing them. Spreadsheets are usually built and maintained
by people who have little or no software engineering
expertise. These people often:

– Do not have good software development processes;

– Are not aware of the characteristics of good software and how
they apply to spreadsheets;

– Do not know good methods of testing and reviewing software;

– Do not know how to design software (especially spreadsheets) so
as to reduce the likelihood of bugs.

The use of simple software engineering techniques can help. Some of
these techniques are described, somewhat briefly, in notes on my
web site. A good starting point is:
http://www.louisepryor.com/showTopic.do?code=sseng.
I have written about this topic at greater length in a workshop
paper for GIRO 2002: Managing the operational risks of
user-developed software, available from
http://www.louisepryor.com/articles.jsp.

===============
4. FSA update

Howard Davies is to leave the FSA to become director of the London
School of Economics. As an ex-academic myself, though not at that
exalted level, I am not convinced that his life will be much
easier. General opinion is that the change at the top won’t lead to
any major changes in the way the FSA operates: risk-based
regulation is clearly here to stay. However, the view has been
voiced from several quarters that now might be a good time to split
the roles of chairman and chief executive. After all, people say,
principles of good governance should surely apply to the FSA, of
all organizations.

Two major fines have been announced so far this month, compared to
three in the first eleven months of the year. In both cases (Abbey
Life and RBS) a major factor was stated to be weaknesses in
internal controls. Will these fines be counted as operational
losses for the purposes of risk monitoring?

New consultation papers out this month:
CP158 Mortgage endowment complaints – Changes to time limits for making a complaint
CP159 Appointed Representatives – extending the current regime
CP160 Insurance selling and administration – the FSA’s high-level approach to regulation

Feedback published this month:
CP147 Implementation of the Fourth Motor Insurance Directive

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Seasonal risks

If you want to stay sane, don’t even think about doing an
operational risk assessment of the holiday season. On top of the
basic health and safety issues, such as carrying large and
extremely hot objects around the kitchen without the appropriate
equipment, what about your systems and controls on the admin side?
Who was left off the Christmas card list and will never forgive
you? Who has been given the same book two years in a row? (Believe
me, it has happened!)

Best wishes for a relaxed Christmas and New Year.

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2002. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, e-mail news-subscribe@louisepryor.com. To
unsubscribe, e-mail news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.