Halifax Group Treasury


USER COMPUTING IN FINANCIAL REGULATION
Dean Buckner
Financial Services Authority
July 2003
What I do
• One of a small group of internal specialists (“Risk Review Department”)
• Specialist in IT supervision
• Originally “large groups” in investment banking, now all firms
End user computing (EUC)
• Definition
– Development of reasonably complex, business critical applications
• Rapid growth
– Spreadsheets
– Databases (ACCESS, SQL)
Where found
• Everywhere
– Front Office: pricing and valuation
– Middle office - accounting databases, queries, risk management
– Back office - confirmations, settlement
• Wholesale, retail, insurance, branch banking, all over the place
The problem of EUC
• Operational error
– hedging
– valuation
– calculation of risk
• Financial crime
– AllFirst
– other incidents not made public
Token war story
• “the ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated”
– (From a visit last week)
So is EUC a bad thing?
• Definitely not!
• FSA is not, and never has been opposed to the use of spreadsheet and other user-developed applications for business critical purposes
• Essential to business efficiency
– But need “appropriate controls”
The Real Problem
• Poorly managed solutions
• Failure of senior management to understand user developed systems
– perception that user computing is “bad”
– belief in “strategic solution”
– users do it anyway
– the budget paradox
The Budget Paradox
• It is impossible to find a budget for any form of IT development required by the business
– this implies the firm cannot afford it
• Always, some salaried employee of the firm finds the time, and non-IT budget to develop solution
– this implies the firm can afford it!
Why user computing is better
• Cheap to develop (but disasters are not cheap)
• Uses detailed knowledge of business
• Can be part of overall strategy
• Centralised databases are inflexible
– and perform badly
Driving licence analogy
• 1920’s - private transport for v. rich
• 1930’s - huge growth in personal transport
– 1m vehicles ...
– ... and huge accident rate!
• Now 20m vehicles - but lower absolute rate
– give people responsibility
– manage accordingly
– and more driving instructors!
Ideas
• Appropriate framework for user computing
– change of mindset (senior mgt, IT)
– user training (of the right sort)
– Highway code?
– Licence and accreditation?
– Audit standards
– Data standards
• The “M” problem
Change of mindset
• Senior management should have appropriate strategy for
– “legacy” systems (separate subject)
– package implementation (separate subject)
– user computing (ACCEPTANCE THAT IT EXISTS!)
• Regulators can have influence
User Training
• Books about spreadsheets focus on minutiae and technicalities
• “Wizard” problem
• No focus on “ility”
– testability
– maintainability
– auditability
Highway Code
• Most problems I see are similar
– Use of “literals”
– code fragmentation
– user maintainability
– access control, segregation &c
• Most have a trivial solution
• Elementary training could eliminate 90% of errors?
Accreditation
• One of our firms already links business’s capital charge to accreditation in EUC
• Incentive for business to train, apply controls, document &c
• Overcomes “budget paradox”
– budget to regulatory capital work
Audit
• IT auditors focus on large information systems
• Tend to regard spreadsheets as user problems, not their concern
• Internal auditors review generic process - but not tools that support decision making in process.
Data standards
• In the old days
– systems were “closed”
– input/output tightly formatted
– IT effectively “owned” data
• Then they invented
– downloads, SQL queries, email attachments
• No concept of “data citizenship”
The “M” problem
• ACCESS is designed to produce fragmented code:
– Queries are software
– Macros are software
– Code modules are software
– “Forms” are software
– “Formula builders” are software
• After spreadsheets, probably the most common user-developed platform!
Questions & Comments