200 likes | 284 Vues
USER COMPUTING IN FINANCIAL REGULATION. Dean Buckner Financial Services Authority July 2003. What I do. One of small group of internal specialists (“Risk Review Department”) Specialist in IT supervision Originally “large groups” in investment banking, now all firms.
E N D
USER COMPUTING IN FINANCIAL REGULATION Dean Buckner Financial Services Authority July 2003
What I do • One of small group of internal specialists (“Risk Review Department”) • Specialist in IT supervision • Originally “large groups” in investment banking, now all firms
End user computing (EUC) • Definition • Development of reasonably complex, business critical applications • Rapid growth • Spreadsheets • Databases (ACCESS, SQL)
Where found • Everywhere • Front Office: pricing and valuation • Middle office - accounting databases, queries, risk management • Back office - confirmations, settlement • Wholesale, retail, insurance, branch banking, all over the place
The problem of EUC • Operational error • hedging • valuation • calculation of risk • Financial crime • AllFirst • other incidents not made public
Token war story • "the ACCESS database used by capital markets for confirmations had a fault in its original design. The original table of counterparties had never been updated” • (From a visit last week)
So is EUC a bad thing? • Definitely not! • FSA is not, and never has been opposed to the use of spreadsheet and other user-developed applications for business critical purposes • Essential to business efficiency • But need “appropriate controls”
The Real Problem • Poorly managed solutions • Failure of senior management to understand user developed systems • perception that user computing is “bad” • belief in “strategic solution” • users do it anyway • the budget paradox
The Budget Paradox • It is impossible to find a budget for any form of IT development required by the business • this implies the firm cannot afford it • Always, some salaried employee of the firm finds the time, and non-IT budget to develop solution • this implies the firm can afford it!
Why user computing is better • Cheap to develop (but disasters are not cheap) • Uses detailed knowledge of business • Can be part of overall strategy • Centralised databases are inflexible • and perform badly
Driving licence analogy • 1920’s - private transport for v. rich • 1930’s - huge growth in personal transport • 1m vehicles ... • ... and huge accident rate! • Now 20m vehicles - but lower absolute rate • give people responsibility • manage accordingly • and more driving instructors!
Ideas • Appropriate framework for user computing • change of mindset (senior mgt, IT) • user training (of the right sort) • Highway code? • Licence and accreditation? • Audit standards • Data standards • The “M” problem
Change of mindset • Senior management should have appropriate strategy for • “legacy” sysstem (separate subject) • package implementation (separate subject) • user computing (ACCEPTANCE THAT IT EXISTS!) • Regulators can have influence
User Training • Books about spreadsheets focus on minutiae and technicalities • “Wizard” problem • No focus on “ility” • testability • maintainabilty • auditability
Highway Code • Most problems I see are similar • Use of “literals” • code fragmentation • user maintainability • access control, segregation &c • Most have a trivial solution • Elementary training could eliminate 90% of errors?
Accreditation • One of our firms already links business’s capital charge to accreditation in EUC • Incentive for business to train, apply controls, document &c • Overcomes “budget paradox” • budget to regulatory capital work
Audit • IT auditors focus on large information systems • Tend to regard spreadsheets as user problems, not their concern • Internal auditors review generic process - but not tools that support decision making in process.
Data standards • In the old days • systems were “closed” • input/output tightly formatted • IT effectively “owned” data • Then they invented • downloads, SQL queries, email attachments • No concept of “data citizenship”
The “M” problem • ACCESS is designed to produce fragmented code: • Queries are software • Macros are software • Code modules are software • “Forms” are software • “Formula builders” are software • After spreadsheets, probably the most common user-developed platform!