Tuesday, June 24, 2008

Better risk management "is a cultural thing"

With the theme of "Complexity, Compliance & Cost," SunGard Europa, the annual customer conference of financial software provider, SunGard, conducted a rather rigorous post-mortem of what had gone wrong in the lead up to the subprime crisis.

The guest speaker at SunGard Europa, which was held in Prague, was former Czech president Vaclav Havel, who spoke about the complexities of spearheading the "Velvet Revolution" in 1989, which eventually brought multi-party democracy to the country.

While the complexities Havel encountered seem far removed from those that investment banks now find themselves in as new and more complex instruments test risk models, one thing both events share is the need for clear and transparent information as to what is going on.

In the case of the recent sub-prime crisis, however, that information seems to have been compromised by an overemphasis on profits and growth.

Eager to deflect the blame from the automated risk management systems themselves, risk specialists directed a lot of flak for the sub-prime meltdown at Value at Risk (VaR) as a measure of risk exposure and at ratings agencies' modeling techniques.

Commenting on the ratings agencies' models for structured investments, one leading chief credit officer said that, "you begin to wonder what they smoked". "How good is the work that ratings agencies do?" he asked.

With so much focus on growth and profitability, it appears risk management discipline within banks went out the window. "The risk function may have measured these risks, but at CEO level, you have to question whether these risks were accepted," said the credit officer.

The banks were also criticised for their overemphasis on VaR, which speakers concluded did not seem to tell us much, particularly when it comes to more complex instruments, such as derivatives.

Risk specialists at the conference stressed the need for more regular stress testing of risk models. "You can re-run the stock market crash of 1997," said a SunGard spokesman, "but the next catastrophe is not the same as the previous one. Firms need to look at their investment portfolios and say what is the worst that could happen, and take a view as to whether that is reasonable or not."

While a number of firms have broken down traditional silos between market and credit risk, the SunGard spokesman said that credit risk departments tended to say 'no' more often to the business than market risk. "Market risk says no less often to a trade. It is a cultural thing," which may have something to do with the fact that trading, historically, has been one of the most profitable parts of a bank's business.

Complex risk modeling techniques aside, it seems that managing risk sometimes can be as simple as just saying 'no'.

Thursday, June 12, 2008

Key Themes at SIFMA 2008

One could be forgiven for thinking that guest blogger Richard Muirhead of Tideway Systems is in Las Vegas sampling the technological delights and the latest must-have gadgets that are going to wow future generations of teenagers. Instead, he is at the SIFMA Technology Management Conference in New York (the final day no less) where it appears the future of trading resembles a PlayStation video game, and the gamers, Facebookers and tech-savvy teenagers of today are likely to be the future traders of tomorrow. Should we be worried?

Day three at the conference, and several key themes have emerged – this year’s most urgent issues for financial services' IT can be grouped under the following umbrellas:

Extreme Agility

If we now look at the rising expectations of the Facebook and Grand Theft Auto generation - and the fact that in a few short years they will be running the derivatives desk, and from there the bank - this pace of progress simply will not do!

They understand the rate of new features that their favourite websites deliver and have seen the demonstrations of the new handbag rental websites launched on the Amagoogle compute cloud with one dainty tap on the haptic keyboard on their iCommunicator.

Not So Much Efficiency as Survival!

Another thing we heard was there is a more black and white issue that demands attention and a new approach.

First data centres ran out of space, then they ran out of cooling, and now they are running out of power. For each $1 of spend on hardware and software, a further 50 cents is spent to power/cool them. For the 16 million servers across 7000 data centres in the US, that amounts to 350 billion KWhrs - or around 2% of all the electricity in the US.

In California, the sixth largest economy on the planet were it to be a stand-alone country, they were recently 345 MW short of a rolling blackout. The average power consumption of new build data centres is 1000 MW so they were four data centres away from lights out.

Virtualisation allows a shift from coping with client estimated demands and the documented but inaccurate or irrelevant power consumption (and thermal output figures for the many infrastructure components required for their operation) - to an intelligent forecast of the non-functional requirements that a given application will place on a virtualised slice of the environment.

The difference could be between the 6000W max power draw documented for safety reasons where actual draw is around 2500W... so that is how cooling should be engineered. All of these allow for dramatic increases in energy, space and hardware efficiency - and virtualisation also means lower certification overhead for different hardware types to boot.

Data Centres Are For Life, Not Just For Christmas

These creatures stick around, sometimes grow into monsters and take a lot of care. Many large organisations have tens or hundreds of data centres... and many would like to consolidate them to single digits. It’s just not that easy. You can't just fire all the teams and you need some carefully engineered data centre redundancy for availability and indeed compliance. But you also need low-latency for trading apps; SaaS apps; or proximate data centres to support large file transfers around development environments, since the world is not yet fully wired with OC192’s.

The imperative for tomorrow’s data centre is to waste no software licenses; drive utilisation of the server estate from 10% up to 60%; keep within space and power constraints; all while ensuring you can quickly put apps into production for a given workforce up through automation.

Whatever the people are saying about the new build data centres, within a decade the contents will be obsolete. But once we know which data centres need to be kept and where the economics on a typical data centre build are, they can be improved by 150m on 350m by making that shift from 10% to 60%.

Complexity Beyond A Single Man’s Ken

Concatenation of behaviours that distributed applications and now virtualisation depends upon can lead to enormous systemic unpredictability. Soon we will be going from seven physical networks per server to one network with virtualised network I/O, where these then become software configurable.

Everything will be virtualised: NAS; load balancer; LAN; SAN. So then everything can be software provisioned. Ports and servers are dead. As VMs allow application workloads to migrate freely around the estate and the configuration of the application infrastructure shifts into software at all layers, then the policies for network/storage configuration, QoS and encryption need to match the application and also move with the application.

So the initiatives break down into Consolidate; Virtualise; Automate. But the biggest problem in all of this will be the silos that people currently work in. Shifting people from bragging about their deep abilities with a particular technology, product or vendor or the vast number of ports and servers under their management to the high levels of data center utilisation; extreme application availability and high velocity of application improvement, and all so that we can beat our highest score on Grand Theft Auto or make a (bigger) bonus this year.

Wednesday, June 11, 2008

Grand Theft Auto and Zero Tolerance

The fun and games continue for guest blogger Richard Muirhead of Tideway Systems on day two of the SIFMA Technology Management Conference in New York, where he gets to grips with the latest data centre switching system from Cisco, which is finding use not only in banks.

SIFMA, day two. What have I learned? The Grand Theft Auto network incorporates the Cisco Nexus 7000. Operational features for preventing human error, including blinking port lights to guide cable swaps, are key.

What does this have to do with SIFMA? We all know how incredibly intense the world of banking has become. Partly due to mounting competition, partly due to existing or planned regulatory compliance as well as cost constraints, a big spadeful to do with mounting product complexity and market diversity and some (I hope at least a little) due to a contrite sense of obligation to the rest of the world to do a “better job” in the wake of the credit crisis. I hope.

So this bit of the Cisco briefing this morning was not news. Neither is the blissful state that application development and operations teams in financial services have been operating within. What do I mean by that? The business wants to deploy an app - well that will be 90 days for an existing app or five or six months for a new one.

And as Doug Gourlay, who runs marketing for Cisco’s Data Center Solutions practice noted, the 'killer' issue is how do you orchestrate multi-admin collaboration across server deployment, app server configuration, database tuning, storage provisioning, security auditing, HVAC installation, cabling and the rest of the gubbins that goes into making an application happen?

Boiled Sweets, Hand-Rolled Cigars and John McCain

Guest blogger Richard Muirhead, CEO and founder of Tideway Systems reports from the SIFMA Technology Management Conference in New York where signs of a looming US recession appear to be masked by fancy cigars, the latest hand-held and software gimmicks and presidential hopefuls courting Wall Street bankers.

Apparently Wall Street technology budgets are in rude health - that is, if the array of attention-grabbing gimmicks at SIFMA today are anything to go by. Nintendo Wiis; iPod Touches; young ladies in Pink Fairy costumes; and our very own Dave Kirby will be thrilled to hear that one messaging vendor featured a dragon boat’s worth of booth attendants resplendent in tie-dye, trippy t-shirts. They stood out, but they were still not a patch on Dave’s tie-dye jumpsuit.

So such great lengths become necessary when all four floors of the exhibition are packed with vendors touting their wares and you are one of innumerable messaging vendors who appear to be one millisecond faster than one another. At that point perhaps it becomes more the battle of the brands than the technologies. Think of tennis for example; could you prove your game is better with a Head tennis racket than a Dunlop, or does it just matter which racket Federer uses?

Virtualisation was sprinkled around liberally also, from the likes of Sun, IBM, Novell and others. As long as it can resist being overshadowed or at least out-shouted by the crescendo of interest in cloud computing, which I think it shall, then I believe server virtualisation’s finest year is yet to come.

The theme of relentless demand for better infrastructures was a recurring one. Data centres are constrained by space, cooling and perhaps latency, which will have a bigger impact on the surge in new builds. Tracking friends via GPS on Helios; video calling on the new consumer friendly iPhone; computationally intensive derivatives portfolio calculations, could create the biggest strain. Have CFO’s accepted yet that the current acceleration in investment is not a blip, but the beginning of a trend?

Other noticeable themes were complex event processing and 'low-latency’; and I am not just referring to the adept networking of the regulars that make up the PR cognoscenti in the 'SIFMA set'.

So, there I was propping up the bar meeting various journalistic characters that were plucked from an Evelyn Waugh novel. That is until the bar opened and I was told that sitting there for 15 minutes without consuming alcohol was not doing my bit to support the US economy and I should move on.

But I was impressed by the number of people milling round the bar, taking it as clear evidence of frantic education and deal-making - or perhaps simply marketing budgets still bulging from the exuberant planning assumptions of 2008. Until, that is, out of the corner of my eye I caught sight of a neatly turned out, silver haired gentleman, sweeping from a bank of brass-clad lifts and softly holding court to his entourage.

The presumptive candidate and some might say now in the face of Barack Obama’s rising tide of popularity, the presumptuous President: John McCain. What was striking was the relatively small number and indeed small stature of his group. That was until 25% of the bar revelers promptly switched off their secret-service earpieces and vanished into sweltering Sixth Avenue.

Today is to culminate in the parties. The largest, hosted by SunGard, great sushi, lashings of sake, but be careful not to drop your guard. The most exclusive, hosted by the unlikely bed fellows of Intel and Sun and featuring every successful executive’s favourite indulgence: hand rolled cigars. All of this nestling under a party theme of trade-processing power undiminished by prudent and conscientious data centre efficiency. A domani.

Friday, June 06, 2008

Sniffing out SIFMA

While other more fortunate journos will be winging their way to New York in a day or two for the annual SIFMA Technology Management Conference, I have been excluded from such a coterie.

However, FinancialTech Insider will be covering the buzz on the exhibition floor remotely with the help of Richard Muirhead, CEO of Tideway Systems, who will be filing his personal insights on the conference and exhibition on a daily basis.

Tideway Systems helps companies gain greater insight into their IT infrastructure and application dependencies. Richard is the brother of Charlie Muirhead who created software company Orchestream at the height of the dot.com boom. In five years Orchestream went from angel funding of £20,000 to a dual listing on Nasdaq and the London Stock Exchange, and a market cap of more than £1 billion. It was later sold to Metasolv in 2002 and then Oracle in 2006.

Tuesday, June 03, 2008

Rogue trading - not an isolated incident

With rogue trading, data leakage and malicious attacks adding to banks' litany of reputational woes, it is no surprise to learn that banks are taking a peek 'under the bonnet' to see how well their risk management and detection systems are actually performing in today's more heightened regulatory environment.

When the SocGen rogue trading incident blew up earlier this year, other banks may have breathed a collective sigh of relief that it wasn't them receiving the unwelcome publicity, but at the same time they probably secretly acknowledged that rogue trading was not isolated to a single institution.

In fact it is probably fair to say that the bonus culture within most investment banks means they are unlikely to design and implement risk management systems that wholly curtail the creative urges of their traders.

Having said that, it is interesting to hear that an increasing number of firms (85%) plan on modifying internal controls in light of recent rogue trading incidents and that 60% have created special task forces in response to high-profile rogue trading incidents, according to Actimize's Rogue Trading Peer Review.

In order to keep the regulators at bay, banks need to be seen to be doing something to address what is at best an endemic problem. According to Actimize's review findings, more than 75% of respondents anticipate another large rogue trading fraud loss, worth more than $100 million to be uncovered at a large financial institution within the next 12 months.

An additional 50% indicated that rogue trading activities ranging from thousands to millions of dollars go unreported every year at their firms. One has to ask why these incidents are going unreported? Is it because risk management systems are not detecting them? Or is it a culture of silence fuelled by the bonus culture within investment firms that is preventing these incidents from being reported?

According to Actimize's review, 24% of respondents said they had experienced a case of trading fraud at their firms in the last 12 months, and 44% confirmed a case of employee fraud had occurred in the same period.

This confirms the increasing view that the greatest threat financial firms face is not external but internal, be it either unintentional (accidental data leakage from laptops, P2P technologies, USB sticks) or malicious (disgruntled employees, rogue traders).

When it comes to securing trading systems, Frédéric Ponzo, managing director of NET2S consultancy, says historically it has been a case of trying to make conventional security technologies (firewalls, anti-virus, anti-spyware, anti-keyloggers etc) work in a trading environment.

One of the biggest problems, he says, is providing a secure infrastructure around "black box" trading terminals, some of which have email systems that do not necessarily fall within the usual security guidelines and policies of a company. These email systems remain vulnerable to attack or data leakage.

French IT security firm SkyRecon Systems believes it has the answer in the form of its TradeShield solution, which aims to replace point-to-point security solutions in the trading environment with a "single agent, single management console" for managing system and user risk.

Designed specifically for the trading environment, TradeShield provides integrated protection including device control, data encryption, intrusion detection, firewall, network access control and centralised security policy enforcement.

Instead of having to enforce security policies and procedures for normal desktop computer use and trading applications, SkyRecon says that when a trading application is launched, for example, the computer cannot be used for anything else (for example, sending emails, personal instant messaging, peer-to-peer downloads).

The challenge for any solution in this space has to be providing the right level of control while enabling traders to have access to the tools they need (files, emails, IM) in order to trade effectively. Instead of completely "locking down" applications, SkyRecon says TradeShield allows applications to run but with the appropriate level of protection.