A financial services company had been regularly overpaying its policyholders by small amounts for years. There were 9,500 customers with this policy, and each had been receiving overpayments of between £5 and £30 (an average of £20) per year for an average of 8 years. Recovering the money was rejected as an option because of the potential legal costs and the potential adverse publicity. Total direct losses were £1.52m and the cost of correcting the systems was approximately £550,000. The event also had to be reported to the regulator.
A financial services company issued laptops to all its sales staff in order to reduce costs and improve compliance. This allowed sales staff to work from home, saving on office costs, and software on the laptops encouraged them to enter new business in a standardised and compliant fashion. Following several high-profile press reports of lost customer data, management issued an edict that all company laptops were to be encrypted within one month; many were known to contain significant amounts of sensitive client data.
A policyholder who was legitimately paid over three hundred thousand pounds was paid the same amount a second time in error. Although an experienced staff member noticed the duplicate payment almost immediately, the policyholder refused to repay the money and moved abroad. The resulting investigation uncovered several hundred historical cases of overpayment which, although each quite small, amounted to a further £2.1m.
A denial of service attack was mounted on a financial services company, leaving the company's website and email systems inoperative for three days. The company invoked its business continuity plan, which relied on the resources of a third-party continuity supplier. Although basic operations could be carried out from the continuity site, the usual standards of service, already strained, fell short and damaged the company's reputation. Significant service backlogs built up and service targets were missed on a large scale. Regular business continuity exercises had been carried out, but they were largely desk-based and not rigorous enough to reveal these shortfalls; on the strength of those exercises, formal assurance had been given to the board with a 'green' risk rating.
Although spreadsheets were permitted as a development tool under an investment company's governance protocols, pressure to bring innovative investment products to market quickly resulted in a rogue product being launched that was built on spreadsheets the company's compliance department had never been told about. As a result, the mandatory compliance safeguards were bypassed. The product had been built by a small group of people new to the organisation who were unaware that strict procedures had to be followed before a product could be launched. Had the product succeeded, the rewards for this group would have been immense.
To find out more about Luxon Risk Systems and the various ways in which we can help you please get in touch.