Technology Risk Management in Capital Markets
It is quite troubling and perplexing to witness the technology mishaps that have occurred recently in the world of capital markets. For more than two decades, technology has shaped and continues to define the architecture of capital markets globally; hence, it is imperative at this stage in the evolution of the markets to come to certain realizations about the inherent risk that lies in this dependency on information technology for the industry overall.
In addition to major market events that have been blamed on technology such as the Flash Crash in May 2010, news organizations have reported many technology related snafus over the last couple of months:
- March 2012: BATS own IPO is scuttled by a computer glitch
- May 2012: NASDAQ OMX Facebook IPO Glitch
- August 2012: Knight Capital Debacle
- August 2012: Madrid-based Bolsas y Mercados Espanoles suffered a glitch that halted trading at the stock market for more than four hours.
- August 2012: The Tokyo Stock Exchange Group’s second major system error in seven months halted derivatives trading for about 95 minutes.
Some prominent industry executives have expressed their viewpoint. The New York Stock Exchange CEO Duncan Niederauer recently stated that “speed is not always better” and that the market is “broken”. However, no credible voice has emerged denouncing the use of technology and calling for market participants to stop relying on their systems for conducting business. The reason as we all know is quite simple: technology is the thread that weaves the connected architecture of the capital markets industry. Without technology there is no industry as we know it. In fact, there is no sign on the horizon to indicate that this technology race for speed is anywhere close to an end despite declining rates of return.
Financial services firms, like firms in other industries rely heavily on information technology to conduct/enable business or operate efficiently. There are industries, such as the auto industry, that maintained their basic profit generating principles despite its use of technology. Other industries were simply built on information technology such as telecommunications. The capital markets industry is one of the few industries that maintained its basic fundamental concepts (equity, debt, derivatives…) while using technology as an agent of drastic business transformation.
It is one thing to replace the trading floor of an exchange with an electronic market but it is completely something unique among industries when a new business model emerges based entirely on the speed with which information can be used to seek profits.
Technology now defines the industry and on many occasions the industry helped push technology to new realms. The pervasiveness of technology in the market effectively makes the market a large scale software system with each market player contributing a component of that system.
The merit or adequacy of this business model and the underlying market architecture is not the subject of this analysis. In what follows we will examine what every market player has realized: technology risk is now inherent in the current architecture of the markets.
Technology risks are prevalent. Some are associated with operational risk and are dealt with using risk mitigation measures. For example, disaster recovery plans address the risk associated with complete loss of technology that may occur due to natural and unnatural events such as a terrorist act or earthquakes. Other types of technology risks are quite difficult to mitigate such as software defects. Software quality assurance or software testing (functional, performance, regression and integration testing) is the only way software defects can be detected and rectified before software applications become production systems.
The most elusive type of risk is market integration systems risk (MISR).
What is market integration systems risk (MISR)?
MISR is the technology manifestation of systemic risk. It is the risk of market failure due to a technology mishaps occurring at one of the market participants. A glitch of this nature will propagate through the interconnected and tightly coupled system market architecture. Since the whole market is one system, the failure of one component will lead to the entire system failure.
One way we can define MISR is by drawing on principles from game theory, systems engineering and utility optimization. Very simply, the global capital markets industry is a big lightly designed system whose architecture emerged over time through innovation and light regulation. Each player utilizes the system in such a way to optimize (or maximize) its own utility (no matter how it is defined). As each player carries out changes to its system-wide engagement mechanism, the likelihood of system-wide glitches increases. There are many moving parts to a system and the effect of one part of the system on the other parts and the entire system is not very well understood. The more players there are in the market, the higher the risk of MISR since this technically means more moving parts.
What are the factors that are increasing the probability of system failure? Why are more of these glitches happening?
In addition to the growing number of players and complete reliance on technology to run the markets, there are indirect reasons as to why the likelihood of system failure is increasing:
- Industry players are in a frenzy to meet various internal and external obligations due to increased pressure on budgets and additional regulatory requirements. The rush to develop functionality has always resulted in quality issues.
- Budget pressures are occurring due to the “New Normal” phenomenon as described in the introduction to the July issue of this publication by the deputy secretary general of WFE, Mr. Clifford. As with any industry facing a (temporary) contraction, more automation will be sought to maintain productivity.
- Regulatory requirements emerging out of the 2008 crisis are quite demanding. Technology departments have been quite busy trying to interpret rules and implement necessary changes to be able to partake in the new “central” clearing and trading of vanilla type OTC products.
- There is also a high degree of adoption of third party software. However, financial technology solution providers are facing a shrinking market and severe competition coupled with an increasing demand from clients for new functionality. Software vendors servicing the market are not in an enviable economic situation overall.
- Cloud computing adoption is one more factor that will add to MISR. The technology is helping to cut cost and add flexibility to the infrastructure but will make problems more difficult to track and difficult to manage if (or when) things go wrong.
Proper software engineering practices when properly institutionalized will add a much needed layer of safety.
Software applications are engineered systems. There are software systems engineering fundamentals that always guide software design. Systems architecture is one of them. Systems architecture is like the DNA of software applications. The architecture determines the lifetime of an application as system requirements change and functionalities are added or removed. Systems are engineered to deliver specific capabilities and there is no system engineered economically so as to continue to be modified without limits. These limits are determined by the architecture of the system.
Complexity of software systems in capital markets has grown many folds over the last two decades so as to inject more speed into the markets but the software architecture of many systems whether in-house or procured is on the average 5 years old which is on the high side.
Despite this layered complexity, it is not news that the software quality assurance function in any software development organization does not receive the attention or the budget it deserves. It is difficult to find an organization which budgets 30% of development cost to testing per industry guidelines. In fact, on average only around half of the recommended 30% of the development budget is spent on testing.
The case of Knight Capital is one such example. Proper quality assurance processes would have prevented this incident from taking place. The fact that Knight is initiating a review of the company’s computer systems and technical infrastructure is evidence of the lack of adequate internal quality controls including the IT audit function. This is not unique to Knight Capital.
The combination of all the above factors is weighing on the market players and hence the market.
The Securities and Exchange Commission (SEC) said it will convene a roundtable on the stability of technology used in operating capital markets, on September 14. SEC’s staff has been instructed to devise a rule that will require exchanges and market centers to ensure the capacity and integrity of the systems they operate.
The roundtable, set out as “Technology and Trading: Promoting Stability in Today’s Markets” will bring in experts on “designing, operating, and controlling the systems that form the core of our market’s infrastructure.”
No software is free of defects and no SEC rule will make software free of defects. In this federated market architecture, the real responsibility lies with the market players themselves. More effort (and money) is needed to assure the quality of software especially when functional complexity has multiplied many folds. Proper software engineering practices when properly institutionalized will add a much needed layer of safety. However, the challenge in doing this is to be able to contemplate the various testing scenarios given the trading strategies implemented by each and every algorithm. Quality assurance staff members are not qualified to do that. It is the responsibility of the programmers coding the strategies to test the complex code they develop and to envision the boundary conditions that may arise when the markets move in various directions.
Furthermore, proper risk management practices dictate that a macro level system-wide integration testing of the web of connected systems of the capital markets industry is now an imperative. An example is where a system referee or umpire (possibly SEC like organization) would devise a set of tools that will continuously patrol the markets and stop the offenders. But, this is definitely a far-fetched measure to realize given the huge effort, coordination and commitment required from market players globally.
A more practical measure is to test each market’s robustness and survivability using specific failure scenarios. To be effective, these stress testing scenarios would have to take into consideration various algorithmic trading strategies commonly used by market players with access to this market. This collective testing should be coupled with a dynamic layer of reconnaissance that will maintain system integrity parameters within acceptable levels. It is evident that current rules introduced by the SEC for both market operators and market players are not effective mitigation measure against MISR.
Exchanges are where the tires hit the road. Recent events have proven the importance of exchanges as integral parts of the markets. MISR is a real risk to the integrity and robustness of these markets. The system overall cannot be designed to prevent players from making one or many “bad” trades but it should be guarded from the shock resulting from the systems of a single player going astray. This can only be achieved through the cooperation of the market players and the market operators and not through an extra set of regulations.
About Mayiz Habbal
Mayiz Habbal is founder and chief executive officer of Capital Markets Leaders Group LLC. Dr. Habbal is a thought leader in the securities and investments industry. Before starting his own research and consulting business focusing exclusively on capital markets, Mayiz led the Securities and Investments Celent Group at Oliver Wyman Financial Services global management consulting firm for more than five years where he advised industry participants on key strategic global initiatives. He previously held senior executive positions with UBS, Dresdner Bank, Bank of America and Oracle Siebel. He holds a PhD and SM in Operations Research from MIT.