Knight Capital is an amazing example of a well-known, established technology process being performed badly and having a significant impact. The downfall of Knight Capital was not due to malicious hackers or angry insiders: it was the result of poor change control.
Obviously, any firm needs to worry about outside attackers or unhappy employees trying to steal money. But when you are dealing with a critical business service - in the case of Knight Capital, an algorithmic trading application - it's important to focus on the mundane as well. Change control, which ensures that changes to applications, middleware or infrastructure are performed properly, is a mundane but critical function.
For other firms, poor change control might lead to a service outage, and there are many examples of such outages. In the case of Knight Capital, in about an hour, it led to a loss of $440 million.
In the case of Knight Capital, when a change to a trading algorithm was pushed to production, the change was made to 80% of the intended servers and not 100%. Because the change was not deployed everywhere, the trading system ran amok and lost $440 million. The event is well documented.
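The failure mode described above, a change that reaches only part of the intended fleet, is the kind of thing a pre-activation gate can catch. The following is an added example, not code from the original post or from Knight Capital's systems; the host names, release digests and the `verify_rollout` function are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class RolloutReport:
    matched: list = field(default_factory=list)     # hosts on the approved build
    stale: dict = field(default_factory=dict)       # host -> digest actually found
    missing: list = field(default_factory=list)     # intended hosts that reported nothing
    unexpected: list = field(default_factory=list)  # reporting hosts not in the change record

    @property
    def coverage(self) -> float:
        total = len(self.matched) + len(self.stale) + len(self.missing)
        return len(self.matched) / total if total else 0.0

    @property
    def safe_to_activate(self) -> bool:
        # Anything short of every intended host on the approved build blocks the change.
        return bool(self.matched) and not (self.stale or self.missing or self.unexpected)


def verify_rollout(intended, expected_digest, observed):
    """Compare the digest each host reports against the approved release digest."""
    report = RolloutReport()
    for host in sorted(intended):
        digest = observed.get(host)
        if digest is None:
            report.missing.append(host)
        elif digest == expected_digest:
            report.matched.append(host)
        else:
            report.stale[host] = digest
    report.unexpected = sorted(set(observed) - set(intended))
    return report


# Constructed sample data: five hypothetical hosts, one left on the old build.
NEW = hashlib.sha256(b"trading-app release 2 (constructed)").hexdigest()
OLD = hashlib.sha256(b"trading-app release 1 (constructed)").hexdigest()
INTENDED = {f"trade-{n:02d}" for n in range(1, 6)}
OBSERVED = {**{h: NEW for h in INTENDED}, "trade-05": OLD}

if __name__ == "__main__":
    r = verify_rollout(INTENDED, NEW, OBSERVED)
    print(f"coverage {r.coverage:.0%}, activate: {r.safe_to_activate}")
    for host, digest in r.stale.items():
        print(f"BLOCK: {host} still runs {digest[:12]}")
```

With the sample data the gate reports 80% coverage and refuses activation, naming the host that still runs the old build.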
Knight Capital is an INCREDIBLE example of poor Technology Risk Management. Technology Risk Management is focused on managing technology based on possible business impact. While every firm relies on information technology today, the focus of controls and oversight should be on the technology or services with the most potential business impact on the company. In this example, the change to this trading application should have been a high-profile change due to the possible negative impact of $440 million. Had the potential dollar losses been clearly identified and articulated, more attention would have been paid to the change to ensure no mistakes were made.
Technology Risk Management identifies high-value and high-risk technology services and prioritizes controls for those services.