News update 2003-06: June 2003
===================

A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com).

Comments and feedback to news-admin@louisepryor.com. Please tell me if
you don’t want to be quoted.

Subscribe by sending an email to news-subscribe@louisepryor.com.
Unsubscribe by sending an email to news-unsubscribe@louisepryor.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.

In this issue:
1. Pasting is dangerous (1)
2. Pasting is dangerous (2)
3. Do you have effective backups?
4. FSA update
5. Virus (and non virus) dangers
6. Newsletter information

===============
1. Pasting is dangerous (1)

Next time you paste some figures into a spreadsheet, be afraid. Be
very afraid. Someone at TransAlta Corporation managed to lose $24m
(Canadian) through a “clerical error” in pasting into an Excel
spreadsheet. The spreadsheet in question was used to submit bids
to the New York Independent System Operator (New York ISO) for May
2003 transmission congestion contracts (TCCs). It’s not really
important to understand what TCCs are: the crux of the problem is
that you put bids in at the end of one month that affect the prices
you pay during the next. Once submitted, the bids can’t be
retracted. Because of the spreadsheet error, TransAlta ended up
with more TCCs than they wanted, and at higher prices than they
intended. They didn’t spot the error until they were notified that
their bids had been successful.

There are at least two operational failures evident in this
story.

First, the whole thing was an accident waiting to happen if pasting
numbers into the spreadsheet was part of the normal process of
preparing these bids. Manual pasting is notoriously prone to
errors. If data has to be transferred between spreadsheets,
automatic links (used with appropriate precautions) or automated
copying and pasting via macros (ditto) are much safer. If the
pasting was unusual, then extra care should have been taken and
more thorough testing should have been performed.

Which brings us to the second failure. How come the error wasn’t
found before the bids were submitted? The answer has got to be
that there was inadequate review and testing. I suspect that there
weren’t formal tests, and that the reviewing was not systematic. It
isn’t difficult to devise effective reviewing procedures that
should pick up this sort of problem (we are told that the error was
caused by mismatching bids and prices, which implies that the error
was due to misaligning the pasted region).

A transcript of the investor conference at which the error was
explained can be found at http://dupleish.notlong.com. A brief
summary is at http://www.theregister.co.uk/content/67/31298.html.

===============
2. Pasting is dangerous (2)

Just the other day a similar error was discovered before it was too
late. The error came to light in a university examiners meeting:
the spreadsheet containing the marks for a small joint degree (3 or
4 students) was found to be wrong. The numbers just didn’t make
sense, as the average marks were inconsistent with the range of
individual marks. The numbers were recalculated by hand before the
end of the examiners meeting, and no harm was done, let alone $24m
worth.

The problem was caused (again) by copying and pasting: the formulae
were correct in the first row, but not in the later rows. History
doesn’t relate, but presumably it was a question of relative versus
absolute references.

The spreadsheet had actually been checked before the meeting by the
Chair of one of the departments involved. Unfortunately, the check
had been confined to the first row, which was indeed correct.

There are several morals to this story.
– be very afraid when copying and pasting
– don’t rely on checking the formulae, look at overall
reasonableness too
– if you’re checking a representative sample of formulae, remember
that the first row (or first column) probably isn’t
representative.
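
The review checks that sections 1 and 2 call for can be scripted. The block below is an added example written for this newsletter, not code from any of the organisations mentioned, and all of its data is constructed: a small marks sheet in which the first-row formula is right and the copies below it were pasted without their references moving (section 2), and a bid block whose price column was pasted one row out of line with the quantities (section 1). It shows three independent checks: formula-pattern consistency down a column (references rewritten relative to the cell holding them, so correctly filled-down formulas share one pattern), reasonableness of each reported average against the marks it summarises, and cell-by-cell reconciliation of a pasted block against its source. The cell-model (a dict keyed by row and column number) and the helper names are this example's own assumptions.

```python
"""Review checks for pasted spreadsheet data (added example; constructed data)."""
import re
from collections import defaultdict
from itertools import zip_longest

# A1-style cell reference: optional $ before the column letters and/or the row
# digits. The lookahead stops "LOG10(" from being read as a reference to LOG10.
REF_RE = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)(?![\d(])")


def col_to_index(letters):
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def to_relative(formula, row, col):
    """Rewrite every reference in `formula` relative to the cell (row, col) that
    holds it, R1C1-style: relative parts become offsets, $-anchored parts stay
    fixed. Formulas that were correctly filled down then share one pattern."""
    def repl(m):
        col_abs, letters, row_abs, digits = m.groups()
        r, c = int(digits), col_to_index(letters)
        rpart = f"R{r}" if row_abs else f"R[{r - row}]"
        cpart = f"C{c}" if col_abs else f"C[{c - col}]"
        return rpart + cpart
    return REF_RE.sub(repl, formula)


def formula_patterns(sheet):
    """sheet: {(row, col): content}; formula cells are strings starting with '='.
    Returns {col: {relative_pattern: [rows using it]}}."""
    patterns = defaultdict(lambda: defaultdict(list))
    for (r, c), v in sorted(sheet.items()):
        if isinstance(v, str) and v.startswith("="):
            patterns[c][to_relative(v, r, c)].append(r)
    return {c: dict(p) for c, p in patterns.items()}


def inconsistent_columns(sheet):
    """Columns whose formulas do not all share a single relative pattern."""
    return sorted(c for c, p in formula_patterns(sheet).items() if len(p) > 1)


def averages_out_of_range(rows):
    """rows: [(label, [marks], reported_average)]. An average lying outside the
    range of the marks it summarises cannot be right; returns the labels."""
    return [label for label, marks, avg in rows
            if not min(marks) <= avg <= max(marks)]


def paste_mismatches(source, pasted):
    """Reconcile a pasted block against its source cell by cell.
    Returns [(row, col, source_value, pasted_value)]; a missing row or cell
    appears as None on one side."""
    diffs = []
    for r, (src_row, dst_row) in enumerate(zip_longest(source, pasted, fillvalue=[])):
        for c, (s, d) in enumerate(zip_longest(src_row, dst_row)):
            if s != d:
                diffs.append((r, c, s, d))
    return diffs


# Constructed marks sheet: name in column 1 (A), three marks in 2..4 (B..D),
# average in 5 (E). Row 2 is right; rows 3-5 were pasted without the
# references moving, so every row averages Ann's marks.
SHEET = {
    (2, 1): "Ann", (2, 2): 60, (2, 3): 70, (2, 4): 80, (2, 5): "=AVERAGE(B2:D2)",
    (3, 1): "Ben", (3, 2): 40, (3, 3): 50, (3, 4): 45, (3, 5): "=AVERAGE(B2:D2)",
    (4, 1): "Cal", (4, 2): 65, (4, 3): 75, (4, 4): 70, (4, 5): "=AVERAGE(B2:D2)",
    (5, 1): "Dee", (5, 2): 85, (5, 3): 90, (5, 4): 95, (5, 5): "=AVERAGE(B2:D2)",
}
# The values column E of SHEET would display (constructed to match the formulas).
MARK_ROWS = [
    ("Ann", [60, 70, 80], 70), ("Ben", [40, 50, 45], 70),
    ("Cal", [65, 75, 70], 70), ("Dee", [85, 90, 95], 70),
]
# Constructed bid block [quantity, price]; the price column was pasted one row off.
BIDS_SOURCE = [[100, 2.50], [200, 3.10], [150, 2.80]]
BIDS_PASTED = [[100, 3.10], [200, 2.80], [150, 2.50]]

if __name__ == "__main__":
    print("columns with mixed formula patterns:", inconsistent_columns(SHEET))
    print("patterns in column E:", formula_patterns(SHEET)[5])
    print("rows whose average lies outside their marks:", averages_out_of_range(MARK_ROWS))
    print("pasted cells differing from source:", paste_mismatches(BIDS_SOURCE, BIDS_PASTED))
```

Run as a script it reports column 5 as inconsistent (four distinct patterns, one per row), flags Ben and Dee, and lists the three price cells that differ from the source. Two limits are worth noticing: a check confined to row 2, as in the story, passes, because that row is correct; and Cal's row is not flagged by the reasonableness check, since the wrong average happens to fall inside his own range of marks, which is why the formula-pattern and reconciliation checks are needed alongside it.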

===============
3. Do you have effective backups?

A survey of 100 IT managers at Fortune 1000 companies indicates
that about 60% of corporate data is stored on desktop PCs or on
laptops; and 80% of PC users don’t have effective backups for data
or configuration settings.

Meanwhile, another survey showed that 80% of UK SMEs have no
business continuity plan in place at all.

If true, these figures show that there is an accident waiting to
happen, but it should be noted that both surveys were conducted by
interested parties. CoreProtect (http://www.coreprotect.com) sells
products to back up configuration settings, and Xbridge
(http://www.xbridge.com) is trying to encourage firms to take out
business continuity insurance. I have been unable to track down any
information about either survey on their respective web sites.

The surveys were reported by out-law.com (available at
http://empfissa.notlong.com) and Yahoo
(http://biz.yahoo.com/prnews/030528/law046_1.html).

I may not have confidence in the actual figures quoted in these
reports, but I certainly believe that backups from desktops and
(especially) laptops are not as thorough as could be desired. Users
have a nasty habit of storing files locally rather than on shared
server drives. Of course, with laptops they pretty much have to do
that.

Of course in some ways the use of laptops may help business
continuity; the laptop (and its un-backed-up data) may be available
when the servers aren’t. But it’s probably more likely that
something bad will happen to the laptop (injury, theft, or
whatever) and the server will remain intact, but without the vital
data.

===============
4. FSA update

This has been a very light month for consultation and feedback.
However, there have been a couple of somewhat interesting
publications.

The Annual Report for 2002/3 was issued in the middle of June. It
comes in two flavours, the full version with 221 pages and a
summary with 48 pages. One of the most useful parts is the
organisational chart at the end (of the summary version, at least;
I haven’t downloaded the 8.59MB of the full version).
Both versions are available from
http://www.fsa.gov.uk/pubs/annual/ar02_03/index.html

On 12th June Michael Foot gave a speech to the City and Financial
Conference on Operational Risk on “Operational risk management –
Best practice strategies in light of final Basel proposals.” He
talked about why operational risk has a higher profile than in the
past, and why this will continue into the future. The FSA is taking
operational risk very seriously, as it affects three of the four
statutory objectives. It has recently undertaken a survey of
operational risk management practices, which will shortly be
published. A big issue is going to be implementation of Basel 2 as
the timetable is fixed (and the proposals aren’t final yet). Foot
didn’t talk about the EU proposals and their effect on non-banks.
The speech is available at
http://www.fsa.gov.uk/pubs/speeches/sp135.html

New consultation and discussion papers out this month:
-----------------------------------------------------

No consultation or discussion papers have been issued since my last
newsletter.

Feedback published this month:
------------------------------

CP169 Professional Indemnity Insurance for personal investment
firms

Current consultations, with dates by which responses should be
received by the FSA, are listed at
http://www.fsa.gov.uk/pubs/2_consultations.html

===============
5. Virus (and non virus) dangers

A few weeks ago we heard a lot about the Bugbear.B virus. It was,
we were told, going to create havoc in financial institutions; it
contained a list of domain names, and if it found itself in one of
those domains it would turn on key-logging capabilities and then
email sensitive data, including passwords, to specified email
addresses.

So what happened? Not a lot, really. Many people were infected,
but they were mostly home users rather than financial
institutions. It turns out that most financial institutions have
pretty effective anti-virus and firewall software in place
(sometimes too effective; it can be difficult to get genuine files
through some of them). On the other hand, home users often don’t
have up-to-date anti-virus protection, and only rarely use
firewalls.

I usually feel a little smug at this point; even without anti-virus
software I would be less vulnerable than many people. I don’t use
Outlook, and in particular I use a mail program (The Bat!) that
doesn’t use the Windows address book. This means that even if I am
infected, I won’t infect other people. Also, I use the option to
read my email as text rather than HTML. One of Bugbear.B’s nasty
little habits is to use a bug in some versions of Internet
Explorer, whose code is used to display HTML mail in Outlook and
some other mail readers. This bug means that some mail attachments
are automatically opened; if they contain viruses, all is lost.

Meanwhile, there was another spate of the hoax jdbgmgr virus. Every
so often I get sent email telling me that there is a new virus on
the loose, and that I can tell that I have been affected if there
is a file called jdbgmgr.exe. The message will go on to say that
anti-virus software won’t detect the file, and that I should delete
it immediately, before sending email to everyone whose address I
have to warn them of the problem.

The file isn’t detected by the anti-virus software because it’s not
a virus. It’s a perfectly harmless file that will be found on most
Windows systems. Luckily it’s not often used, so deleting it won’t
do any harm.

I find it amazing that people will jump in and delete a file from
their computer on the say-so of a random acquaintance. The people I
have received this hoax from are not, on the whole, people I am in
regular contact with, and are typically not people I would consider
to be particularly knowledgeable about computers (the exception was
a Professor of Computer Science, but he may not often get his hands
dirty nowadays). It’s very lucky that more damage hasn’t been done;
people could completely wreck their systems if they deleted the
wrong files without knowing what they were doing.

It is very easy to tell if email like this is genuine: use
Google. Just search for “jdbgmgr” (in this case) and see what you
get.

Symantec’s information on Bugbear.B can be found at
http://bobwomia.notlong.com

Free firewalls for home use include Tiny Personal Firewall
(http://www.tinysoftware.com/home/tiny2?la=EN) and ZoneAlarm
(http://www.zonelabs.com/store/content/home.jsp).

The Bat! is at http://www.ritlabs.com/the_bat/. Other free, or
cheap, mail readers that don’t use the Windows address book are
Eudora (http://www.eudora.com) and Pegasus Mail
(http://www.pmail.com/index.cfm).

Symantec’s information on the hoax virus is at
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

===============
6. Newsletter information

This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. You
may distribute it in whole or in part as long as this notice is
included. To subscribe, email news-subscribe@louisepryor.com. To
unsubscribe, email news-unsubscribe@louisepryor.com. All comments,
feedback and other queries to news-admin@louisepryor.com. Archives
at http://www.louisepryor.com/newsArchive.do.