News update 2003-08: August 2003
A monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
Comments and feedback to email@example.com. Please tell me if
you don’t want to be quoted.
Subscribe by sending an email to firstname.lastname@example.org.
Unsubscribe by sending an email to email@example.com.
Newsletter archived at http://www.louisepryor.com/newsArchive.do.
In this issue:
1. Web site accessibility
2. Time is money
3. Viruses multiply
4. FSA update
6. Newsletter information
1. Web site accessibility
So you get these whizzy web site designers in, all dressed in
black, and they produce some very artistic story boards showing
possible designs. You choose one, they develop a prototype and give
you a demonstration. It looks great. Technically sophisticated.
Right up to the minute, design wise. It’s going to be a big
marketing advantage, right?
Well, not necessarily. When they demonstrated it to you, it worked
really quickly, but what would it be like downloading over a phone
line? It looked cool in Internet Explorer, but what about in other
You may think that only a few people use other browsers, or don’t
have Flash installed, or will complain if they can’t adjust the
size of the text, but those few people may hit your pocket hard.
First, a small proportion of a lot of people is still a lot of
people, and implicitly denying them access to your site is not
going to help your marketing effort. Second, some people use other
choice but out of necessity. They may have visual impairments, or
not be able to use a mouse, or be disabled in some other way.
It is a legal requirement to make sites accessible to the disabled,
and the Royal National Institute for the Blind (RNIB) is apparently
backing a number of people who are taking court action. Companies
that are sued run the risk of having to pay compensation, and will
also receive some bad publicity.
Meanwhile, a survey of 96 of 99 FTSE 100 companies (don’t ask)
showed that 21 of them failed basic accessibility tests. The three
not surveyed were so impenetrable that they could not be tested at
Blind sue over site failings: http://www.vnunet.com/News/1142213
2. Time is money and more
How much time do people in your organisation spend waiting for
spreadsheets to do their calculations? You might be surprised: it’s
not uncommon to see macros that take up to half an hour to
execute, or spreadsheets that take 10 seconds to recalculate. This
is clearly a productivity issue, but it has wider implications too.
If something takes a long time, you will do it less often. So if
you have a macro that is very slow, you are less likely to test it
thoroughly, and it is more likely to be wrong. In addition, you
aren’t going to explore the possibilities nearly as much as you
would if it took only a minute to run. For instance, you might not
spot some cases where the results are very sensitive to the inputs,
and place more trust in the calculated numbers than is warranted.
Slow recalculation can have even more pernicious effects. 10
seconds is too long to wait each time you make a change, so you
turn automatic recalculation off. You then make the changes you
want, and recalculate by hand. If you forget to recalculate, the
spreadsheet is in an inconsistent state and shows incorrect
results. Moreover, the automatic or manual recalculation setting in
Excel affects all spreadsheets, not only the one that was showing
when you changed the setting. So any other spreadsheets that you
use are likely to show inconsistent results too.
In most cases the use of some simple techniques can make all the
difference. I have speeded up macro execution from 15 minutes to 25
seconds, and recalculation time from 10 seconds to half a
second. In general, you want macros to take under a minute (with
some exceptions) and recalculation to take less than a second (with
If you’ve got some slow spreadsheets that you’d like speeded up, do
get in touch by replying to this email.
Further discussion of this issue can be found in my paper at
Other papers discussing various spreadsheet risks are at
3. Viruses and worms multiply
It just gets worse and worse. Both the Blaster worm and the Sobig.F
virus have been wreaking havoc over the last week or so. Then
there’s Nachi, which sort of fixes the Blaster problems but
introduces its own.
The following incidents have been reported:
– Defence contractor Lockheed Martin had less than 1 percent of its
systems infected, but still had disruptions.
– Railway and freight hauler CSX had to stop trains because of the
– Air Canada cancelled flights because its network couldn’t deal
with the amount of traffic generated by the Nachi worm.
– The Pentagon and US military had myriad infections of the Sobig.F
virus and the Nachi worm.
– Danish government ministries were forced to shut down their
machines after e-mails purporting to be from various government
ministers (including the grandmotherly agriculture minister)
promised “wicked screensavers” and “naughty movies” to
– The Norwegian government’s central e-mail server, labouring under
a backlog of half a million messages, was forced to shut.
– The entire information technology network of Swedish-Swiss
engineering group ABB was affected by a new variant of the
Some of the press coverage has implied that only home users were
affected. This just isn’t the case. The risks are real.
To me, one of the scary things about Sobig.F is that it relies on
users. Nothing happens if you don’t open the mail attachment.
Apparently the warnings about not opening unexpected attachments
just haven’t got through.
Another problem is that Sobig.F “spoofs” the from address of the
emails it sends out. This means that it pretends to come from
another address entirely, often one it has found in the address
book of the infected machine. Virus software on mail servers often
sends automatic emails to the senders of infected messages, warning
of the infection and suggesting they do something about it. When
the from address has been spoofed, these emails go to the wrong
place, thus adding to the confusion (as well as to the number of
emails caused by the virus).
And the sheer volume of emails is amazing. Email filtering
companies were reporting millions of infected messages a day
(literally: one reported 1 million and another 2.6 million, five
times the usual number). Another company reported an infection rate
of 1 in 17 messages, compared to 1 in 138 for the previous top
threat. America Online usually checks 11 million messages a day (it
only checks messages that have attachments). At the height of the
infection it checked 31 million messages in one day, 11.5
million of which were infected. By my reckoning, this implies that
8.5 messages were probably generated by virus detection
Further details at
4. FSA update
The FSA, HM Treasury and the Bank of England have published a guide
to the Financial Services Action Plan (FSAP). The FSAP consists of
a set of measures intended by 2005 to fill gaps and remove the
remaining barriers to a Single Market in financial services across
the EU as a whole. The guide is at
http://www.fsa.gov.uk/pubs/other/fsap_guide.pdf. From the
introduction: “The guide is intended to provide an introduction to
the FSAP for the UK financial sector, corporate sector and consumer
groups, where they are not yet sufficiently familiar with its
potential impact, rather than for experts.”
New consultation and discussion papers out this month:
CP191 Miscellaneous amendments to the Handbook (No. 9)
CP192 Further consultation on fees for mortgage firms and insurance
CP193 Professional Indemnity Insurance for personal investment
firms: proposed policy and rules
CP194 Amendments to the Training and Competence sourcebook:
including consultation on Competencies for Mortgage Advisers
DP22 Reducing money laundering risk – Know Your Customer and
anti-money laundering monitoring
Feedback published this month:
CP163 The UCITS Management Directive: Implementing the UCITS
Amending Directive (2001/107/EC) – Feedback on CP163 and made
CP168 Consolidated policy statement on our fee raising framework –
As at July 2003 (including feedback on CP168)
Current consultations, with dates by which responses should be
received by the FSA, are listed at
In July I attended the Fourth Annual Conference of the European
Spreadsheet Risks Interest Group, held in Dublin. It was a busy
couple of days, with many interesting papers. The participants were
a varied crowd, ranging from academics through consultants to
spreadsheet users. There were many good exchanges of views.
The keynote address was given by Dean Buckner of the FSA, who is
apparently quite worried about the way many firms are handling (or
not handling) the risks of end-user computing. A big problem is
that spreadsheets (and databases – a lot of use is made of Access)
are not taken seriously: “we’ll introduce a real system soon, so
it’s not worth worrying about the spreadsheets as they’ll just
disappear.” Well, they may or may not disappear in the future (my
guess is not), but they are here now and pose real risks. If you’d
like to know more, just get in touch by replying to this email.
If you are at all interested in spreadsheet risks you should sign
up for the EuSpRIG mailing list at
http://groups.yahoo.com/group/eusprig. It’s very low volume, and
you’ll be kept up to date on EuSpRIG and the next
conference. EuSpRIG’s site is at http://www.eusprig.org/, where you
can find a full report of the recent conference.
6. Newsletter information
This newsletter is issued approximately monthly by Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2003. All
rights reserved. You may distribute it in whole or in part as long
as this notice is included. To subscribe, email
firstname.lastname@example.org. To unsubscribe, email
email@example.com. All comments, feedback and other
queries to firstname.lastname@example.org. Archives at