Newsletter May 2006

News update 2006-05: May 2006

1. Software in ICAs
2. Spreadsheet compliance
3. Crying wolf
4. Accountability
5. Newsletter information

1. Software in ICAs

Over the last few years there have been some big changes in how
insurance companies are run, not the least of which has been the
introduction of ICAs, or Individual Capital Assessments. Insurance
companies now have to calculate the risk-based capital they believe
they need; the result of the calculation is used by the FSA in the
determination of the company’s ICG, or Individual Capital Guidance,
which is the level of capital that the FSA believes they need. The
ICA calculation is now a very important one to most insurance
companies, and is treated very seriously.

Each company approaches their ICA calculation in a slightly
different way, but the one thing that all the calculations have in
common is that they use end-user software: software such as
actuarial models and spreadsheets that is developed by the
end-user, rather than farmed out to the IT department. But what
software? And how is it being used?

That’s where you can help. If you are involved in producing an ICA
for an insurance company, whether it’s a life or non-life company,
whether you are running the whole ICA effort or are a cog (but
all cogs are vital) in a well-oiled machine, or anything in
between, please take part in my online survey. You’ll find it at, and it should
only take about 10 minutes of your time. All participants will
receive a full analysis of the results.

The survey looks at what software is being used, and, equally
importantly, the systems and controls that are in place around
it. The FSA has stressed that the systems and controls are
important: it’s no use simply producing a number and expecting it
to be believed, you’ve got to be able to give the reasons why other
people should have confidence in your results. Other people might
entertain doubts about their validity unless you can:

– demonstrate a full audit trail from data and parameters through
to the final results
– provide details of the tests and reviews that your models have
– demonstrate that the results come from the versions of your
models that have passed the tests and reviews
– provide clear documentation of your models, including the
assumptions on which they are based

I’ve written a brief paper on ‘How to believe your models’, which
is available at

The survey should provide some idea of the current levels of
systems and controls that are in place. If you take part, you’ll be
able to compare your standards with those of your peers
(anonymously, of course).

2. Spreadsheet compliance

I would not be at all surprised to learn that spreadsheets are used
in the preparation of every single ICA. In fact, I’d be interested
to hear of an ICA whose calculation didn’t involve a spreadsheet;
and if I was told of one, I’d want to trace all the calculations
through from start to finish before I believed it. There is no
doubt that spreadsheets are a vital tool in business today, and
that the most widely used spreadsheet is Microsoft’s Excel.

Over the years many people have pointed out that although Excel is
used for many mission critical applications, it is extremely
difficult to apply the same systems and controls to spreadsheets as
one would to more conventionally developed software. Of course,
Excel is by no means the only end-user software in this position.

However, it appears that the situation is going to change. There’s
a new version of Excel due out next year, and Microsoft have
recently issued a White Paper that discusses some of the new
features that it will contain. It is called “Spreadsheet Compliance
in the 2007 Microsoft Office System” and can be found at There’s a blog entry about
it at
The paper is definitely recommended reading. It’s good to see that
Microsoft are taking compliance issues seriously.

The paper, quite rightly, stresses the importance of having good
process in place. “One common misconception in organisations is
that spreadsheet compliance can be achieved through the use of
technology. While technology plays a role in any compliance
strategy, the most important component is process. Critical
spreadsheets and other enterprise IT resources require sound
development and usage practices that include controlled testing,
deployment, maintenance, and use.” Having said that, and after
describing some of the elements of a good process, it goes on to
describe new features in Excel and Office that will support a sound
process. To me, one of the most interesting is good support for
versioning. It will also be much easier to restrict the circulation
of spreadsheets, based on whether they have been approved for wider
use. There will be other new features within Excel that are
intended to make it easier to use consistent coding practices and
standards while developing and maintaining spreadsheets.

Obviously, it remains to be seen how easy it will be to make use
of all this new functionality in practice. And however easy it is,
there will have to be a willingness to use it if working practices
are to change. Moreover, given that there is still a significant
proportion of people using Excel 97, we have to wonder what the
take-up rate of Excel 2007 will be.

Brandon Weber of Microsoft will be giving a talk on some of the
issues and features discussed in the White Paper at the EuSpRIG
conference in Cambridge at the beginning of July. His talk fits in
nicely with the theme of this year’s conference, which is ‘Managing
Spreadsheets: Improving corporate performance, compliance and
governance’. Other topics covered by papers that will be presented
at the conference include:

– Assessing current spreadsheet use
– Risk and other classification systems
– Proving effectiveness
– Available control techniques
– Planning which kind of techniques fit which risks
– Maintaining integrity and compliance
– Discovering and promoting training resources and good practice

Full details of the conference, including a registration form, are
at Early registration
is advised, as accommodation in Cambridge is scarce and expensive at
that time of year.

Although the forthcoming enhancements to Excel are very welcome,
they are not here yet, and people are using Excel now, at this very
moment. Waiting until next year in order to implement basic systems
and controls is not an option. Some organisations are using Excel
competently, but many more are either complacent or compromised.
Which are you? Take a 30 second quiz to find out, at

3. Crying wolf

Every so often there’s a furore about cash machines charging people
to withdraw cash; popular opinion is pretty firm that they should
be free. According to a recent survey a surprising number of users
don’t realise that they’ve been charged a fee even when they’ve
been warned on the screen and have had to confirm their acceptance
of the charge — up to 15% of users.

But is it surprising? Often people are multi-tasking as they take
cash out: carrying on a conversation, chatting on their mobile, or
thinking about what they are going to do with the money. Besides,
many of the machines that charge are in pubs or clubs, so their
users aren’t necessarily on tip-top intellectual form. We all know
how easy it is to click on things on the screen without really
taking them in; it happens all the time with warning screens in
desktop applications. Are you sure you want to open rather than
save? Are you sure you want to delete this? It’s all too easy to
use the default options without thinking, and find that you have
overwritten a vital file or lost important information.

There isn’t really any reliable way of making sure that the user is
doing what they intend to. Thought reading would be nice, but just
isn’t possible. We have WYSIWYG (What You See Is What You Get)
interfaces, but DWIM (Do What I Mean) interfaces are still a long
way off. Good interface design is hard.

Many of the big computer error stories that make it through to the
headlines are actually stories about the risks of poorly designed
interfaces: ones that lack data validation, reasonableness checks,
or just make it too easy to do the wrong thing. But even well
designed interfaces aren’t going to eliminate all mistakes; all
they can do is reduce the risks. Too many warnings can be as
dangerous as too few.

Just to make the obvious point, interface design is important in
end-user computing, too. If someone else is going to use your
spreadsheet, have you made it obvious what information they should
enter? Is the information checked for reasonableness? Do you make
it hard for other users to overwrite vital calculations, or miss
important parameters? If you have a sneaking suspicion that your
spreadsheets or other user-developed applications could use some
improvement, please contact me either by replying to this email or
through my web site at

4. Accountability

Australian bank ANZ suffered a major credit card processing failure
earlier this year: 200,000 credit card holders were accidentally
charged twice. They refunded A$45 million to those who were
affected. Although there was some publicity, it’s unlikely that
their reputation will suffer unduly: none of the card holders in
question were their own customers. The problem affected only
non-ANZ cardholders using ANZ eftpos terminals. Transactions for
ANZ cardholders were handled by a different database, which was
operating normally.

A normal customer, paying by credit card in a shop, isn’t aware
who supplies the eftpos machine they are using. From their point of
view, they are dealing with the shop, or with their own credit card
issuer. When problems arise, those are the people who are going to
get the blame. Indeed, one report mentioned that many cardholders
were blaming the retailers — who of course had nothing to do with

It is often thought that one of the drivers for good customer
service is the reaction of customers: bad service will drive them
away. How does that work in a case like this? I think the pressure
is still there, but at second hand, and somewhat attenuated. It is
the retailers who are ANZ’s customers; it’s the retailers who got
bad feedback from the cardholders; and it will be the retailers who
vote with their feet, by changing to another bank for their eftpos
facilities. Of course it’s not as easy as all that to change, as
eftpos is just one among many services that small businesses get
from their banks. If the affected cardholders had been ANZ
customers directly, it’s likely that some of them would have
switched to different cards, which is altogether easier than a
retailer switching to another eftpos provider.

So, to some extent, the moral of the story, if you are in the
credit card business, is to make sure that any problems don’t
affect your own cardholders. Indeed, in this situation it’s
possible that some cardholders will change card issuers as a
result of this, even though it wasn’t their issuer that made the
mistake. Who knows, some of them may even change to ANZ.

5. Newsletter information

This is a monthly newsletter on risk management in financial
services, operational risk and user-developed software from Louise
Pryor. Copyright (c) Louise Pryor
2006. All rights reserved. You may distribute it in whole or in
part as long as this notice is included.

To subscribe, email news-subscribe AT To
unsubscribe, email news-unsubscribe AT Send all
comments, feedback and other queries to news-admin AT (Change ” AT ” to “@”). All comments will be
considered as publishable unless you state otherwise. The
newsletter is archived at