News update 2006-08: August 2006
===================
Contents:
1. Whose risk is it anyway?
2. Replacing spreadsheets to reduce risk
3. Preaching to the converted
4. It’s everywhere
5. Newsletter information
===============
1. Whose risk is it anyway?
There’s been a fair amount of press coverage recently about Dell laptop
batteries bursting into flames. There are even video clips on the web,
to convince us that it really is happening. Spontaneous ignition is
clearly undesirable behaviour as far as batteries are concerned, and
Dell now has a product recall in place. Apparently it’s the largest
computer product recall ever.
http://www.dellbatteryprogram.com/
http://www.gizmodo.com/gadgets/dell/dell-laptop-explodes-in-flames-182257.php
Like many manufacturers, Dell outsources the production of many
components, and it’s actually Sony that made the batteries in question.
Sony also supply batteries for a number of other makes of computer, but
so far only Apple have issued a recall. So, either the fault was
confined to batteries destined for Dell or Apple machines, or there are
a whole lot of other computers out there that might burst into flames.
In fact, there are going to be a whole lot of computers out there that
might burst into flames anyway, as it seems unlikely that all the owners
of machines that are affected will actually replace their batteries.
So, who’s bearing the risk? Or, possibly more importantly, who’s
suffering the consequences?
Dell, Apple and Sony are clearly suffering at least some consequences. A
product recall on this scale costs money, and there’s the damage to
reputation, too. It appears that much of the monetary cost will be borne
by Sony, while Dell and Apple will take most of the reputational hit.
However, it’s widely thought that by acting promptly, and acknowledging
that the problem exists, the reputational damage has been minimised.
It could be argued, though, that the recall is unnecessary. Nobody has
been killed, and it seems that there have been about 10 or 15 incidents,
out of nearly 2 million batteries. Many everyday dangers associated
with daily activities are much more likely. On this view, the
only rational reason for the product recall is to limit the reputational
risk.
http://catless.ncl.ac.uk/Risks/24.40.html#subj8.1
What this means is that Sony is paying the price of protecting Dell’s
and Apple’s reputations. This is an interesting twist on what is usually
thought to be the situation with outsourcing. The standard line goes
that it’s often the outsourcer who has to carry the can when something
goes wrong at the supplier’s end. In this case, it could be argued that
the supplier is carrying the can to protect the outsourcer.
===============
2. Replacing spreadsheets to reduce risk
“Australian Pharmaceutical Industries revealed yesterday that it had
lost $17 million – and a managing director – but was unable or unwilling
to discuss the details behind either.” That’s the start of a report in
The Australian, which explains that API found unreconcilable
discrepancies between their three computer systems. They’ve apparently
been integrating the three systems over the last three years.
http://neafilah.notlong.com
The same issue of The Australian contained a feature article on how API
successfully moved from spreadsheets to a specialist tool. Previously,
there had been one system running sub-ledgers, another running the
general ledger system, and spreadsheets were used for budgeting and
performance reporting. “The spreadsheets were difficult and very
labour-intensive and slow to respond to change.” Doug Horwood, the
information management leader, went on to say, about using the new tool,
“We got the core budget information entered and were able to do
bottom-up and top-down adjustments, and the aggregation of all the
different cost centres literally turned into minutes rather than the six
to 12 hours it used to take. It was also fraught with the possibility of
manual error in the processing.”
http://jinrotea.notlong.com
So, the new system improved things as far as budgeting was concerned,
but was apparently not an improvement on the financial reporting front.
Horwood had some interesting things to say about their previous use of
spreadsheets. “In the past it was such a horrendous job to change all
the spreadsheets, that in effect we only ever adjusted the budget at a
very high level.” Spreadsheets are usually thought of as being extremely
flexible; one of the advantages touted for their use is that they are so
easy to change. This is certainly true of individual spreadsheets, but,
as Horwood realised, is rarely true of whole systems built out of
spreadsheets communicating with each other. The trouble is that it’s
very difficult to make nice abstract interfaces between spreadsheets
that are independent of the details of the internal workings.
Spreadsheets were designed as personal productivity applications, and
although they are often used for enterprise level systems it’s very hard
to make them really work well in that context.
If you are using large systems built from spreadsheets, and rely on them
for mission-critical reporting or modelling, you should make sure that
you are aware of the risks. Have you thought about whether spreadsheets
are really the appropriate technology? Have you reviewed the spreadsheet
techniques that you are using, to make sure that you are managing the
risks effectively? And do you have good systems and controls around the
development and use of the spreadsheets? If you’d like to know how I
could help you answer these questions, and more like them, please get in
touch either by replying to this email, or contacting me through my web
site.
===============
3. Preaching to the converted
We are always being told how important it is to make sure that we
protect our computers from viruses, spyware, and other nasties. “You
must have anti-virus software!” “You must have a firewall!” It’s all
true, of course, but what happens when the software doesn’t work? Or
when it works wrong?
One of the most useful characteristics of security software is that you
should be able to trust it. In particular, you don’t want it to start
removing perfectly harmless, but very useful, programs that you have
installed on your computer. Many Church of England clergy had a nasty
shock earlier this month when Symantec’s Norton Antivirus software
wrongly identified an innocent file as a piece of spyware. The software
prompted them to remove the file, which was in fact a vital component of
Visual Liturgy, an application that is used to choose services, plan
Bible readings and create booklets.
http://news.zdnet.co.uk/internet/security/0,39020375,39280391,00.htm
http://vislit.com/articles/060804norton.html
The vendors of Visual Liturgy advised their users to ignore the Norton
warning, so that they could continue to use Visual Liturgy. Meanwhile,
they tried to contact Symantec to get the Norton program fixed. There is
some disagreement about how effective this was, but eventually
everything was sorted out.
Of course, it’s not unusual for there to be errors in computer programs,
and however careful Symantec is to test and review the Norton program
they can never be sure that a bug won’t slip through. Moreover, Symantec
can hardly be expected to test it against every single piece of
legitimate software available on the planet.
However, there are now many users who may not trust Norton warnings in
future, and who will be very wary of deleting files just because Norton
tells them to. So the overall effect is probably to decrease computer
security.
===============
4. It’s everywhere
Google is starting to reach the parts that only that other software
giant, Microsoft, can reach. As well as providing web-based searching
services, and desktop tools, they are now providing web-based tools,
including a spreadsheet and word processor. Soon, you’ll be able to use
Google to do just about everything you need to do on a computer. Or, at
least, that’s the impression Google would probably like to give. The
latest offering is a service providing corporate email, instant
messaging, calendar and web page creation. “Google Apps for Your Domain
lets you offer our communication and collaboration tools to your entire
organization – customizable with your branding, color scheme and content
through the administrative control panel, and with no hardware or
software to install or maintain.”
https://www.google.com/a/
It’ll be interesting to see whether this takes off. It’s only in beta at
the moment, is free, and isn’t available to everybody. Presumably they
won’t accept any large organisations until they’ve got the premium (i.e.
paying) service up and running.
One of the big issues, both with Google Apps and with other tools, is
that of privacy. Should organisations be wary of storing confidential
information on Google’s servers? Or using Google desktop tools on
machines that might have access to confidential information? This is
probably a judgement call that has to be made by each organisation for
itself. Google have privacy policies, obviously, but organisations will
have to decide whether they are adequate, whether they trust Google to
abide by them, and whether they trust Google not to change them in the
future.
As with the Google spreadsheet, the real market might be not in web
based applications, but in applications for the intranet. If that
happens with Google Apps, Google really will be going head to head with
Microsoft on its home turf.
===============
5. Newsletter information
This is a monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2006. All
rights reserved. You may distribute it in whole or in part as long as
this notice is included.
To subscribe, email news-subscribe AT louisepryor.com. To unsubscribe,
email news-unsubscribe AT louisepryor.com. Send all comments, feedback
and other queries to news-admin AT louisepryor.com. (Change “ AT ” to
“@”). All comments will be considered as publishable unless you state
otherwise. The newsletter is archived at
http://www.louisepryor.com/newsArchive.do.