News update 2006-09: September 2006
===================
Contents:
1. Shock horror spreadsheet risk!
2. Are you aligned?
3. Whose risk is it again?
4. Newsletter information
===============
1. Shock horror spreadsheet risk!
There’s been some coverage recently about how spreadsheets can pose
a security risk. Apparently spreadsheets are widely used to analyse
corporate data, and the systems and controls around them are not as
highly developed as they are around more conventional enterprise
systems. Well, who would have thunk it?
http://naplogis.notlong.com
Security risk, check. Calculation risk, check. Data risk, check.
It’s entirely possible that a spreadsheet could use the wrong data
to perform the wrong calculation, the results of which would then
get into the wrong hands. Moreover, even if it doesn’t get into the
wrong hands, but just does everything else wrong, it’s most
unlikely to be clear to anybody just what exactly it _is_ doing.
At last week’s GIRO conference in Vienna, Caroline Butler-Yeats
gave us a very interesting talk on risk management issues for GI
actuaries. (GI means General Insurance in this context). She was
telling us what to do to make sure that we aren’t sued, or found
professionally negligent. She said that one of the main principles
was that we should be able to demonstrate to other people that what
we had done was reasonable, and that many of the spreadsheets she
sees in the course of her work do absolutely nothing to help her
clients (she’s a solicitor working in the area of PI). She used the
word “spaghetti” to describe some of the sets of spreadsheets she
has encountered.
It’s not going too far to say that some or even many of the
spreadsheets commonly used by actuaries are unprofessional. And all
the evidence shows that actuaries are using a lot of spreadsheets,
as two recent surveys demonstrate.
The first was conducted by the GIRO working party on software use
in general insurance, which I chaired. There were over 700
responses, from all over the world, and although there were no big
surprises there were some interesting results. Possibly the most
worrying issue to emerge was the lack of awareness of the
limitations of Excel; there are many actuarial users who don’t seem
to know that its statistical functions are unreliable, especially
in the tails of distributions.
http://www.louisepryor.com/papers/ActuariesExcel.pdf
The second survey was one that I conducted on the use of software
in ICAs. This was much smaller, with 45 respondents, and covered
both life and general insurance. It looked especially at the
systems and controls around software use. There was general
agreement that the systems and controls around spreadsheets are not
up to the standards of those around other user developed software,
such as actuarial models.
http://www.louisepryor.com/papers/SurveyResults.pdf
This is definitely worrying, especially in the light of the FSA’s
emphasis that the same standards should apply to spreadsheets as to
other software.
If you need help with your spreadsheets or other user developed
software, just let me know. I can advise you on systems and
controls, review current practice, and recommend development
processes for better risk management and productivity.
===============
2. Are you aligned?
We all know that there are security holes in computer software, and
that we rely on the manufacturers to issue patches. Most obviously,
Microsoft issues patches on a regular basis. Microsoft is
especially important in this context as so many people use their
products: if something goes wrong, the number of people likely to
be affected is enormous. Of course, this also explains why so many
viruses, worms, and other nasties are aimed at Microsoft products.
It’s widely known as the “mono-culture” problem.
So, there are risks attached to using software. And it’s in the
users’ interests for software manufacturers to issue patches. But
is it in the manufacturers’ interests?
In many ways, the answer is “No.” If you issue a patch, you are
publicly admitting that there is something wrong with your product,
so it doesn’t do your reputation much good. You have to develop,
test and distribute the patch. There’s a chance that the patch
won’t work, which will annoy the users even more. On the other
hand, users are going to get annoyed if you don’t issue a patch and
they fall victim to some sort of malware attack. If you’re a
software manufacturer, it’s a tricky line to tread. That’s why
Microsoft issues patches monthly, rather than as soon as a problem
is discovered. Even if there’s a serious security hole, it’s most
unusual for it to be patched outside the regular monthly cycle.
On the other hand, if there’s a problem in a piece of software that
could lead directly to the manufacturer losing money, they are
likely to react pretty quickly. Recently, a hacker developed a way
of getting round the copy protection in Microsoft’s digital rights
management (DRM) software. This isn’t going to bother most users in
the slightest (rather the opposite, if anything), but it certainly
bothered Microsoft. A patch was issued three days after the hack
was discovered. Another hack was developed to circumvent the patch,
of course: I’m not sure what the current state of play is.
http://news.zdnet.co.uk/software/windows/0,39020396,39282692,00.htm
The lesson is that if you rely on other people’s behaviour to keep
your risks under control, you’d better make sure that their
interests are aligned with yours. This applies at all levels, from
suppliers and outsourcers to other departments and colleagues.
===============
3. Whose risk is it again?
Last month I commented on the laptop battery saga, saying that it
seemed that Sony was picking up the bill for the risk to the
reputation of Dell and Macintosh. A reader commented that “Dell and
Apple are simply enforcing the contract that they have with Sony.
Clearly Sony did not provide goods of satisfactory standard, and
must pay any remedial costs with making good their failure.” Well,
yes, but… The “but” in this case is in the definition of failure.
Failure is defined in such a way as to protect the reputation of
the outsourcer, which of course is absolutely the right thing to
do, from the perspective of the outsourcer.
In the last few weeks the saga has continued. There’s a recall out
on some Toshiba batteries manufactured by Sony, although Toshiba
has said that it’s not related to the Dell and Apple recalls.
Although the batteries might fail, there is no risk of fire,
apparently. The numbers involved are pretty small: 340,000
batteries are affected, compared to nearly 6 million Dell and Apple
batteries.
http://www.reghardware.co.uk/2006/09/19/toshiba_notebook_battery_recall/
http://news.zdnet.co.uk/hardware/mobile/0,39020360,39283432,00.htm
Then just last week a recall was issued on half a million Sony
batteries used in ThinkPad laptops. One of them burst into fire at
LA airport, “causing enough smoke and sparking that a fire
extinguisher was used to put it out,” according to the US Consumer
Product Safety Commission. If this goes on it’ll only be a matter
of time before one ignites actually on an aeroplane, instead of
just on its way onto one. Sony is now starting a replacement
programme for laptop batteries that meet certain manufacturing
criteria, regardless of the laptops that they are used in.
http://cohyotea.notlong.com
Earlier in the month Matsushita (makers of Panasonic laptops)
recalled 6,000 batteries that might overheat if they are dropped
repeatedly. These batteries are not made by Sony.
http://news.zdnet.co.uk/hardware/0,39020351,39282681,00.htm
Over the past few years, we’ve also seen battery problems with
cameras and mobile phones. Some of these problems probably occur
because the limits of battery technology are being pushed.
Batteries have got much smaller and lighter over the last few
years, and last longer before needing to be recharged. (Of course,
much of the improvement is due to reduced power consumption by the
appliances that the batteries power.)
However, apparently some computers use Lithium-ion batteries
outside their design envelope. The recharging cycle is much faster
than usual. When the batteries are exposed to rapid charging, it is
possible for metal fragments to be formed. The fragments can then
cause major short circuits and thus over-heating. This is why it’s
not cut and dried that Sony will have to cover the whole cost of
the recall. Sony is also saying that the risk of fire “can be
affected by variations in the system configurations found in
different notebook computers.” Apparently Sony engineers haven’t
been able to reproduce the battery failures, lending credence to
the view that the way the batteries are being used may be at least
partly at fault.
http://catless.ncl.ac.uk/Risks/24.41.html#subj10.1
http://cohyotea.notlong.com
All this just goes to show the importance of getting outsourcing
agreements right, from both sides. It now looks as if Sony’s
reputation may be suffering because of the actions of the laptop
manufacturers, rather than vice versa.
===============
4. Newsletter information
This is a monthly newsletter on risk management in financial services,
operational risk and user-developed software from Louise Pryor
(http://www.louisepryor.com). Copyright (c) Louise Pryor 2006. All
rights reserved. You may distribute it in whole or in part as long as
this notice is included.
To subscribe, email news-subscribe AT louisepryor.com. To unsubscribe,
email news-unsubscribe AT louisepryor.com. Send all comments, feedback
and other queries to news-admin AT louisepryor.com. (Change “ AT ” to
“@”.) All comments will be considered as publishable unless you state
otherwise. The newsletter is archived at
http://www.louisepryor.com/newsArchive.do.