Spreadsheet Risks

As a small business owner, I spend more time with spreadsheets than I might otherwise like. It's always seemed to me that spreadsheets were one of those ubiquitous things on which people literally bet the company, yet which are hacked up by folks who are amateur programmers. They may have vast financial experience, but they are still amateurs at programming. Apparently I'm not the only one who has this feeling. I was delighted to discover, via RISKS-Digest, EUSPRIG, the European Spreadsheet Risks Interest Group. "EuSpRIG is an interest group of academia and industry promoting research regarding the extent and nature of spreadsheet risks, methods of prevention and detection of errors and methods of limiting damage. We bring together researchers and professionals in the areas of business, software engineering and audit to actively seek useful solutions." The downloads section of their page contains some very good papers on best practices in spreadsheet creation and evaluation, as well as case studies on spreadsheet use in various organizations. They have been running a peer-reviewed conference for a number of years, and have done a great deal of research in this area. I'm especially enjoying their paper on best practices for avoiding spreadsheet errors and mis-modeling entitled "How do you know your spreadsheet is right?". For some scarier light reading, check out their archive of news stories about the costs of spreadsheet errors. The current 'winner' is a 2003 gaffe by TransAlta, a cut-and-paste error that led the company to bid for contracts that were higher than they really wanted to pay. The end result was a needless $24M USD charge against earnings. Ouch. For my compatriots in systems administration who are struggling with Sarbanes-Oxley compliance, EUSPRIG's 2005 conference was largely focused on managing spreadsheet risk in a SOX context.