The Risk Factor

I often wonder why government officials think your private information is their private information.

A news item that appeared on the UK Register website reveals that the NHS appears to be planning to share patient information with the social services, education and police. The controversy about patient privacy in the age of electronic health records is not new in the UK, and has been simmering over the past couple of years. Patients who are worried about their privacy can opt-out: I suspect many more will decide to now.

Give government the capability to gather information, and it will.

A couple of years back, I wrote a story for IEEE Spectrum on Why Software Fails. I opened with the story that has been floating around the software business for the past twenty years about the disappearing warehouse. Well, yesterday I read a story in the Wall Street Journal about another "disappearing" warehouse - this time to help hide accounting fraud.

In another software burp reported last week, some Scotiabank customers in Vancouver, Canada were surprised to find that their pre-authorized payments had been withdrawn twice from their bank accounts.

I personally know the fun that can cause. Many years back, I tried to withdraw $50 at my local bank's ATM. I was informed that this wasn't possible, since my account was overdrawn by roughly $1.4 million. That was news to me. Since I discovered this on a Friday night, I had to stew on it until Monday morning.

A "small software problem" (the bank's terminology) caused my overdraft which in turn meant my pre-authorized payments (like my mortgage) weren't paid on time. It took a good long while to get this mess straightened out, especially with the credit scoring companies who saw that I had missed a whole bunch of payments. Try telling them that it was just a computer error. I stopped using pre-authorized payments after that little episode, as well as changed banks.

Anyway, what caught my eye in the article were some quotes allegedly made from a person at a local university who said that he "wasn't surprised to hear of a technical error with banking systems." Me either - been there.

This week two non-IT news items on what happens when you don't manage risk well appeared. The first was on the National Transportation Safety Board (NTSB) report of the collapse of the ceiling panels in Boston's Big Dig Tunnels that killed a woman. It seems that the epoxy glue holding the bolts that held up the concrete panels was of the wrong type.

The second was a report commissioned by the US Army Corps of Engineers on the decision making that led up to the failure of the levees in New Orleans. It seems that because of budget constraints and opposition of local leaders and environmental groups, that a great many decisions were made over time that incrementally increased the risks of the levees collapsing in a hurricane.

Government Computer News had a nice little story on the ethics of robot warriors a short time ago. It talked about the work of Georgia Institute of Technology’s Mobile Robot Laboratory professor Ronald Arkin and his attempts to define algorithms to define ethical behavior in machines that can follow norms like the Geneva Convention. This is from the abstract of his paper Governing Lethal Behavior: Embedding Ethics in a Hybrid Deliberative/Reactive Robot:

"This article provides the basis, motivation, theory, and design recommendations for the implementation of an ethical control and reasoning system potentially suitable for constraining lethal actions in an autonomous robotic system so that they fall within the bounds prescribed by the Laws of War and Rules of Engagement."

Dr. Arkin's 117-paper is a bit much to digest in one sitting, but I have taken a quick read and find it interesting in its approach and very thorough, at least from my perspective. In an AFP news story, Dr. Arkin is quoted last month as saying, "Robotics systems may have the potential to out-perform humans from a perspective of the laws of war and the rules of engagement," since with robots "there are no emotions that can cloud judgment, such as anger."

Arkin's work has direct relevance to another robot story in this week's London Telegraph and the aforementioned AFP story about University of Sheffield's Department of Computer Science professor Noel Sharkey's belief that the major powers are "sleepwalking" into an international robot arms race, and predicted "that it is only a matter of time before robots become a standard terrorist weapon, replacing suicide bombers."

This latter theme was reiterated by others at the UK robotics conference titled The Ethics of Autonomous Military Systems where Sharkey spoke. For instance, UK Rear Adm. Chris Parry spoke about the terrorists using remotely piloted planes as weapons such as Hezbollah's use of pilotless aircraft against Israel in 2006.

BTW, I wrote some about the US military's planned use of UAVs for warfare in the November 2007 issue of Spectrum article. As I wrote, "Back in 2001, Congress mandated, as part of the National Defense Authorization Act, that by 2010, one-third of the operating deep-strike aircraft of the Armed Forces are unmanned, and by 2015, one-third of the operational ground combat vehicles are unmanned.” Currently, there are approximately 4,000 robots and 1,000 UAVs of varying types being used in Iraq and Afghanistan by US forces.

This morning's Financial Times of London (subscription may be required) has two interesting stories (here and here) about a software coding error that is causing some turmoil both within the rating company Moody's and the financial markets. Look for this story to have some long legs.

According to an investigation conducted by the FT:

"Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models... "

The debt product goes by the name Constant Proportion Debt Obligations or more commonly CPDOs.

The FT goes on: "Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower."

"... While coding errors do occur there is no record of one being so significant."

When Moody's gave their AAA rating on CPDOs last year, many analysts thought the rating was too good to be true. Seems it was.

What makes this story even more interesting is the implication that Moody's wasn't exactly forthcoming in acknowledging its software error after it was found and may have even tried to hide it. The FT article states that:

"On discovering the error early in 2007, Moody’s corrected the coding glitch and instituted methodology changes. One document seen by the FT says 'the impact of our code issue after those improvements in the model is then reduced'. The products remained triple A until January this year when, amid general market declines, they were downgraded several notches."

Moody's responded to the FT article this way: "Moody’s regularly changes its analytical models and enhances its methodologies for a variety of reasons, including to reflect changing credit conditions and outlooks. In addition, Moody’s has adjusted its analytical models on the infrequent occasions that errors have been detected."

“However, it would be inconsistent with Moody’s analytical standards and company policies to change methodologies in an effort to mask errors. The integrity of our ratings and rating methodologies is extremely important to us, and we take seriously the questions raised about European CPDOs. We are therefore conducting a thorough review of this matter.”

In other words, Moody's really, really, really hopes that the decisions to change the rating methodology and the fixes to the coding problem were taken independently, but if they weren't, its reputation is likely going to take a very, very big hit, on top of its rather undistinguished showing in the sub-prime and credit debacle. Earlier this month, Moody's President and COO "decided" to retire, which was seen by financial observers as an admission that the company performed poorly last year in assessing risk.

This fall-out from this small coding error should be be entertaining to watch. Reminds me a little in terms of both cause and impact of the AT&T switch software problem of 1990.

The credit rating agency Moody's announced yesterday that "following a comprehensive review of its ratings process for European constant-proportion debt obligations (CPDO), it has initiated employee disciplinary proceedings and accelerated measures to strengthen its rating and monitoring processes."

The disciplinary action was taken in the wake of a computer error in its models used to assess the risk in CPDO's that led to about $1 billion worth of the securities to be incorrectly rated.

Moody's says that its investigation showed that "its personnel did not make changes to the methodology for rating European CPDOs to mask any model error."

However, Moody's personnel did violate the Moody's Code of Professional Conduct, which says that " a committee may consider only credit factors relevant to the credit assessment and may not consider the potential impact on Moody's, or on an issuer, an investor or other market participant."

In essence, once the computer error was discovered, it wasn't immediately disclosed as required - people kept quiet as a means to try to mitigate the possible consequences (reputation, financial, etc.) to Moody's and maybe themselves.

There is a very interesting story today in the Financial Times of London (which broke the original story in May), about how financial instruments like CPDOs "are so fiendishly complex that they can only be valued with the help of a computer - or in some cases, several computers running a programme over the course of several days."

The story goes on, "In some ways, this shift has been a boon for the agencies such as Moody's. It has meant that most asset managers have been unable to work out the value of instruments such as CPDOs by themselves - forcing them to rely on the ratings agencies' models for guidance. Indeed, even among the investment banks there has been a growing tendency to use rating agency models, at least for preliminary product design."

However, the story notes:

"In other ways, this increased trend towards complexity - and model usage - has also turned into a rating agency curse. For as investment banks have competed furiously with each other to push more products out into the market, groups such as Moody's have faced pressure to produce more and more ratings - placing their own models under growing levels of stress."

Finally, the Times story goes on to say that, "the CPDO incident may now leave investors, issuers and regulators asking new questions about the reliability of all the other complex computer models being used to rate other financial instruments. And that, in turn, leaves the financial world in a subtle trap. Nobody can see any alternative to using models, given how complex products have become; however, trust in these models is far from high."