This series of articles will give you an overview of how to manage spreadsheet risk. These articles are written by Myles Arnott from Excel Audit
- Part 1: An Introduction to managing spreadsheet risk
- Part 2: How companies can manage their spreadsheet risk
- Part 3: Excel’s auditing functions
- Part 4: Using external software packages to manage your spreadsheet risk
In the first article in this series we highlighted the risks that poorly managed spreadsheet solutions can introduce to a business. In this article we will demonstrate how companies can manage this risk.
A formal governance framework
The first, and arguably most important step is to ensure that the senior management team buy into the need for a robust spreadsheet risk management framework, and that they define and effectively communicate their spreadsheet risk management policy.
Spreadsheets identified and catalogued
It is impossible to know the level of spreadsheet risk in an organization without first identifying and then risk assessing all of the spreadsheets. It is therefore necessary to create a catalog of all of the spreadsheets and then to gather the key information about each spreadsheet to enable a risk assessment to be carried out.
The two key factors for determining the spreadsheet risk are the probability of there being an error and the impact that that error could have.
Risk = Probability of an error X impact if an error were to occur
The probability of error is related to the complexity of the spreadsheet. Complexity attributes differ across companies but include:
- Spreadsheet size (Mbs)
- Spreadsheet design (hard coded numbers in formulae, poor model structuring etc)
- The number of users
- The use of complex formulae (particularly array formulae, nested formulae etc)
- The number of cells populated
- The number of internal and external links
- The use of VBA
The impact of the error is related to how critical the spreadsheet is within the business. Each company will have a slightly different definition of the impact levels of spreadsheets, but generally:
- A spreadsheet is low impact if it is not used as part of a critical business process and an error would not have a material impact on the business.
- A spreadsheet is medium impact if it contains confidential information and an error could have a material impact on the business.
- A spreadsheet is high impact if it contains highly confidential information and an error would have a significant impact on the business. Spreadsheets used within processes that fall under external regulation (such as Sarbanes-Oxley and Solvency II) are deemed to be of high impact.
Finally, the spreadsheets should be placed in order of risk. Those identified as business critical and high risk should be prioritized for detailed review and placed under control.
This is clearly an on-going process. As new spreadsheets are developed they will need to pass through the risk assessment process as defined by the company’s spreadsheet risk management policy. A periodic review should also be carried out to ensure that all spreadsheets have been correctly categorized.
A best practice standard
The company should define its own best practice spreadsheet development standard that is applied to spreadsheets deemed to be medium or high impact. The standard should clearly outline the standards and conventions to which a spreadsheet should be built. New developments can then be reviewed to ensure that they adhere to the standard.
We advocate the use of the Excel Best Practice Standard from the Spreadsheet Standards Review Board (‘SSRB’).
We also recommend that tailored schedules are added to the standard to reflect your specific design standards. For example this could be a specific color scheme, use of logo or the use of specific text within the header or footer (e.g. document security levels).
Testing
A fundamental, but often overlooked step in the Excel model development cycle is testing. All spreadsheets (but especially business critical spreadsheets) need to be first peer reviewed and then rigorously tested.
It helps to consider the steps that an IT department would take to ensure that something they deliver is correct. It will pass through stages of unit and system testing prior to quality assurance and finally user acceptance testing. So why should a spreadsheet being used for a critical process be any different?
The fact is that no matter how hard we try, humans make errors. The purpose of testing is to identify them and get them resolved before the model goes into the live environment.
Remember that in the first article we highlighted the fact that 94% of spreadsheets and 5% of all formulae within spreadsheets contain errors.
Here is Scott Adams’ view on spreadsheet testing in Dilbert
Training
All staff should be trained so that they have sufficient Excel knowledge for their role and to use the spreadsheets that they are responsible for. As part of the induction process all staff should also be taught the company’s best practice standard.
Whilst this sounds obvious, research has shown that few companies prioritize investment in spreadsheet training.
Documentation
A key risk with spreadsheets is that they are often built and used by one individual within a team (often referred to as a “key man dependency”). If this person is ill or leaves unexpectedly the other members are totally reliant on the documentation left behind. From experience this rarely exists.
Each spreadsheet that is used within a process should as a bare minimum have documentation stating:
- the purpose of the spreadsheet;
- how the spreadsheet fits within the process;
- the source of all inputs for the spreadsheet;
- all key assumptions and drivers;
- key calculations;
- distribution list for outputs.
Spreadsheets that are part of as critical business process should have detailed documentation. This should include a technical specification and user notes.
Security
All business critical and confidential spreadsheets should be subject to access control. Security controls can be implemented across three levels:
- Directory level: Only specific individuals have access to key directories
- File level: Confidential and critical spreadsheets should be password protected to restrict access
- Cell level: Non-input cells should be password protected
Change control, backups and archives
To minimize the risk of losing the current version of a spreadsheet and ensuring that the correct version is being used at all times, all business critical spreadsheets should be backed up, archived and subject to change control procedures.
So, in summary..,
the characteristics of a well-managed environment are:
- a formal governance framework, sponsored by the senior management team, is in place for all spreadsheet development;
- a catalog of spreadsheets is maintained and prioritized by risk profile;
- a best practice standard is applied to the development of all new spreadsheets;
- all new spreadsheets pass through a formal risk assessment, are peer reviewed and formally tested;
- staff are provided with sufficient training to carry out their roles;
- all spreadsheets and their associated processes are well documented;
- access to critical spreadsheets is subject to security controls;
- spreadsheets are subject to change control and are regularly backed up and archived.
What next?
In the next article we will look at the built in Excel functions that can help you to manage spreadsheet risk.
What about you?
How do you (or your company) manage spreadsheet risk? What best practices & guidelines you follow? Please share using comments.
Thank you Myles
Many thanks to Myles for writing this series. Your experience in this area is invaluable. If you enjoy this series, drop a note of thanks to Myles thru comments. You can also reach him at Excel Audit or his linkedin profile.
20 Responses to “Simulating Dice throws – the correct way to do it in excel”
You have an interesting point, but the bell curve theory is nonsense. Certainly it is not what you would want, even if it were true.
Alpha Bravo - Although not a distribution curve in the strict sense, is does reflect the actual results of throwing two physical dice.
And reflects the following . .
There is 1 way of throwing a total of 2
There are 2 ways of throwing a total of 3
There are 3 ways of throwing a total of 4
There are 4 ways of throwing a total of 5
There are 5 ways of throwing a total of 6
There are 6 ways of throwing a total of 7
There are 5 ways of throwing a total of 8
There are 4 ways of throwing a total of 9
There are 3 ways of throwing a total of 10
There are 2 ways of throwing a total of 11
There is 1 way of throwing a total of 12
@alpha bravo ... welcome... 🙂
either your comment or your dice is loaded 😉
I am afraid the distribution shown in the right graph is what you get when you throw a pair of dice in real world. As Karl already explained, it is not random behavior you see when you try to combine 2 random events (individual dice throws), but more of order due to how things work.
@Karl, thanks 🙂
When simulating a coin toss, the ROUND function you used is appropriate. However, your die simulation formula should use INT instead of ROUND:
=INT(RAND()*6)+1
Otherwise, the rounding causes half of each number's predictions to be applied to the next higher number. Also, you'd get a count for 7, which isn't possible in a die.
To illustrate, I set up 1200 trials of each formula in a worksheet and counted the results. The image here shows the table and a histogram of results:
http://peltiertech.com/WordPress/wp-content/img200808/RandonDieTrials.png
@Jon: thanks for pointing this out. You are absolutely right. INT() is what I should I have used instead of ROUND() as it reduces the possibility of having either 1 or 6 by almost half that of having other numbers.
this is such a good thing to learn, helps me a lot in my future simulations.
Btw, the actual graphs I have shown were plotted based on randbetween() and not from rand()*6, so they still hold good.
Updating the post to include your comments as it helps everyone to know this.
By the way, the distribution is not a Gaussian distribution, as Karl points out. However, when you add the simulations of many dice together (i.e., ten throws), the overall results will approximate a Gaussian distribution. If my feeble memory serves me, this is the Central Limit Theorem.
@Jon, that is right, you have to nearly throw infinite number of dice and add their face counts to get a perfect bell curve or Gaussian distribution, but as the central limit theorem suggests, our curve should roughly look like a bell curve... 🙂
[...] posts on games & excel that you may enjoy: Simulating Dice throws in Excel Generate and Print Bingo / Housie tickets using this excel Understanding Monopoly Board [...]
[...] Correct way to simulate dice throws in excel [...]
[...] Simulate dice throws in excel [...]
I'm afraid to say that this is a badly stated and ambiguous post, which is likely to cause errors and misunderstanding.
Aside from the initial use of round() instead of int(),.. (you've since corrected), you made several crucial mistakes by not accurately and unambiguously stating the details.
Firstly, you said:
"this little function generates a random fraction between 0 and 1"
Correctly stated this should be:
"this little function generates a random fraction F where 0 <= F < 1".
Secondly, I guess because you were a little fuzzy about the exact range of values returned by rand(), you have then been just as ambiguous in stating:
"I usually write int(rand()*12)+1 if I need a random number between 0 to 12".
(that implies 13 integers, not 12)
Your formula, does not return 13 integers between 0 to 12.
It returns 12 integers between 1 and 12 (inclusive).
-- As rand() returns a random fraction F where 0 <= F < 1, you can obviously can only get integers between 1 and 12 (inclusive) from your formula as stated above, but clearly not zero.
If you had said either:
"I usually write int(rand()*12) if I need a random number between 0 to 11 (inclusive)",
or:
"I usually write int(rand()*12)+1 if I need a random number between 1 to 12 (inclusive)"
then you would have been correct.
Unfortunately, you FAIL! -- repeat 5th grade please!
Your Fifth Grade Maths Teacher
Idk if I'm on the right forum for this or how soon one can reply, but I'm working on a test using Excel and I have a table set up to get all my answers from BUT I need to generate 10,000 answers from this one table. Every time, I try to do this I get 10,000 duplicate answers. I know there has to be some simple command I have left out or not used at all, any help would be extremely helpful! (And I already have the dice figured out lol)
Roll 4Dice with 20Sides (4D20) if the total < 20 add the sum of a rerolled 2D20. What is the average total over 10,000 turns? (Short and sweet)
Like I said when I try to simulate 10,000turns I just get "67" 10,000times -_- help please! 😀
@Justin
This is a good example to use for basic simulation
have a look at the file I have posted at:
https://rapidshare.com/files/1257689536/4_Dice.xlsx
It uses a variable size dice which you set
Has 4 Dice
Throws them 10,000 times
If Total per roll < 20 uses the sum of 2 extra dice Adds up the scores Averages the results You can read more about how it was constructed by reading this post: http://chandoo.org/wp/2010/05/06/data-tables-monte-carlo-simulations-in-excel-a-comprehensive-guide/
Oh derp, i fell for this trap too, thinking i was makeing a good dice roll simulation.. instead of just got an average of everything 😛
Noteably This dice trow simulate page is kinda important, as most roleplay dice games were hard.. i mean, a crit failure or crit hit (rolling double 1's or double 6's) in a a game for example dungeons and dragons, if you dont do the roll each induvidual dice, then theres a higher chance of scoreing a crit hit or a crit failure on attacking..
I've been working on this for awhile. So here's a few issues I've come across and solved.
#1. round() does work, but you add 0.5 as the constant, not 1.
trunc() and int() give you the same distributions as round() when you use the constant 1, so among the three functions they are all equally fair as long as you remember what you're doing when you use one rather than the other. I've proven it with a rough mathematical proof -- I say rough only because I'm not a proper mathematician.
In short, depending on the function (s is the number of sides, and R stands in for RAND() ):
round(f), where f = sR + 0.5
trunc(f), where f = sR + 1
int(f), where f = sR + 1
will all give you the same distribution, meaning that between the three functions they are fair and none favors something more than the others. However...
#2. None of the above gets you around the uneven distribution of possible outcomes of primes not found in the factorization of the base being used (base-10, since we're using decimal; and the prime factorization of 10 is 2 and 5).
With a 10-sided die, where your equation would be
=ROUND(6*RAND()+0.5)
Your distribution of possible values is even across all ten possibilities.
However, if you use the most basic die, a 6-sided die, the distributions favor some rolls over others. Let's assume your random number can only generate down to the thousandths (0.000 ? R ? 0.999). The distribution of possible outcomes of your function are:
1: 167
2: 167
3: 166
4: 167
5: 167
6: 166
So 4 and 6 are always under-represented in the distribution by 1 less than their compatriots. This is true no matter how many decimals you allow, though the distribution gets closer and closer to equal the further towards infinite decimal places you go.
This carries over to all die whose numbers of sides do not factor down to a prime factorization of some exponential values of 2 and 5.
So, then, how can we fix this one, tiny issue in a practical manner that doesn't make our heads hurt or put unnecessary strain on the computer?
Real quick addendum to the above:
Obviously when I put the equation after the example of the 10-sided die, I meant to put a 10*RAND() instead of a 6*RAND(). Oops!
Also, where I have 0.000 ? R ? 0.999, the ?'s are supposed to be less-than-or-equal-to signs but the comments didn't like that. Oh well.
How do you keep adding up the total? I would like to have a cell which keeps adding up the total sum of the two dices, even after a new number is generated in the cells when you refresh or generate new numbers.
So, how do you simulate rolling 12 dice? Do you write int(rand()*6) 12 times?
Is there a simpler way of simulating n dice in Excel?
I've run this code in VBA
Sub generate()
Application.ScreenUpdating = False
Application.Calculation = False
Dim app, i As Long
Set app = Application.WorksheetFunction
For i = 3 To 10002
Cells(i, 3).Value = i - 2
Cells(i, 4).Value = app.RandBetween(2, 12)
Cells(i, 5).Value = app.RandBetween(1, 6) + app.RandBetween(1, 6)
Next
Application.ScreenUpdating = True
Application.Calculation = True
End Sub
But I get the same distribution for both columns 4 and 5
Why ?
@Mohammed
I would expect to get the same distribution as you have effectively used the same function