What Constitutes A $7B Control Failure?

The media yesterday (Wall Street Journal, Associated Press, Economist, etc.) were all over 31-year-old Jérôme Kerviel, the trader at France’s Société Générale who has apparently confessed to fraudulent trades resulting in an estimated loss of roughly $7.2 billion.

In further coverage, we hear that the bank has apologized to shareholders, filed legal claims against Kerviel, and promised the public that the incident does not suggest any larger issues with the company’s risk management. The Wall Street Journal, however, follows up with a story questioning the effectiveness of regulatory oversight that can let something like this transpire despite Société Générale’s claims that controls were adequately tested and did not fail.

There will certainly be much more to follow on this story. From initial coverage, it seems that the bank had enforced proper trade limits for this employee, and the control failure occurred when he was able to circumvent security systems and escalate his trading privileges. As organizations continue to focus on developing their enterprise risk management programs, this story is a reminder that such programs require an understanding of how the various types of risk (operational, market, credit, etc.) are often intertwined.

Comments

re: What Constitutes A $7B Control Failure?

I read all the articles I can get my hands on regarding the private French bank Société Générale’s trader incident. The coverage on root cause has been misleading, and while I value the economic insight published in the Economist, their understanding of management controls in a trading environment may be poor. I understand from reading the Economist that the writer may have confused prior Middle Office experience (as described in the WSJ) with "middle management experience" when suggesting that middle management experience may have afforded the trader access and unprecedented knowledge of controls. But this is a specious argument: knowledge of controls doesn't cause control weaknesses; it's poor implementation of controls that does. When someone switches from middle office to back office to front office, the systems access control matrix must be completely rethought for that individual, and in most companies this works like clockwork. I worked in the middle office of a global IT company and I can tell you the controls for individuals changing positions are most definitely reassigned (even if they sit in the same room as they did before). The controls in this case were not functioning as intended and were most definitely compromised. In trading there is a "Front Office" (the traders), the "Middle Office" (policy, systems and control oversight) and the "Back Office" (the settlement folks), also a key control area where each trade is scrutinized and the terms and amounts of the trades should be confirmed with the counterparty. A trader making such huge mistakes and cancelling trades should be fired, pure and simple. Once again greed is the culprit. The Back Office should have raised red flags when the trader kept making mistakes and cancelling amounts. But frankly, where were the middle office controls? Who was checking to see if the trades were in accordance with the delegations of authority? Why had management not established such controls for the trading desk?
Why were different users allowed to share passwords unnoticed? It's time the glamorous trading world understood and appreciated the geeky certified information systems auditors who should have been all over the password sharing. I suspect that the trades DID NOT GO UNNOTICED by management; how could they? It would be impossible to go unnoticed when his book of business was larger than the capitalization of the bank. Unless all three groups (the front office, middle office and back office) and the CFO's g/l and planning and analysis group (which should be monitoring the effect that the trades and cash positions are having on the general ledger) are in collusion, then there is no way that management didn't know about this. There were multiple opportunities for detection from the middle office, the back office settlements group, and the CFO's general ledger group, who would have been performing analytical review on the books. The best forms of protection are (1) current IT system access control matrices and frequently changed passwords, (2) middle office analysis of trades against delegations and the objectives of the Treasurer, and (3) CFO General Ledger analysts, which should have raised red flags.