Jun 20, 2008

Behind the Scenes at Société Générale -- Rogue Trader
Posted by: Patrick OBrien

Did you happen to see that Daniel Bouton, head of the French bank Société Générale, admitted in an interview published on the French Internet site Mediapart that the bank's internal control systems had faults?

Bouton said: "The controls were carried out in accordance with the rules for each area concerned" ... [but] "a horizontal method for assessing the risk of fraud, [and] a pooling of the information, was missing. It was the lack of this method that allowed Jérôme Kerviel to play on the different deficiencies, which his experience in the back office had enabled him to see."

Bouton is referring to the lack of an end-to-end process view that spans different functional organizations. Kerviel’s experience in back office positions and his knowledge of how risk and controls systems worked allowed him to circumvent and override the bank’s systems/processes to carry out his fraudulent activities.

It sounds simple enough, but I wonder whether Bouton is guilty of what Nassim Taleb (author of The Black Swan) calls the "narrative fallacy," where a story is created post hoc so that an event will seem to have a cause. In fact, the auditing firm PwC wrote a scathing report for Société Générale that described a flawed "general environment" that enabled Kerviel to rack up the record-breaking losses. The report pointed to a number of specific problems in the design and the implementation of the bank's internal control system.

Since I haven’t read the report, I will put on my Monday morning quarterbacking hat and speculate about why the largest event of its kind went on for so long at an institution that had a reputation for being “well controlled.”

My top ten list for why Jérôme Kerviel was able to perpetrate the fraudulent activities at Soc Gen:

10. Warning signs were not heeded: complaints that Kerviel was not following proper policies and procedures, was in breach of limits, etc. were ignored because he was deemed to be a star trader and a money-making engine.

9. Management inaction: management was informed about the problem but they did not react or escalate the issue; they also failed “to question above-market returns.” Kerviel’s management chain was reluctant to bring these problems to senior management since they did not want to be seen as being counter-productive to profit making.

8. Failure to set/enforce proper limits: There are trading environments that have a “no tolerance” rule when it comes to breach of limits and there are trading environments that treat limits as permeable. The fluid approach to such breaches can be especially risky during times of high market volatility when exposures and limit breaks can grow quickly and exponentially. In Soc Gen’s case, limits were not strictly enforced.

7. Risk taking environment (culture): Rogue traders such as Kerviel often flourish in environments where risk taking and idolization of traders go hand-in-hand. In these environments, a breach of limits is seen as tolerable and at times implicitly encouraged.

6. Gambling persona: Similar to gamblers, traders are risk takers. If a trader does not have the appetite to take on risk they will be ineffective in their job. Kerviel is a risk taker and when he sustained losses he tried to trade himself back to profitability. This led to a pattern of escalating losses that led to more rogue trading behavior and more losses.

5. Failure to reconcile daily cash flows: The volume of certain products, such as over-the-counter derivatives, leads to challenges in reconciling trades and cash flow. There are important operational risk issues associated with the high volume of certain trading areas and the lag time between execution, settlement, and reconciliation of the books. A rogue trader such as Kerviel who understands the system and how it works can exploit the lag time between these activities to avoid detection.

4. Failure to comply with internal policies and procedures: Daniel Bouton stated that there were adequate policies and procedures in place designed to prevent unauthorized trading events. But no firm wants to operate in an environment where controls are so rigid and inflexible that it is not possible to be creative and profitable. What happens over time is that an organization drifts away from following internal policies and procedures and becomes "fluid" in response to business demands. There are organizations with "no tolerance" policies for breaking control limits, and there are others that treat it as a part of doing business. Soc Gen appears to have been one of the latter organizations.

3. Failure to supervise: At the heart of unauthorized trading events are often supervisory issues at a multitude of levels. This covers the obvious "failure to manage," but also includes supervisors who may be caught up in a direct report's scheme to increase profits or bring in outsized returns. At Soc Gen there was a clear lack of supervision and there may even have been two layers of misconduct.

2. Swiss cheese effect: Often the event attributes in a case such as Soc Gen occur in conjunction with a series of control failings. The largest unauthorized trading events contain a number of control breakdowns that occur in clusters. Think of the controls as slices of Swiss cheese lined up next to each other; the holes in the cheese are potential control failures. The rogue trader can see a clear path through the slices, where the holes are lined up, and the misdeeds can pass through the openings without being halted by operating controls. If even one or more controls were properly functioning, the misdeed might never have happened. For example, if someone had escalated concerns to management and management acted – the event might not have occurred or at a minimum would have been much less severe.

1. Lack of dual control and lack of proper segregation of duties: The “four eyes” tenet is a basic one in risk management and after the history of large events such as Barings (1995) it is difficult to imagine any institution that allows traders to confirm their own trades. Kerviel was able to break into Soc Gen’s trading system to assume the identity of someone else and effectively confirm his own trades. The breakdown of dual controls in this area was perhaps the most egregious failure of the internal control environment at Soc Gen.
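To make item 1 concrete, here is a small example, added here and not taken from the original post or from any bank's systems, of what a dual-control ("four eyes") confirmation step looks like when enforced in code. The identity of the person confirming comes from an authenticated session rather than from anything the caller types, a confirmer must hold a back-office role, the booking trader can never confirm their own trade, and the trader's limit is enforced with zero tolerance. Each check is written as an independent "slice" in the Swiss cheese sense: all of them must pass, and every outcome is written to an audit log. The roles, user names, limits and trades are constructed sample data.

```python
"""Added example (not from the original post or from any bank): a minimal
four-eyes trade confirmation with segregation of duties and a zero-tolerance
limit check. Names, roles, limits and trades are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Role(Enum):
    TRADER = "trader"
    BACK_OFFICE = "back_office"


class ControlViolation(Exception):
    """A preventive control blocked the action."""


@dataclass(frozen=True)
class Session:
    """Authenticated identity. Populated by the login system, never copied
    from a request body, so a caller cannot take on someone else's identity
    simply by naming another user in the request."""
    user_id: str
    roles: FrozenSet[Role]


@dataclass
class Trade:
    trade_id: str
    booked_by: str                      # trader who entered the trade
    notional: float
    confirmed_by: Optional[str] = None


@dataclass
class ConfirmationDesk:
    limits: Dict[str, float]            # per-trader notional limit (constructed)
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, event: str, trade: Trade, session: Session) -> None:
        self.audit_log.append({"event": event, "trade": trade.trade_id,
                               "booker": trade.booked_by, "actor": session.user_id})

    def confirm(self, trade: Trade, session: Session) -> Trade:
        """Each check is an independent slice; all of them must pass."""
        if trade.confirmed_by is not None:
            self._log("denied_already_confirmed", trade, session)
            raise ControlViolation("trade already confirmed")
        if Role.BACK_OFFICE not in session.roles:
            self._log("denied_role", trade, session)
            raise ControlViolation("confirmer lacks back-office role")
        # Four eyes: the booker never confirms their own trade, even when the
        # same person also happens to hold the back-office role.
        if session.user_id == trade.booked_by:
            self._log("denied_self_confirm", trade, session)
            raise ControlViolation("booker cannot confirm own trade")
        # Zero-tolerance limit: a breach is blocked, not noted for later.
        limit = self.limits.get(trade.booked_by, 0.0)
        if trade.notional > limit:
            self._log("denied_limit_breach", trade, session)
            raise ControlViolation(
                f"notional {trade.notional:,.0f} exceeds limit {limit:,.0f}")
        trade.confirmed_by = session.user_id
        self._log("confirmed", trade, session)
        return trade


def attempt(desk: ConfirmationDesk, trade: Trade, session: Session) -> str:
    """Run one confirmation and report the outcome as a short string."""
    try:
        desk.confirm(trade, session)
        return "ok"
    except ControlViolation as exc:
        return f"blocked: {exc}"


def run_demo() -> List[str]:
    """Walk through the scenarios and return the audit-log event names."""
    desk = ConfirmationDesk(limits={"trader_a": 1_000_000.0})
    trader = Session("trader_a", frozenset({Role.TRADER}))
    dual_hat = Session("trader_a", frozenset({Role.TRADER, Role.BACK_OFFICE}))
    ops = Session("ops_b", frozenset({Role.BACK_OFFICE}))
    small = Trade("T1", booked_by="trader_a", notional=500_000.0)
    large = Trade("T2", booked_by="trader_a", notional=2_000_000.0)
    scenarios = [(small, trader), (small, dual_hat), (small, ops),
                 (small, ops), (large, ops)]
    for trade, session in scenarios:
        print(f"{trade.trade_id} by {session.user_id}: {attempt(desk, trade, session)}")
    return [entry["event"] for entry in desk.audit_log]


if __name__ == "__main__":
    run_demo()
```

The point of the `dual_hat` scenario is that granting someone both roles does not defeat the control: the self-confirmation check compares the authenticated user to the booker, so the separation holds even when one person wears two hats. The audit log records denials as well as successes, which is what gives management the warning signs that items 9 and 10 say were missing.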

So Daniel Bouton admitted that the bank's internal control systems had faults. No kidding!
Jun 11, 2008

Limits to ORM
Posted by: Patrick OBrien

At a recent RMA ORM Discussion Group meeting (Washington D.C. on May 29-30, http://www.rmahq.org/RMA/OperationalRisk/) a couple of presentations suggested that there are limits to ORM and that we should respect these limits and move on to more productive activities where we can increase the value of the ORM function.
 
For example, Eric Holmquist (eholmquist@advanta.com) from Advanta led a discussion on taking a risk-based approach to information security. Eric was describing what he meant by "taking a risk-based approach," and one of the points he made was that you want to ensure that you have the ability to respond quickly. He pointed out that for information security risks, "things happen so fast" that KRIs are not very effective as leading indicators, and added that "historical loss data is worthless" as a way to quantify information security risk.
 
Bert Ely (bert@ely-co.com) gave a presentation on how the “subprime crisis is affecting the risk management discipline.” Bert mentioned that there are limits to operational risk management in terms of accurately quantifying and/or predicting risk events.  He suggested that risk management should focus more on the structure (activities) of risk rather than risk measurement.  He believes that with many risk assessment activities risk managers are getting lost in the weeds and missing the key fundamentals of managing risk. Bert believes that we can enhance the value of risk management more by focusing on improving risk identification, risk monitoring and risk management processes as opposed to trying to obsessively quantify risk exposure.
 
Bert also commented on the attempts to make Basel more dynamic to enable firms to respond before-the-fact to emerging bubbles.  There is a requirement for new models that move beyond backward-looking stress tests.  Bert believes that this is a hopeless task because the “world never looks the same or works the same” so the models will be inherently wrong.  In Bert’s mind “this is akin to the generals fighting the last war.”
 
Bert encouraged the audience to recognize the limits of operational risk management and to focus on what is practical in terms of cost versus benefit. Be prepared to battle efforts to trim risk-management activities, especially when market conditions are bullish or when costs must be cut to meet earnings targets. The best way to counteract such cost reduction is to ensure that risk management is integral to the overall management of your firm.
GRC: We have a moral obligation to protect people from themselves!
Posted by: Patrick OBrien

Bert Ely gave a thought-provoking presentation on “How the SubPrime Crisis will Affect Basel, Regulation, and the Risk Management Discipline” at a recent RMA ORM Discussion Group meeting held in Washington D.C. on May 29-30. http://www.rmahq.org/RMA/OperationalRisk/
 
One observation that Bert made is that in many respects, internal fraud in banking is like shoplifting (by employees) in retailing. If you make things too easy, shoplifting will happen. It is basic human nature.
 
There are three types of people:
1) Good guys: would never ever commit fraud/theft
2) Basically good but can be misled: most of us
3) Bad guys: you hope you don't have any of these but you probably do
 
In my mind, Bert is focused on helping the middle group. He asserts that risk management has a “moral obligation to protect people from themselves.” He went on to add that operational risk in particular should focus on human weakness and management weakness.
 
If we focus on implementing basic yet effective controls, the middle group will know that management is watching and that there will be action taken when necessitated by fraudulent activity.
 
Basic controls should include:

  • Segregation of duties
  • Access controls
  • Authorization
  • Preventative/Detective controls

Bert wasn’t suggesting that we neglect the third group of people, but that by getting the basics right we can address a large percentage of certain types of risk.
 
Related to this point, Bert mentioned that there are limits to operational risk management in terms of accurately quantifying and/or predicting risk events.  He suggested that risk management should focus more on the structure (activities) of risk rather than risk measurement.  He believes that with many risk assessment activities risk managers are getting lost in the weeds and missing the key fundamentals of managing risk. Bert believes that we can enhance the value of risk management more by focusing on improving risk identification, risk monitoring and risk management processes as opposed to trying to obsessively quantify risk exposure.
 
 
Bert can be contacted at: bert@ely-co.com; www.ely-co.com

May 28, 2008

The Maturing of GRC
Posted by: Gordon Burnes

Today, the GRC sector has matured to become an integral part of an organization’s internal structure. Recently, I spoke with Carl Weinschenk of IT-Finance Connection about this topic.

Listen to the podcast to learn more.

 
