Did you happen to see where Danile Bouton, head of French bank Société Générale, admitted in an interview published on the French Internet site Mediapart that the bank’s internal control systems had faults?
Bouton said: "The controls were carried out in accordance with the rules for each area concerned” … [but] "a horizontal method for assessing the risk of fraud, [and] a pooling of the information, was missing. It was the lack of this method that allowed Jérôme Kerviel to play on the different deficiencies, which his experience in the back office had enabled him to see."
Bouton is referring to the lack of an end-to-end process view that spans different functional organizations. Kerviel’s experience in back office positions and his knowledge of how risk and controls systems worked allowed him to circumvent and override the bank’s systems/processes to carry out his fraudulent activities.
It sounds simple enough, but I wonder whether Bouton is guilty of what Nassim Taleb (author of the Black Swan) calls the “narrative fallacy” where a story is created post-hoc so that an event will seem to have a cause. In fact, the auditing firm PWC wrote a scathing report for Société Générale that described a flawed "general environment" that enabled Kerviel to rack up the record-breaking losses. The report pointed to a number of specific problems in the design and the implementation of the bank’s internal control system.
Since I haven’t read the report, I will put on my Monday morning quarterbacking hat and speculate about why the largest event of its kind went on for so long at an institution that had a reputation for being “well controlled.”
10. Warning signs were not heeded: complaints that Kerviel was not following proper policies and procedures, was in breach of limits, etc. were ignored because he was deemed to be a star trader and a money-making engine.
9. Management inaction: management was informed about the problem but they did not react or escalate the issue; they also failed “to question above-market returns.” Kerviel’s management chain was reluctant to bring these problems to senior management since they did not want to be seen as being counter-productive to profit making.
8. Failure to set/enforce proper limits: There are trading environments that have a “no tolerance” rule when it comes to breach of limits and there are trading environments that treat limits as permeable. The fluid approach to such breaches can be especially risky during times of high market volatility when exposures and limit breaks can grow quickly and exponentially. In Soc Gen’s case, limits were not strictly enforced.
7. Risk taking environment (culture): Rogue traders such as Kerviel often flourish in environments where risk taking and idolization of traders go hand-in-hand. In these environments, a breach of limits is seen as tolerable and at times implicitly encouraged.
6. Gambling persona: Similar to gamblers, traders are risk takers. If a trader does not have the appetite to take on risk they will be ineffective in their job. Kerviel is a risk taker and when he sustained losses he tried to trade himself back to profitability. This led to a pattern of escalating losses that led to more rogue trading behavior and more losses.
5. Failure to reconcile daily cash flows: The volume of certain products, such as over-the-counter derivatives leads to challenges concerning reconciliation of trades and cash flow. There are important operational risk issues associated with the high volume of certain trading areas and the lag time between execution, settlement, and reconciliation of the books. A rogue trader such as Kerviel who understands the system and how it works can exploit the lag time between these activities to avoid detection.
4. Failure to comply with internal policies and procedures: Danile Bouton stated that there were adequate policies and procedures in place designed to prevent unauthorized trading events. But no firm wants to operate in an environment where controls are so rigid and inflexible that it is not possible to be creative and profitable. What happens over time is that an organization drifts away from following internal policies and procedures and becomes “fluid” in response to business demands. There are organizations with “no tolerance” policies for breaking control limits, and there are others that treat it as a part of doing business. Soc Gen appears to have been one of the latter organizations.
3. Failure to supervise: At the heart of unauthorized trading events are often supervisory issues at multitude of levels. This covers the obvious “failure to manage,” but also includes supervisors who many be caught up in a direct report’s scheme to increase profits or bring in outsized returns. At Soc Gen there was a clear lack of supervision and there may even have been two layers of misconduct.
2. Swiss cheese effect: Often the event attributes in a case such as Soc Gen occur in conjunction with a series of control failings. The largest unauthorized trading events contain a number of control breakdowns that occur in clusters. Think of the controls as slices of Swiss cheese lined up next to each other; the holes in the cheese are potential control failures. The rogue trader can see a clear path through the slices, where the holes are lined up, and the misdeeds can pass through the openings without being halted by operating controls. If even one or more controls were properly functioning, the misdeed might never have happened. For example, if someone had escalated concerns to management and management acted – the event might not have occurred or at a minimum would have been much less severe.
1. Lack of dual control and lack of proper segregation of duties: The “four eyes” tenet is a basic one in risk management and after the history of large events such as Barings (1995) it is difficult to imagine any institution that allows traders to confirm their own trades. Kerviel was able to break into Soc Gen’s trading system to assume the identity of someone else and effectively confirm his own trades. The breakdown of dual controls in this area was perhaps the most egregious failure of the internal control environment at Soc Gen.
So Danile Bouton admitted that the bank’s internal control systems had faults – no kidding!