The FINANCIAL — Lightning can, in fact, strike twice and banks that want to avoid being rocked by a Societe Generale-scale fraud incident need to move beyond stop-gap measures and build a culture of operational risk management.
A new report from Diamond Management & Technology Consultants, Inc. based in Chicago examines facts that have emerged from the Societe Generale situation, and the probable causes of fraud point to deficiencies in operational risk management. While details are still surfacing, Societe Generale, or SocGen, appears to have lacked three essential ingredients in establishing a resilient operational risk environment: automated processes, an internal controls culture, and strong IT access controls.
Without these three elements in place, not even a 2,000-person risk division could stop a rogue trader, who is allegedly responsible for the loss of 4.9 billion euros at SocGen, the second-largest French bank.
"Initially, many institutions reacted to the SocGen incident by focusing on remediating the direct components of the fraud," said Linda Najim, a partner in Diamond's Financial Services practice. "Of course this is necessary, but if institutions hope to expose tomorrow's rogue traders, they will need to address the three underlying areas where it looks as if SocGen came up short.
"Optimistically, we hope the long-term legacy of the SocGen incident will be a more secure global banking system. But before that day comes, financial institutions need to respond to the SocGen situation by taking a more comprehensive approach toward managing operational risk – beginning with a focus on building an internal controls culture that permeates the organization from top to bottom and across businesses."
Diamond's report, "Notes on a Scandal: Lessons in Operational Risk Management from Societe Generale," emphasizes that the elements SocGen seemingly lacked — automated processes, an internal controls culture, and strong IT access controls — are the primary components to an improved operational risk environment. Banks that grasp the business and technology details of these components will lead the pack in managing fraud risks.
Automated Processes
Leading banks with stronger controls have implemented technologies such as warning indicators on trading stations to notify the trader about gross and net limits before they are reached.
"We believe, however, that technology alone is insufficient; banks must also institute strong risk governance processes to prevent breaches," said Najim. For example, when faced with a trade limit violation, a risk officer could then provide additional control by reviewing the request in the context of governing guidelines, principles, and exposures to determine the correct course of action for the firm — approval or denial.
The SocGen rogue trader allegedly used his knowledge of the bank's back-office systems to exploit the ability to cancel transactions before their settlement dates. In the absence of strong risk governance processes, a trader could fend off an institution's risk managers.
Controls Culture
"In order to instill a proactive internal controls culture, financial institutions should act prudently but aggressively by reminding their supervisors of their responsibilities to uphold policies and compliance rules," said Najim. "Implementing systems that track supervisors' compliance with required tasks presents one possible solution in this area."
Strong IT Access Controls
"Unfortunately, in the absence of sophisticated access management solutions, banks have had to resort to manual reviews of unnecessary access privileges," said Najim. "Institutions that develop automated access and entitlement control systems will achieve greater security and efficiency."
Once access to IT systems is under control, the next challenge for institutions is to automate management of employee lifecycle events, such as transfers, ensuring that users only retain access to systems that are required for their new job functions.
Investing in a Legacy
In the report, Diamond recommends a broad, formal risk assessment. This evaluation will provide executive leadership with a precise understanding of the existing controls across the institution as well as opportunities to resolve potential fraud risks across the entire transaction value chain.
"A corporate culture that rewards vigilance against fraud should be rolled out — and constantly reinforced," Najim said. "Overall, institutions that invest in a firmwide controls culture will have an opportunity to create and maintain their own legacy — one of reliable management controls, trusted business relationships, and sustained profitability."