Undoubtedly, banks across the city will now be reviewing their controls to see what they have in place to catch events like the one at Societe Generale, the French bank rocked by over $7bn of losses from unauthorised trading.
SocGen itself has said that it has already put additional controls in place to prevent any recurrence of this specific kind of breach. So once again, banks are likely to be layering on more plasters and bandages in an attempt to hold their processes together.
This response is likely to prevent an exact replica of the SocGen event, but it is unlikely to stop a similar event being carried out in a different way.
The Barings loss was also caused by an overzealous trader trying to be clever. The control solution put in place to prevent that recurring was a segregation of duties, so that front and back office controls could not both be manipulated by the same person. This time the trader simply prevented the second individual from looking at the trade or control. Because a different method was used, the additional controls put in place to prevent another occurrence of the first event did not prevent the occurrence of one very similar.
Banks cite increasing volumes, complexities and pressures to reduce costs as the reasons for difficulties in identifying the control weaknesses.
It is true that cost pressures have driven responsibilities to become highly fragmented between departments organised by products as well as offshore or outsourced operations. But we have heard these excuses for the last 20 years. Instead of making identification easier, the banks' response of layering on more controls and dispersing responsibilities has contributed to the complexity and does not stop these events happening.
In reality, this added complexity reduces the number of people who actually understand more than their specific area or who can identify faults in a transaction when they occur. This dynamic will not change, and product complexity and volumes are likely to increase steadily for the next 20 years, as they have done in the past.
Banks need to look for an alternative approach. Other industries have tools to monitor their activities. Airlines, for example, do not lose track of their planes, or advertise fictitious flights. Nuclear power stations know how much energy is being generated at all stages of the process. Even supermarkets are aware of how many cans of beans they have on their shelves.
A change in approach and culture is required in banks’ control management. Managers should demand to see a comprehensive view of what is happening across the company, so everyone understands the end-to-end process. They need visibility across disparate IT systems and across thousands of geographically distributed staff activities.
Like airlines, management teams in banks need real-time information to give them a holistic view of their operations, with IT systems that enable communications between departments, while highlighting risks and controls.
One thing that has changed in the last 20 years is habits of communication. We are all used to communicating online with people across the globe, so geographically distributed operations need not be an issue. This much-needed window for management can be made through a web-based technology that consolidates information to generate a running commentary on the status of their operations and controls.
Some of the controls for SocGen have been offshored to India and are most likely efficient and consistent with the rest of the organisation. However, this does not mean that the managers in Paris can see if staff in India are under pressure and carrying out all the processes correctly. It’s possible that the teams were trying to manage their work beyond their reasonable capacity, like a ship loaded so heavily it sinks below the Plimsoll line.
More understanding of end-to-end operational processes by everyone involved is paramount. This includes increasing the levels of understanding of traders in the front office.
A large proportion of banks’ errors and losses are caused by trader input error. Many of these would be prevented by a better understanding of operational processes. Traders need to understand the significance of trade input and regulatory requirements. Business managers in the front office need to be able to understand the dynamics of their business and manage it as a business with full transparency across all parts of the activities they are responsible for.
Jennifer Moodie is head of operational risk at Business Control Solutions (BCS), based at the company’s London headquarters. She is responsible for the development of the CTRL+ Operational Risk Methodology and expanding the BCS Operational Risk practice. Moodie also initiated and coordinates the Operational Risk in Investment Bank Operations (ORIBO) forum.