An investigation into rogue trader Jerome Kerviel's fraudulent actions at Société Générale (SocGen) bank uncovered an apparent breakdown in financial and internal IT controls, subverted by an employee with IT know-how and authorised systems access.

The well-known tale of Kerviel's exploits, which led to more than £3.5bn in losses for the bank, is serving as a wake-up call to businesses everywhere.

"It's started the conversation around these issues," says Scott Crawford, a security expert and research director at Enterprise Management Associates (EMA). Executives are now asking themselves: "What can we do to ensure that the risk exposure of the business itself is managed effectively, in addition to what role IT should play?"

Answering that question, however, isn't so easy. First, many executives don't have sufficient understanding of where their risks actually are, Crawford says, and therefore don't know where they need more robust controls.

This is compounded by the fact that some executives might not want to be made aware of their company's risks. "Once you know what your exposure is, you are no longer ignorant," Crawford says. "And if you choose not to mitigate a known risk or at least not address it, then the issue potentially becomes one of negligence."

This is precisely why regulations like Sarbanes-Oxley require top executives to put their names on their company's financial documents.

Several former risk-control executives quoted in a Wall Street Journal article have said that financial institutions of all types are notorious for weakening risk-management procedures when times are good and profits are flowing fast. The WSJ article cites the "months of misery" endured at top US banks and securities firms, which are being clobbered by the mortgage crisis, as evidence of what such lax risk controls eventually produce.

In addition, even if executives are made aware of the risks, they have a tough time balancing the potential gains from a risky endeavour versus the potential losses, Crawford says. "There's always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management," he notes. "This notion of business-risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole."

One of Societe Generale's primary business lines is derivatives, Crawford notes. Derivatives are financial instruments that allow traders to make contracts on a wide range of assets (such as equities, bonds or commodities) and that attempt to reduce (or hedge) the financial risk for one party in the deal.

Trading derivatives, however, necessitates some aggressiveness and can be fraught with risk. The story of Nick Leeson, the rogue trader who brought down Barings Bank, has been cited often in this regard.

This could have been a stumbling block for Societe Generale. "Were they really as aware of the actual level of exposure as they should have been?" Crawford asks.

Lastly, up until very recently there's been "limited interaction" between business risk managers and IT risk managers, Crawford says. "The perception is that one doesn't really get the other," he says. "The business risk managers feel that IT is speaking a different language, and IT feels business managers don't really understand the amount of IT-related exposure."

How IT hurts and helps

That disconnect can be enormously destructive, as the Societe Generale incident shows.

"The Societe Generale case brings to the fore the fact that business risk can be directly exposed through IT," Crawford says. "Kerviel allegedly manipulated the IT controls on the business systems based on his mid-office experience and back-office [IT] knowledge and expertise."

An internal Societe Generale investigation on the incident found at least 75 red flags raised by accountants, risk-control and compliance officers over a two-year period. These alerts included "transactions that appeared to settle on a Saturday or trades where the counter-party was either not named or listed as 'pending' from June 2006 to January 2008," according to a report in The New York Times. The Societe Generale report said these transactions should have alerted managers to Mr Kerviel's activities.
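The two red flags the report names (settlement on a weekend, and a counterparty that is blank or "pending") are simple enough to screen for automatically. The following is an added illustration, not code from the article, SocGen, EMA or SailPoint: the trade records are constructed sample data, and the field names and thresholds are assumptions for the example.

```python
"""Screen trade records for the red flags the SocGen report describes:
settlement falling on a weekend, and a counterparty that is missing or
still marked 'pending'. Added illustration; the records below are
constructed sample data, not real trades."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class Trade:
    trade_id: str
    trader: str
    counterparty: str   # empty string when no counterparty was recorded
    settlement: date
    notional: float


def weekend_settlement(t: Trade) -> bool:
    """Monday is 0 and Sunday is 6, so 5 or 6 means Saturday or Sunday."""
    return t.settlement.weekday() >= 5


def counterparty_unresolved(t: Trade) -> bool:
    """No named counterparty, or the placeholder 'pending' in any casing."""
    cp = t.counterparty.strip().lower()
    return cp == "" or cp == "pending"


# Name -> predicate; add further checks here without touching screen().
CHECKS: Dict[str, Callable[[Trade], bool]] = {
    "weekend_settlement": weekend_settlement,
    "counterparty_unresolved": counterparty_unresolved,
}


def screen(trades: List[Trade]) -> Dict[str, List[str]]:
    """Return {trade_id: [names of checks that fired]} for flagged trades only."""
    flagged: Dict[str, List[str]] = {}
    for t in trades:
        hits = [name for name, check in CHECKS.items() if check(t)]
        if hits:
            flagged[t.trade_id] = hits
    return flagged


def per_trader_summary(trades: List[Trade]) -> Dict[str, int]:
    """Count flagged trades per trader, so a pattern stands out from a one-off."""
    flagged = screen(trades)
    counts: Dict[str, int] = {}
    for t in trades:
        if t.trade_id in flagged:
            counts[t.trader] = counts.get(t.trader, 0) + 1
    return counts


# Constructed sample: 2007-06-16 is a Saturday, 2007-06-17 a Sunday.
SAMPLE_TRADES = [
    Trade("T-1001", "trader_a", "Bank X",  date(2007, 6, 15), 2.0e6),  # Friday, clean
    Trade("T-1002", "trader_a", "pending", date(2007, 6, 16), 5.0e8),  # Saturday + pending
    Trade("T-1003", "trader_a", "",        date(2007, 6, 18), 3.0e8),  # Monday, no counterparty
    Trade("T-1004", "trader_b", "Bank Y",  date(2007, 6, 19), 1.0e6),  # Tuesday, clean
    Trade("T-1005", "trader_a", "Pending", date(2007, 6, 17), 7.0e8),  # Sunday + pending
]

if __name__ == "__main__":
    for trade_id, hits in screen(SAMPLE_TRADES).items():
        print(trade_id, ", ".join(hits))
    print(per_trader_summary(SAMPLE_TRADES))
```

The point of the per-trader summary is the one the report makes: any single flag can have an innocent explanation, but three flagged trades on one desk in one week is the kind of concentration that should reach a supervisor rather than stay in a queue.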

A striking graphical representation of Kerviel's exploits and Societe Generale's mis-steps put together by risk-management vendor SailPoint Technologies (with the help of EMA's Crawford) shows just how and where controls should have stopped Kerviel's activities.

For example, Kerviel was able to subvert systems access and privilege controls, allowing him to misappropriate names and passwords of his colleagues and mask his fraud, according to the SailPoint document.

"If at the top of an organisation there really is not adequate division between those who use and manage IT controls and those who are responsible for their supervision and ensuring they're not exploited, then controls may be ineffective," Crawford says.

Consequently, the SailPoint document points out, Societe Generale's "weak access controls and activity monitoring" left the bank to rely upon external events to reveal the ongoing fraud.

What IT should do

If there is anything good that can come out of Kerviel's alleged deviance and Societe Generale's apparent blindness to it, it is that the incident will spur executives to talk about risk management and IT controls inside their businesses.

That conversation can start off with something as simple as asking a series of what-if questions, Crawford says. These include:

  • Would you be able to recognise anomalies that would indicate you may have more risk exposure than you realise? Are there events taking place that are detectable in IT and that would indicate you might be subject to an event of this nature? If so, what kind of anomalies would you be looking for?
  • Are entitlements and privileges for high-level and high-risk employees too broad? Do individual roles or individual users have entitlements that would basically negate adequate separation of duties? Is there adequate insight into that kind of activity? And how effective are the controls assuring that the separation of duties could be enforced?
  • What are the behaviour anomalies that would suggest you may be facing greater exposure? What is the risk that your control systems or indicators themselves may be subject to subversion? And what are ways you can enforce more effective controls and still be able to capitalise on new business opportunities?
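The second question, whether individual users hold entitlements that negate separation of duties, can be answered mechanically from a role-to-entitlement mapping. The following is an added example, not code from the article or from any of the firms it mentions: the roles, users and "toxic" entitlement pairs are assumptions constructed for the illustration, and the user who kept a back-office role after moving to the trading desk is the scenario the article describes in outline, not an actual SocGen account.

```python
"""Separation-of-duties (SoD) review over a constructed entitlement set.
Added illustration; roles, users and toxic pairs are assumptions for the
example, not any bank's real control matrix."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Entitlement pairs one person should never hold together (assumed).
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"book_trade", "confirm_trade"}),
    frozenset({"book_trade", "cancel_trade"}),
    frozenset({"book_trade", "edit_control_rules"}),
    frozenset({"confirm_trade", "edit_control_rules"}),
}

# Role -> entitlements granted by that role (assumed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "front_office_trader": {"book_trade", "view_positions"},
    "middle_office": {"confirm_trade", "view_positions"},
    "back_office_it": {"edit_control_rules", "cancel_trade", "view_positions"},
}

# User -> roles. 'carol' moved desks and kept her old back-office role,
# which is the kind of accumulated access the what-if questions target.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["front_office_trader"],
    "bob": ["middle_office"],
    "carol": ["front_office_trader", "back_office_it"],
}


def effective_entitlements(
    user: str,
    user_roles: Dict[str, List[str]] = USER_ROLES,
    role_ents: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
) -> Set[str]:
    """Union of everything the user's roles grant."""
    ents: Set[str] = set()
    for role in user_roles.get(user, []):
        ents |= role_ents.get(role, set())
    return ents


def sod_violations(
    user: str,
    user_roles: Dict[str, List[str]] = USER_ROLES,
    role_ents: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
    toxic: Set[FrozenSet[str]] = TOXIC_PAIRS,
) -> List[Tuple[str, str]]:
    """Every toxic pair fully contained in the user's effective entitlements."""
    ents = effective_entitlements(user, user_roles, role_ents)
    found = [tuple(sorted(pair)) for pair in toxic if pair <= ents]
    return sorted(found)  # deterministic order for reporting


def review_all(
    user_roles: Dict[str, List[str]] = USER_ROLES,
    role_ents: Dict[str, Set[str]] = ROLE_ENTITLEMENTS,
    toxic: Set[FrozenSet[str]] = TOXIC_PAIRS,
) -> Dict[str, List[Tuple[str, str]]]:
    """Users with at least one SoD conflict, mapped to their conflicting pairs."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user in user_roles:
        violations = sod_violations(user, user_roles, role_ents, toxic)
        if violations:
            report[user] = violations
    return report


if __name__ == "__main__":
    for user, pairs in review_all().items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

Run periodically (and on every role change), this is the "insight into that kind of activity" the question asks for: the review surfaces the conflict at the moment the second role is granted, rather than after an external event reveals what the combined access was used for.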

"There are limits to what people can do, and there are limits to what technology can do," Crawford notes. However, there are many things businesses should look at immediately, such as the sharing of access privileges by high-level employees.

"The issue of the highly skilled professional who is familiar with [system] architecture, and particularly how to infiltrate it, is one of the biggest risks highlighted in the Societe Generale case," he says.

In the end, it's critical that companies understand the trade-offs they're making and how much risk they're willing to allow in their companies.

"Businesses are just now beginning to awaken to the controls within the IT environment," Crawford says. "If you're betting the farm and strategy on the IT controls, it behoves the organisation to ensure that those controls are reasonably resistant to subversion."