Societe Generale Disaster Puts Risk Management Up Front

We haven't heard the last of the trading scandal that cost Société Générale about $7.5 billion, as U.K. regulators last week urged banks to tighten their defenses against unauthorized trading, and French authorities detained a second trader in relation to the case. For IT teams, the question that shouldn't go away is whether they have the risk management practices in place to prevent similar insider problems.

The Financial Services Authority, which regulates U.K. financial markets, last week urged banks to improve their controls. The FSA said companies should review their access controls and implement practices such as making sure duties and system-access are segregated enough to limit potential for malicious activity by one unauthorized user. Traders shouldn't have system access beyond their mandates, FSA said, and companies should make sure front-office employees aren't logging on from back-office computers. The FSA encourages separating front-office staff from back-office functions.

It's the kind of IT and process advice that's simple in concept but difficult to maintain, as Société Générale's problems show. Jerome Kerviel, 31, is accused of stealing computer passwords, sending fake e-mail messages, and illegally accessing the bank's computer system to exceed trading limits and cover up his actions. He allegedly bought futures contracts but ignored requirements to offset them with countervailing buys. In a report last month, Société Générale said Kerviel gained unauthorized computer access and forged documents that made it look like he had offset the purchases, circumventing risk controls.

Investigators are still figuring out exactly how Kerviel circumvented controls, such as whether he logged into IT systems as someone else or used knowledge from his work as a back-office employee before becoming a trader. His lawyers have said he's being made a scapegoat for common practices. French police last week detained a colleague of Kerviel's, a broker at a another division, after a raid at the bank's headquarters, the Financial Times reports.

TECH ISN'T THE ANSWER

In some ways, the FSA recommendations spotlight the limits of technology's role, putting heavy emphasis on culture and focusing on policies such as requiring traders to take their vacation time, so they can't keep watch over their cooked trading books.

But problems like Société Générale's can reveal how many businesses don't recognize a big enough role for IT in business risk management, says Scott Crawford, of the analyst firm Enterprise Management Associates. The firm's recent survey of 200 business and IT pros finds only 31% of companies measure the financial impact of information security incidents. "Many executives see the management of risk in IT as a secondary issue in business risk management," Crawford says.

But as an increasingly tech-savvy workforce enters the business world, IT risk management should grow in importance, Crawford says, since more people have the skills to get around weak IT systems. Areas of focus should include: provisioning, identity management, access control and audits, access activity monitoring and alerts, data loss prevention, data warehousing of risk events in IT, and governance. Lowering risk, though, will take knocking down the distinctions that persist between business and IT risk management disciplines, Crawford says.

At the FSA, Sally Dewar, managing director of wholesale and institutional markets, said in a statement that many London firms are actively assessing the effectiveness of their controls. But she raised the specter that today's market conditions increase the risk--since it's all the more likely a trader will face losses they might want to cover up--and urges companies to "remain vigilant."