Published in the IHT on February 1, 2008 (here)
SocGen: When Risk Management Fell Asleep at the Switch
Since the first story is seldom the whole story, it will take time and police work to get to the bottom of the 4.82 billion euros in financial trading losses racked up by the French bank Société Générale in unwinding unauthorized positions taken by a trader, Jérôme Kerviel.
Will Kerviel emerge as an evil genius disguised as a 30-something slacker? The ring leader of a clever gang of financial scamsters? Or, more likely, an average-to-dull employee who exploited the weaknesses of his employer's systems and the credulity of his overseers?
The answer to the question "How did he do it?" appears routine enough. Kerviel's exploits seem not very different from those of the wrong-way traders who have popped up like mushrooms in the back offices of trading institutions from Barings to Sumitomo to Allied Irish Bank to Penn Square.
The scenario is almost always the same: An early burst of irregular but winning trades, motivated by bonus envy or simple testosterone, later spirals the wrong way - briefly matched by a daisy chain of falsified counterdeals and an accelerating but ultimately futile concealment of old losses covered by new ones.
The more demanding question - "How did he get away with it?" - will become answerable only through SocGen's accountability to investigators; to President Nicolas Sarkozy of France, who is not amused; and to its shareholders.
Outside auditors have been summoned. But since there is no forensic process so banal as the after-the-fact sweeping of the dust off the wrong-doer's trail, the interesting question they will likely not address is this: "Where were the curious, persistent and demanding managers ahead of the wreck?"
It's too early to tell, but enough is knowable to suggest that a relative of Inspector Clouseau was seconded to the risk management and compliance function of the hapless bank.
My first and best mentor in the scrutiny of financial fraud made a point of extending his inquiry beyond the immediate problem. Called to investigate an irregularity in one corporate corner, he would search for other possible outbreaks. Instead of assuming a system to be foolproof, he would speculate about ways to stress-test it for vulnerabilities.
He had a first principle: Any system of recording and reporting transactions is suspect. As a product of human design and operation, it is vulnerable not only to simple error but also to deliberate subversion.
In the SocGen situation there are some basic risk management tools, implicated by Kerviel's apparent mode of operating.
First is the vacation rule: Everyone who processes transactions should be taken off his desk at intervals, so that a chain of successive falsifications, if one exists, can be discovered and broken. This has been an article of faith since long before it became the centerpiece of a landmark 1976 U.S. Supreme Court decision in the Hochfelder case. That case dealt with the right to sue under the securities laws, but it started as a dispute over the application of a simple tool in internal control: the realization that an employee who never takes a vacation may be hiding something.
A low-level French employee who declines to take his vacation entitlement is already an extraordinary anomaly, enough that Kerviel's superiors should have gone on immediate and full alert. As Kerviel himself acknowledged to French police investigators, "It's one of the elementary rules of internal control. A trader who doesn't take any days off is a trader who doesn't want to leave his book to another."
A second risk management premise is that you don't net positions before quantifying risk. The exposure in a portfolio with 50 billion euros of puts and 49 billion of calls is emphatically not limited to 1 billion. At least since the Continental Vending case in the 1960s, where criminality was charged over the improper offset of accounts receivable against payables before setting a reserve, "netting" has been recognized as a recipe for concealed disaster.
Especially in a trading environment, combining the ostensible effects of "buys" and "sells" subverts the very essence of safeguarding against the possibility that one leg or the other might somehow go wrong - or even, as here, be falsified altogether.
A third is that back-office compliance cannot be only a little bit broken. Whether Kerviel was known to take irregular trading positions as far back as 2005, as he says, or only starting in 2006, as the investigator suggests, either one indicates a tolerance at SocGen for a back-office error rate greater than zero. But as the effect of financial leverage in Kerviel's dealings makes clear, there is no such thing as small or controlled leakage in a commodities operation.
Back-office compliance does not work to the same margin of error as, say, audited financial statements, which need only be stated fairly within the broadly judgmental range of "materiality" - or, in laymen's terms, "close enough." For systems capable of going awry to the tune of billions of euros, that level of tolerance for error cannot pass a credibility test.
Finally, and indicative of the SocGen attitude of mind, is the report that Kerviel talked his way out of an external alert by producing falsified documents by way of excuse. Once the red flag is raised, going to the target himself for an explanation suggests a box-ticking mentality that is out of place in a compliance function.
"Rogue trader" is probably too colorful an epithet for Kerviel. For the functionaries in SocGen's risk management, "asleep at the switch" probably doesn't go far enough.
Comments