Protect Your Shop with Back-to-Basics Controls

SocGen Falls into a Familiar Hole: Protect Your Shop with Back-to-Basics Controls

Val Mulcahy, Carol McGinn. The RMA Journal. Philadelphia: Apr 2008. Vol. 90, Iss. 7; pg. 58, 7 pgs

Abstract (Summary)
Many smaller frauds have escaped the light of public scrutiny either because they fell below the hurdle of media interest, or because they resulted in profits, thus ensuring that the control weaknesses never saw the light of day. It's time for a back-to-basics commonsense approach to trading-room controls. The financial industry has become dazzled by the mathematics of trading, but has neglected to ensure that the rudimentary controls remain in place. At the heart of back to basics is segregation of duties (SOD), the mother of good internal controls. Presented is a back-to-basics punch list of internal controls, including SOD. The list includes: 1. small department/remote offices, 2. weak segregation duties, 3. new products launched without full review, 4. poor training of oversight staff, 5. aggressive or aberrant behavior, 6. absence of transparency/culture of opaqueness, 7. bonus pressures, and 8. culture of greed or arrogance.

Basic controls get results when institutions manage the complexity in modern financial products. At the heart of the basics is segregation of duties.

IT WAS SAD to see Société Générale, another mighty derivatives gladiator, trip over its own shoelaces and fall into a familiar hole in the road. In what may be perhaps the world's biggest financial fraud, this French institution announced that one of its junior traders, Jérôme Kerviel, ran up billions in losses, forcing the bank to raise more capital-and putting the institution's future in jeopardy.

The past decade is littered with celebrated war stories of ended careers and the occasional demise of an institution. The underlying story behind the following institutions' losses is their control failures.

Many smaller frauds have escaped the light of public scrutiny either because they fell below the hurdle of media interest, or because they resulted in profits, thus ensuring that the control weaknesses never saw the light of day.

It's time for a back-to-basics commonsense approach to trading-room controls. The financial industry has become dazzled by the mathematics of trading, but has neglected to ensure that the rudimentary controls remain in place. Institutions have shaped their controls around the mathematics of their sophisticated risk systems, rather than asking the obvious questions, such as:

? Is this person raising internal trades that have not been substantiated?

? Is this person writing trades with counterparties we can't see?

? What else is this trader doing that is flying under the radar of our mathematics?

Why is it, then, that the financial market players and overseers have failed in their jobs? Are the products too complex to be controlled by trained back-office staff? Are the wayward traders too clever? Not at all! The much- praised Corrigan Report on Counterparty Risk Management, issued in 2005, stressed that there is, indeed, complexity in modern financial products, but there remains a need for "time-honored basics of managerial competence, sound judgment, common sense, and disciplined corporate governance." Back to basics gets results.

At the heart of back to basics is segregation of duties (SOD), the mother of good internal controls. No sooner is a new financial scandal uncovered than the hunt begins to discover what element of SOD has broken within the organization. All of those companies that have fallen prey to deadly frauds-and the list is long-ignored basic SOD controls and, as a direct result, were ruined or severely wounded.

Back-to-Basics Punch List

What follows is a back-to-basics punch list of internal controls, including SOD. (These and other controls are discussed in the author's RMA course, Risk Mitigation Strategies for Trading Operations.)

Small Departments/ Remote Offices

Small, not big, is dangerous. Frauds are less usual in a bank's main office or in a department where supervisors and managers watch traders and office staff. But although they are less usual, they are not impossible. Barings blew up in its Singapore office and Daiwa in its New York office. Branch offices or small departments are most at risk, as these units often have less supervision and SOD. Controls tend not to be as tight. There is no second pair of eyes automatically scrutinizing the daily flows.

In the head office there are more people, and the responsibilities of each are outlined more clearly. Well-trained people in central oversight functions, if they are uneasy, should have the professionalism to "cry uncle" and initiate a "pause and reevaluation" of the subject product's operational risk hazards. It's a hard call, but necessary. The oversight and risk management units are accountable, too.

Weak Segregation of Duties

Société Générale (SocGen) disclosed that its trader had breached several firewalls and performed back-office style controls. That ability should be an absolute no-no in any organization. In the day-to-day rush, segregation-of-duty procedures may seem like a hindrance. However, the tone from top management must reinforce these standards and discipline any observed breaches. SOD is a non-negotiable control. Achieving a balance between excessive red tape and effective SOD takes time and requires the judgment of experienced operations managers.

In a small office, it can be difficult to segregate duties because there are not enough people to break down responsibilities. But even in a larger office where there is a slipshod SOD culture, people may not want to bother with the red tape required to complete a transaction. They may know the manual requires certain steps, but they opt to "get this deal out tonight." Or, they may believe a new product can't wait for all of the necessary approvals because profits could be forgone in the fast-moving market. They glide over the traditional segregation of duties.

Segregation of duties must apply to all personnel, especially now that the middle office is increasingly managing derivatives. Critical legacy back-office controls can be subverted by an ill-defined middle office. More staff with highly specialized skills-quantitative, credit, legal, and product knowledge-are working in the middle offices. It is inevitable that there will be high-energy "can do" folks, and that is good for customer service. However, the middle office is a tool of the support function, not a lackey of the trader function. That distinction must be reviewed regularly to ensure the middle-office staff does not act as surrogate traders. They are an integral part of the SOD, and their role is to keep in check the power of the trader. They deserve a higher pay grade than those performing routine operational functions, but they must exercise extra scrutiny. Middle office must not see its role as circumventing legacy operational controls.

New Products Launched Without Full Review

Institutions often try to work around the new product review. Some institutions lack a culture that requires it, while others don't adhere to the reviews. They launch a product and announce it will achieve certain goals. The goals aren't achieved, and the systems the institution hopes to have in place before getting to the next level aren't there. For instance, a pilot project might be approved that permits the back office to manually keep the accounting and risk records while traders do no more than a set limit of trades per month. However, if the product is successful, traders start overtrading, and high volume and proper oversight become a problem on a manual system.

The New Products Committee must perform a follow- up review to make sure systems are in place to accommodate the trades.

That new-product review did not take place at Kidder Peabody when it introduced its forward-dated zero coupon strips. Kidder's accounting system couldn't account for immediate delivery zero coupon securities, and basically the wheels fell off the accounting system.

New products are an important component of a successful trading shop. The challenge is to ensure that all departments, including operations, audit, compliance, credit risk, market risk, and finance, review each new product proposal and express their concerns-even to the point of veto. Even after a product is approved, it must be funded and held to its target performance milestones. Inadequacy of funding or below-par performance must trigger suspension of the new-product authorization until it is corrected. SocGen has not yet said if and when Kerviel's business passed this process.

It can be easy for financial institutions to get seduced by large profits. Staff at all levels of the governance chain may not stop and question the commonsense improbability of the rogue trader's spectacular profits. Baring Brothers, for instance, knew it wanted to get into equities trading in the Far East. Barings had one trader in that region producing incredible profits supposedly out of the low-risk arbitrage of two exchanges in Asia. In fact someone doing some due diligence would have discovered that the huge profits didn't make sense in the declared business model. It's important for managers to question where those profits are coming from and how they are being generated from the lines of business.

Again, a breakeven performance when the whole marketis declining may be a red flag. In Daiwa, for instance, the rogue trader didn't show any losses, although traders everywhere else seemed to have losses for some quarters or even years. That was extraordinary. It was the smoke signal his managers should have seen. When the bottom line is positive, it's hard to ask where the money comes from. Often the trader will claim some secret model that no one can understand as his reason for making money, so his managers stop questioning his tactics. When the auditor timidly raises a red flag or a customer raises a question, as was the case in Société Générale, a trader will hide behind his profits.

Poor Training of Oversight Staff

There's a frantic pace on the trading floor, and new tasks are introduced constantly. Managers must juggle their staff turnover and ensure new staff members receive sufficient training. The key is to staff for excellence. No control protects you better than alert control staff brave enough to raise their hands when in doubt. Recruit, train, motivate, and reward with that goal in mind, and do all that you can to limit turnover. Training should be broad, encompassing the full life cycle of a particular product. It should not be just a quick review with a trader or other back-office personnel for a few hours.

Self-assessment risk reviews are a tremendous tool for staff training. In a self-assessment, you ask all the back-to-basics, dumb questions: Where does the profit come from for that product? There must be a plain English explanation of the business model and the associated risks. It must be communicated to all support and oversight areas. It must be widely understood and accepted. If we know where a profit comes from and we've analyzed it well, then it's easy to see all the risk points.

Self-assessment forces everybody in the support and risk oversight departments to see all the mechanical steps that go into making the profit on a product and to understand the risks that arise from that transaction. Define each risk point and devise an effective control for it. Then use a checklist to determine who is checking this risk and how often and whether they've been properly trained to check it. This knowledge base motivates support staff and encourages the brave to ask the awkward questions.

Aggressive or Aberrant Behavior

The hostile, bullying, harassing, uncommunicative, cliquey, or dishonest trader is often at the center of a fraud. The rogue trader will try to override legitimate controls. Such behavior must be disciplined immediately, and the offender should be dismissed if coaching fails. In addition, further discreet audit reviews of their function should be initiated immediately.

Approaching, coaching, or disciplining a high-performing bully trader may be impossible, even for a senior operations manager. Often, the rogue trader is a bully who overpowers the auditor or oversight officers. By sheer force of temperament, the bully trader can browbeat people into believing his actions are legitimate. The key is not to become embattled. Calmly document and elevate to a level above you so that the bank is well aware of the risks you see.

Neither SocGen's Kerviel nor the trader at Daiwa were bullies, but their work pattern was suspicious. The behavior of both traders should have given cause for special, albeit discreet, audit reviews. The "overworked /too busy to take a vacation" accusation is a tough call in practice. Some trading jobs are hugely time consuming. Options traders are notorious for arduous rebalancing of their books and prolonged back-testing of scenarios. However, only men and women, not accounting records, perpetrate frauds.

Management's role is to keep the rogue trader in check. Top management must set the tone that auditing, compliance, and oversight functions are essential parts of the institution's corporate governance. Even if a trader is making money, he may not be the trader the bank wants. It may be that the trader is making money because he has bullied everybody and they are covering up something. Management must confront the trader when smoke signals appear.

Absence of Transparency/Culture of Opaqueness

Transparency is an environment, not a procedure. Whenever you find opaqueness in an organization, you will find problems. We all dislike revealing our missteps and uncertainties, but secretive management eventually suffocates upward communication channels. Once a product is on the books, there must be full transparency. Risk records and ledgers must be subject to the full rigors of SOD and external confirmation not be kept by one person or front-office staff. Records and performance pertaining to that product should be open to all oversight functions. Mistakes, errors, and most important the "awkward questions" must be investigated and documented and remedial actions taken.

Not only the trader but also the whole organization may foster a culture of secrecy. For example, Credit Suisse, when it was caught in its Chiasso branch losses, didn't disclose its losses. After all, confidentiality is the hallmark of Swiss bank accounts. So when the Chiasso branch manager created a completely fictitious portfolio of investments and set of accompanying books, branch management just told auditors they could not inspect the books. That answer was accepted within the culture. Even when the losses emerged, there was a delay in candor with the regulators. In Daiwa's case, the U.S. Federal Reserve was incensed by the failure of openness. SocGen raises the question again.

If the directors or the senior officers set a secretive tone, that culture filters down and chokes off the channels of communication. It's like blocking a chimney stack, making it impossible for the smoke signals of fraud to be seen.

Bonus Pressures

Usually rogue credit officers and operations officers steal money, whereas traders defraud by inflating their bonus pool. Inordinate bonus payouts should trigger a discreet audit review. The process should review all the asset accounts associated with trading and ensure they have been externally verified, especially for unsettled trades.

It's not easy to ensure that bonuses are fair. Senior management must ask several questions: What profit did the trader make? What percentage will be paid out? What were the origins of the profits? Is it reasonable that Mr. A. or Ms. B. gets paid this bonus after having generated that income? Senior management must understand where that income is coming from before they set any bonus percentage.

Culture of Greed or Arrogance

Our industry holds performance as the highest, if not the only, criterion for success. Moderation in appetite and grace in winning are appreciated, but neither scores any points. Hence, greed and arrogance sometimes spin out of control.

Surely, however, Kerviel seems the opposite of this model. Another form of arrogance was at play. SocGen justifiably prided itself on the outstanding qualifications of its recruits and a heavy emphasis on the power of its mathematical risk control management. It may have been blind to the value of the more mundane control checks that were probably there for the taking.

Conclusion

The industry doesn't have a manual on war stories. Like bridge engineers, we have to look for the failures in past designs before we sign off on each new bridge. Conventional wisdom proclaims that thinking positively earns bigger bonuses than revisiting past failures, but we ignore war stories at our peril. We can't presume that no one will make the obvious billion-dollar mistake.

Segregation of duties and tight internal controls are key. We must ask:

? What are we making money from?

? What are our risks and operational procedures?

? Who's managing those procedures?

Every person in the department must be involved in that self-assessment because every risk should have someone responsible for monitoring it.

Nothing is new in the back-to-basics approach, but sometimes people lack the personal courage, trading experience, or seniority to enforce the basics. Or they may not be properly recognized and credited for raising questions. Don't shoot the messengers who bring bad news. When someone raises a question, it should not be brushed aside because the department is making a fortune. Encourage those who question why a trade happened. Somebody has to raise the question, and everyone should be prepared to say, "We made a mistake."
[Sidebar]
Risk Mitigation Strategies for Trading Operations
This one-day RMA course covers basic operational controls
By Carol McGinn
DESPITE THE GROWING complexity of capital markets, the well-understood, commonsense, and back-to-basics controls are still the most effective. Good control strategies, though uncomplicated, require you to be alert and diligent in your independent monitoring of your institution?s trading operations.
RMA?s one-day course covers basic operational controls and provides practical takeaways that you can immediately apply at your institution. The course also uses a series of case studies and examines the control failures in each so that you can apply lessons learned from these major operations failures.
Course instructor Val Mulcahy says case studies are an excellent teaching tool and ?provide key evidence of the similarities of weaknesses in the trail of war stories.? Two cases from the course illustrate this point vividly.
The first is the case of Nick Leeson, a 28-year-old trader working in the Singapore office of the British Barings Investment Bank in 1995. He lost money in a technical derivatives equity arbitrage business between Far East exchanges. To hide the losses, he began to enter fake and unauthorized trades over a two-year period. In the end, the scandal collapsed the centuries-old bank.
The RMA course covers the lessons learned from this case, including:
* The vital role of segregation of duties.
* The critical need for a culture of control awareness.
* The importance of new-product planning and ongoing control.
* The need for the head office to react to the ?oddball? smoke signals arising out of excessive cash movements to settle margin calls.
Allied Irish Bank?s debacle in 2000 is ?a spectacular litany of all that can go wrong,? says Mulcahy. The bank?s Baltimore office was too small to support the complex trading it permitted. Control staff were underqualified and undertrained, and traders and department heads were too arrogant and extravagant to oversee department staff. A laundry list of violations against just about every core control feature provides several lessons learned:
* Scrutiny is hard work. It means understanding the business, looking at events, asking questions, instituting action plans, and following up for results.
* Trade support and oversight department staff must have industry experience, and their training is paramount.
* Audit staff must be up to the challenge of the business.
* Daily profit and loss must be produced by finance/ operations independently of the traders.
* Reported data must be internally consistent.
* Trade confirmation must be independent and universally applied to all trades, even brokered trades.
* Aged confirmations must be reported to management for action.
"It's crucial to learn how to identify appropriate actions for avoiding control failures," says Mulcahy, "and to develop plans to mitigate persistent operational losses. This course addresses those issues from every perspective, whether you're middle-market trading staff, compliance personnel, or capital markets."
With his background, Mulcahy is uniquely qualified to speak to each of these perspectives. He has more than 25 years' experience in challenging chief financial officer and chief operating officer roles in both the United States and Europe. He has held senior financial and risk management positions at several institutions, including Bank of America, BankBoston, Chase Manhattan, and Chemical Bank, as well as international banks, U.S. securities dealers, a life insurance company, and a major CPA firm.

Mulcahy has in-depth operational expertise in all major domestic and international capital markets products, including U.S. equity and fixed-income securities underwriting and trading, swaps, options, derivatives, foreign exchange, and asset-backed securitizations.
Risk Mitigation Strategies for Trading Operations will be held June 17, 2008, in New York. For more information or to register, contact RMA Customer Care at 800-677-7621.