Wednesday, January 30, 2008

Societe Generale .. messed up information security controls

They say that they have SIX levels of controls.... So were the controls working? Or were they drunk (or disabled to allow easy access) for over a year?

And what were the auditors doing!
And what about the managers to whom M. Kerviel reported?

Obviously the Societe Generale team has no clue about the concept of Segregation of Duties, or Identity Management, at the first level. One would expect that SoD would be in place and responsibility levels would be established. There seems to be no limit on the transaction value an individual can execute, and to top off this sad state of affairs, there is no oversight of the trader's actions.
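The three controls the post says were missing (a cap on what one person can transact, a second person who must sign off because the maker cannot be the checker, and a record someone else can review) are simple to express in code. The following is an added example written for this post; it is not Societe Generale's system, and the desk, trader names, limits and notionals are all constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


class ControlViolation(Exception):
    """Raised when a booking or an approval breaches a desk control."""


@dataclass
class Trade:
    trade_id: int
    trader: str
    notional: Decimal
    status: str = "pending"  # pending -> approved (or stays pending if the approval is rejected)


@dataclass
class TradeDesk:
    """Hypothetical trading desk enforcing a per-trade limit, a per-trader
    exposure limit, maker-checker approval, and an audit trail."""
    per_trade_limit: Decimal
    exposure_limit: Decimal
    trades: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def exposure(self, trader: str, include_pending: bool = True) -> Decimal:
        """Total notional a trader has approved (and, by default, still pending)."""
        statuses = {"approved", "pending"} if include_pending else {"approved"}
        return sum((t.notional for t in self.trades.values()
                    if t.trader == trader and t.status in statuses), Decimal(0))

    def _record(self, event: str, **details) -> None:
        # Every decision, including rejections, is logged so a reviewer can see red flags.
        self.audit_log.append({"event": event, **details})

    def book(self, trader: str, notional: Decimal) -> Trade:
        """Maker step: the trader proposes a trade. Limits apply before it is even pending."""
        if notional <= 0:
            raise ControlViolation("notional must be positive")
        if notional > self.per_trade_limit:
            self._record("reject", trader=trader, notional=str(notional), reason="per-trade limit")
            raise ControlViolation(f"{trader}: {notional} exceeds per-trade limit {self.per_trade_limit}")
        if self.exposure(trader) + notional > self.exposure_limit:
            self._record("reject", trader=trader, notional=str(notional), reason="exposure limit")
            raise ControlViolation(f"{trader}: exposure limit {self.exposure_limit} would be breached")
        trade = Trade(trade_id=len(self.trades) + 1, trader=trader, notional=notional)
        self.trades[trade.trade_id] = trade
        self._record("book", trade_id=trade.trade_id, trader=trader, notional=str(notional))
        return trade

    def approve(self, approver: str, trade_id: int) -> Trade:
        """Checker step: a different person must approve. Self-approval is the SoD breach."""
        trade = self.trades[trade_id]
        if trade.status != "pending":
            raise ControlViolation(f"trade {trade_id} is already {trade.status}")
        if approver == trade.trader:
            self._record("reject", trade_id=trade_id, approver=approver, reason="self-approval")
            raise ControlViolation(f"{approver} cannot approve their own trade {trade_id}")
        trade.status = "approved"
        self._record("approve", trade_id=trade_id, approver=approver)
        return trade

    def pending_for_review(self) -> list:
        """What the supervisor should be looking at every day."""
        return [t for t in self.trades.values() if t.status == "pending"]


if __name__ == "__main__":
    # Constructed walk-through: alice books, tries to approve her own trade, bob approves.
    desk = TradeDesk(per_trade_limit=Decimal("10000000"), exposure_limit=Decimal("12000000"))
    t = desk.book("alice", Decimal("5000000"))
    for approver in ("alice", "bob"):
        try:
            desk.approve(approver, t.trade_id)
            print(f"{approver} approved trade {t.trade_id}")
        except ControlViolation as exc:
            print("rejected:", exc)
    for entry in desk.audit_log:
        print(entry)
```

The exposure check counts pending trades as well as approved ones, so a trader cannot split a large position into many small bookings and stay under the limit while approvals are outstanding; the audit log keeps the rejections, which are exactly the red flags a supervisor would want to review.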

The spirit of Governance is sorely lacking: in terms of communication, in terms of transparency (since this is a public institution), in terms of (seemingly) witch hunting, and in terms of absolving the Chairman of any responsibility in the affair. The basic tenet of good governance is that the bosses are responsible for EVERY MESS as much as they are responsible for every win, and that they have to know what is going on in the organization, especially when the risk is so high.

Incident Management sucks - their Communication plan is all messed up. Every statement has been a knee-jerk reaction. Statements do not seem to be backed by any investigation and just make allegations. Then there are mis-statements, like the correction of the original amount of $7.1 bn being split into $5.1 bn from the trade and $2 bn from the sub-prime exposure.

Their reputation is already in the pits, and with these gaffes they are just making themselves look sillier and sillier. If bank chairmen are like this, I think I can do a better job.

Risk Management ... does it exist outside their policy book? They claim to have the most sophisticated risk management system, but does it exist in practice? That is the catch, and this is how it is everywhere. Policies are made along with loud noises, but then what? Does the policy move into practice, and is the practice sustained? That is the billion dollar question. Everyone wants to know how this works at SG, and it is anyone's guess whether these guys are going to share their sob story.

The jury is out on this ......... a trader is exposed for about $50+ bn, which is enough to wipe out the bank. And NO ONE IN THE BANK KNOWS! So does he not report to anyone? Are there no pay-outs or pay-ins which have to be entered into the books of account, no checks to issue, no payments to acknowledge? Do we assume that he made the trade, then HE wrote up the books of account, and then HE signed any check / voucher? In other words, he (a junior trader) ran the bank department, or HE was the department.

We do know that red flags were raised about his positions, so was his work put under review, and was a limit set on his activities?

......... there is much, much more here, and it will be a great drama which will unfold over the next few days / weeks. We have the first statements from the 'rogue trader', and as he talks and as the police investigate at SG we shall see and hear a lot more.

The article on the BBC website is an interesting read: SocGen Unhedged, by Robert Peston.
