This story was updated in the May 1, 2008 issue of CIO magazine to include new reporting. Read the latest version of this story here.

It's a lethal combination of process oversights and system failures that is the stuff of CIO nightmares: An investigation into rogue trader Jerome Kerviel's fraudulent actions at Societe Generale bank uncovered an apparent break down in financial and internal IT controls subverted by an employee with IT know-how and authorized systems access.

The well-known tale of Kerviel's exploits, which led to more than $7 billion in losses for the bank, is serving as a wake-up call to businesses everywhere. "It's started the conversation around these issues," says Scott Crawford, a security expert and research director at Enterprise Management Associates. (EMA) And executives, he says, are now asking themselves, What can we do to ensure that the risk exposure of the business itself is managed effectively, in addition to what role IT should play?

Answering that question, however, isn't so easy. First, many executives don't have a good enough understanding of where their risks actually are, Crawford says, and therefore don't know where they need more robust controls.

This is compounded by that fact that some executives might not want to be made aware of their company's risks. "Once you know what your exposure is, you are no longer ignorant," Crawford says. "And if you choose not to mitigate a known risk or at least not address it, then the issue potentially becomes one of negligence." (Which is precisely why regulations like Sarbanes-Oxley require top execs to put their names on their company's financial documents.)

As a previous CIO article on the Societe Generale scandal notes, several former risk-control executives quoted in a Wall Street Journal article said that financial institutions of all types are notorious for weakening risk-management procedures when times are good and profits are flowing fast. The Journal article cites the "months of misery" endured at top U.S. banks and securities firms, which are being clobbered by the mortgage crisis, as evidence of such lax risk controls come to fruition.

In addition, even if executives are made aware of the risks, they have a tough time balancing the potential gains from a risky endeavor versus the potential losses, Crawford says. "There's always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management," he notes. "This notion of business risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole."