What You Can Learn about Risk Management from Societe Generale
Weak IT access controls cost the French bank $7.2 billion. The case should prompt you to rethink how you balance IT security with employee access to critical systems.
Thu, April 17, 2008
CIO — It's a lethal combination of process oversights and system failures that is the stuff of CIO nightmares: An investigation into rogue trader Jérôme Kerviel's allegedly fraudulent actions at Société Générale bank uncovered an apparent breakdown in financial and internal IT controls subverted by an employee with IT know-how and authorized systems access.
The tale of Kerviel's exploits, which led to $7.2 billion in losses for one of France's largest banks, continues to unfold as French police probe the 31-year-old trader's transactions. On April 18, Société Générale named its former CFO, Frédéric Oudea, as CEO, replacing Daniel Bouton, who remains the bank's chairman. The company is also rumored to be a takeover target.
Meanwhile, IT experts say, the case should serve as a warning that businesses can do better to manage IT-related risk.
"Much time is spent on protecting the external threat," says J.R. Reagan, managing director and global solution leader for risk, compliance and security at BearingPoint. "But the internal threat can be even larger in terms of risk to the company." In the case of Société Générale, not only were IT security controls insufficient, but the bank's staff did not fully investigate red flags that arose. Recent research by the Ponemon Institute concludes that "insider threats represent one of the most significant information security risks." In a survey of 700 IT practitioners published by the group in February, 78 percent said they believe individuals have too much access to information that isn't pertinent to their jobs, while 59 percent said such access presents business risks. What's more, IT professionals see a disconnect with business leaders: 74 percent said senior management does not view governance of access to information as a strategic issue.
Many business executives don't know what their risks are and, even if they do, they may have a tough time balancing potential losses against potential gains, says Scott Crawford, a security expert and research director at Enterprise Management Associates. "There's always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management," he notes. "This notion of business risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole."
The Société Générale case offers lessons for IT leaders in how to manage access-related risks.
Exploiting a Risky Business
One of Société Générale's primary business lines is derivatives—financial instruments that allow traders to make contracts on a wide range of assets (such as equities, bonds or commodities) and attempts to reduce (or hedge) the financial risk for one party in the deal. Trading derivatives, however, necessitates some aggressiveness and can be fraught with risk. (Think of the infamous story of Nick Leeson, a former derivatives trader whose unauthorized speculative trading led to the collapse of the United Kingdom's Barings Bank in 1995.)