The financial services industry has been rocked by the crunch of faltering credit markets, massive layoffs and incidents where risk-management controls failed and traders lost billions for their companies. Not to mention the ominous threats from macroeconomic trends—a looming recession, depressed corporate earnings, all-time-high oil prices and a slumping real estate market.

Such was the daunting backdrop as Tom Sanzone quietly left his CIO role at Credit Suisse in late February and moved just down the street to competitor Merrill Lynch. When he starts in the second half of 2008, Sanzone's new title will be EVP and chief administrative officer, and he will report to Chairman and CEO John Thain. The title has been used before at Merrill Lynch, but never quite like this, says spokeswoman Selena Morris.

The 47-year-old Sanzone will be responsible for global client services and operations; technology applications development and infrastructure; business process and sourcing strategies; information security; and global real estate, purchasing and services. "This is the top technology role at Merrill Lynch," Morris says.

Both Merrill Lynch and Credit Suisse have had their share of internal and external economic angst during the past several months. Merrill Lynch posted an unprecedented fourth-quarter loss of $9.8 billion that led to a loss of $7.8 billion for the fiscal year. (In contrast, Merrill posted $7.5 billion in profits in 2006.)

Credit Suisse fared better than Merrill did last fiscal year, but an unexpected write-down of $2.8 billion that the company reported on Feb. 19 left CEO Brady Dougan to explain what had happened.
Dougan stated that an internal review had identified "mismarkings and pricing errors by a small number of traders in certain positions" in Credit Suisse's structured credit trading business.

Fresh on everyone's minds was the French bank Societe Generale's disclosure on Jan. 24 that one of its traders, Jerome Kerviel, had manipulated and evaded the bank's IT controls and had lost more than $7 billion in unauthorized bets. That mug-shot-like photo of Kerviel became the symbol of banks that were under economic siege and lacking robust risk-management controls. (For more on the French bank's nightmare, see "Lessons from Societe Generale's Financial Fiasco.")

There was no such "face" at Credit Suisse, though the Financial Times reported that Kareem Serageldin, Credit Suisse's recently appointed global head of collateralized debt obligations, was among those employees suspended after the internal review.

"Even with today's announcement we feel we have actually managed our risk fairly well," CEO Dougan said on the Feb. 19 conference call. "We will always continue to focus on improving our risk-management practices and procedures...and that's what we need to do, clearly."

Sanzone's Final Days at Credit Suisse

On Feb. 29, Credit Suisse announced in a brief press release that Karl Landert, the former head of IT private banking, had been appointed the new chief information officer. Sanzone, according to the release, had "decided to pursue an opportunity outside the bank."

And that was that. No mention was made of Sanzone's three-year tenure or his 10,000-strong IT team's contributions to the bank, such as the massive "One Bank" integration project, leading-edge virtualization work or the bank's Advanced Execution Services automated trading system (for which the company won a CIO 100 award in 2007).

In interviews with CIO and his other appearances in the media, Sanzone has always been even-keeled and humble.
In accepting the 2007 "CIO of the Year" award from the Executive Council of New York, he said, "These awards are never won alone, and I have the good fortune of working with very talented people at Credit Suisse."

"He is one of the more high-profile, longer-standing CIOs on Wall Street," says Marc Lewis, CEO of executive recruiter Leadership Capital Group (LCG). That was evidenced in Sanzone's seat on Credit Suisse's executive board, which is uncommon in financial services. "For Tom to be on the board was a compliment to him and somewhat of a rarity," Lewis says.

With all that was happening in Credit Suisse's boardroom, Sanzone's last week or so at Credit Suisse couldn't have been good.

The $2.8 billion write-down was expected to take $1 billion out of the company's first-quarter profits. Financial analysts had wanted assurances from CEO Dougan during the conference call that this was an isolated incident, that there were appropriate risk-management controls in place and that there would be no more surprises.

"The big question mark is about the bank's control systems," said Allianz Global Investors' Stefan Raetzer, in a Bloomberg article on the day the news broke. "The write-down isn't as much of a problem here as the loss of confidence."

At this point, just what IT's role was, if it had any at all, in the write-down and trading errors at Credit Suisse is unknown. (A call to Credit Suisse media relations wasn't returned. Merrill Lynch did not make Sanzone available for comment.)

Merrill Lynch's new CEO obviously liked what he saw in Sanzone. In announcing Sanzone's hire, Thain praised his "years of industry experience in technology, operations and services" and said that Sanzone could help Merrill Lynch "to align these critical functions with our business strategies globally."

Risk Management on The Street

Sanzone is going to need every ounce of his managerial skills and tech wisdom to deal with Merrill Lynch's current challenges. "There is still a lot of uncertainty ahead for Merrill," said Brad Hintz, a securities analyst at Sanford C. Bernstein & Co., in a New York Times article.

Thain, who became Merrill Lynch's CEO in December 2007, has called the most recent results "unacceptable." As reported in the Times article, one of the main areas that Thain has targeted is the company's reporting structure, which he said should be flattened to "reduce the siloing that has taken place at Merrill Lynch over the last few years."

Silo busting is one area where Sanzone has experience. The "One Bank" multiyear integration program at Credit Suisse brought its three core businesses—private banking, investment banking and asset management—into one organization. "Those three businesses had been run independently, with very little interaction among them," Sanzone told McKinsey on IT. "As a result, their respective technology groups also had little interaction."

In addition, as at other financial services companies, Sanzone will most likely have to engage in critical conversations with risk-management executives to determine just where IT controls can help.

The inaugural "Managing Information Technology Risk" survey by Ernst & Young found that global financial services companies have not effectively aligned IT risk management (ITRM) with their organization's overall risk-management strategy. Nearly 60 percent of the 150 risk-management and senior IT execs who responded said that their ITRM programs were not aligned or were just partially aligned with their organization's risk-management strategies and framework.

Incidents like the Societe Generale and Credit Suisse cases, where apparent breakdowns in IT and risk-management controls caused billions in losses, highlight the need for a better union between business risk managers and IT risk managers. Scott Crawford, a security expert and research director at Enterprise Management Associates (EMA), says that up until very recently there's been "limited interaction" between the two groups.

"The perception is that one doesn't really get the other," Crawford says. "The business risk managers feel that IT is speaking a different language, and IT feels business managers don't really understand the amount of IT-related exposure." In the Ernst & Young survey, nearly 40 percent of respondents said there was no common risk language that was broadly accepted and understood throughout their organizations, or they were uncertain whether one even existed.

In the Times article, Merrill Lynch CEO Thain "expressed a certain level of dismay" at the risks the company had taken to incur such hefty losses of late. "They shouldn't be taking risks that wipe out the earnings of the entire firm," he said in the article, referring to the trading desk.

Crawford notes that there's "always this delicate balancing act between taking advantage of new opportunities and doing an effective job of risk management." And just where IT fits into that equation is what businesses have to reassess right now.

Sanzone won't start his new job until the second half of 2008, so he'll have plenty of time to think about this issue. According to LCG's Lewis, the challenges that lie ahead and the expectations on his arrival will be monumental.

"Merrill Lynch is a huge company with geographically based businesses and a political complexity that is at the highest levels of what you see in industry," says Lewis. "It will take an all-star CIO, like a Tom Sanzone, to be able to get his arms around the challenges. It's like wrestling with an octopus."