Technology might have stopped Kerviel
According to this risk manager, provisioning software is one piece of technology that should have stopped Kerviel. He had been able to cover his tracks by gaining access to back-office functions and eliminating all traces of his activities until after the reports on trades had been generated for review. "If he hadn't been able to make amendments to his transactions on the back end, he could never have been able to do it on the front end," the risk manager said. But he "retained some access he shouldn't have had."Risk management software is continuing to gain in sophistication-for example, vendors are using artificial intelligence technology and sophisticated algorithms to assess transactions and patterns. But many companies have yet to develop mature risk processes. "Most of the GRC software is designed for mainstream kinds of risk event analysis and are reasonably good. While they vary from platform to platform, data extracts are very reasonable. But they're written by people and run by people," said Speer. Chris Capdevila, vice president of Application Strategy at Oracle, noted that GRC involves several pillars beyond technology: organizational, cultural and processes aimed at identifying, assessing and managing risk. "You'd be shocked at how few companies do that, even just do it on a regular basis," said Capdevila. The bank risk manager also noted that regulations are much more lax outside the United States, where not only the Sarbanes-Oxley Act obliges companies to prove that they have control over their processes. But in the cases of most regulated industries, self-regulating organizations like the National Association of Securities Dealers govern its members closely. One U.S. rule that is not enforced elsewhere requires traders to take two consecutive weeks of vacation every year. This prevents them from unwinding or otherwise cloaking their positions by gaming the system. "No way that somebody who goes on vacation for two weeks could do what he was doing," he said. Capdevila noted that financial service organizations have usually been ahead of other businesses in implementing and maintaining GRC processes and systems because of the inherent risk in their business model. "A lot of companies are dealing with organizational issues," he said. The risk manager noted ruefully, "Once you're in compliance, you're the enemy." (Additional reporting by Michael Hickins.)
Other kinds of software provide audit trails of any amendments made to back-office reports, so even with his illicit access, his maneuvers should have raised a flag.