The U.S. sub-prime mortgage crisis and the global economic problems that followed may or may not be responsible for creating conditions that led to the recent scandal at Société Générale, France’s third largest bank.
Regardless, the mortgage crisis and the trading scandal at Société Générale do have some similarities. In each, risk management and compliance issues seem to have been the culprit, and the question in each scenario is whether software or human error is to blame.
The trading scheme cooked up by rogue trader Jérôme Kerviel caused Société Générale to lose more than $7 billion in investor funds, the largest investor loss in France’s history. Rivals are circling the quarry as a potential acquisition target; Société Générale’s chairman, Daniel Bouton, is on the verge of being ousted, and the French police have stormed the bank’s headquarters.
Could GRC (governance, risk and compliance) software have helped thwart these debacles?
Two fierce competitors in the enterprise applications space, Oracle and SAP, have spent millions to acquire companies (including I-flex, Interlace Systems, LogicalApps and Business Objects) with GRC and risk mitigation technology, particularly for the financial services vertical.
According to financial service consultants and GRC vendors, while risk management systems are increasingly sophisticated, the systems are only as good as the people who run them.
Moreover, many financial institutions simply don’t have the organizational will to take GRC seriously.
“It’s a practical matter. The risk management process is one of lowering risk, not eliminating it,” said Richard Speer, CEO of Speer & Associates, a strategic planning and risk mitigation consulting company for the banking industry.
One risk manager with extensive experience at several large international banks offered a much blunter assessment. “It costs a lot of money to really implement these systems, and a lot of these firms are unable or unwilling to implement this level of control. And it’s not just systems, but teams of people running these systems and managers spending time doing the reviews,” the manager said. The manager spoke to eWEEK on condition of anonymity because he is not authorized to discuss these matters with the press.
Technology might have stopped Kerviel
According to this risk manager, provisioning software, which grants and revokes a user’s system access as his role changes, is one piece of technology that should have stopped Kerviel. He had been able to cover his tracks by gaining access to back-office functions and eliminating all traces of his activities until after the reports on trades had been generated for review.
“If he hadn’t been able to make amendments to his transactions on the back end, he could never have been able to do it on the front end,” the risk manager said. But he “retained some access he shouldn’t have had.”
Other kinds of software provide audit trails of any amendments made to back-office reports, so even with his illicit access, his maneuvers should have raised a flag.
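The two controls described above, an access review that catches retained back-office entitlements and an audit-trail review of trade amendments, as an added illustration that is not part of the original article; the role model, user records, amendment events and report cutoff are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role model; a real bank's entitlement catalogue is far larger.
ROLE_ENTITLEMENTS = {
    "trader": {"book_trade", "view_positions"},
    "back_office": {"amend_trade", "cancel_trade", "generate_report"},
}
# Toxic combinations: the front-office and back-office halves of a trade's
# lifecycle must never sit with one person (segregation of duties).
SOD_CONFLICTS = [("book_trade", "amend_trade"), ("book_trade", "cancel_trade")]

@dataclass
class User:
    uid: str
    role: str
    retained: set = field(default_factory=set)  # access kept from an earlier role

@dataclass
class AmendEvent:
    ts: datetime
    actor: str
    trade_id: str
    booked_by: str

def effective_entitlements(user):
    """Role entitlements plus anything provisioning failed to revoke."""
    return ROLE_ENTITLEMENTS[user.role] | user.retained

def sod_violations(users):
    """Access review: (uid, a, b) for each user whose access holds a toxic pair."""
    found = []
    for u in users:
        ents = effective_entitlements(u)
        found += [(u.uid, a, b) for a, b in SOD_CONFLICTS if a in ents and b in ents]
    return found

def suspicious_amendments(events, report_time, window=timedelta(hours=1)):
    """Audit-trail review: flag amendments made by the trader who booked the
    trade, and amendments made shortly before the daily report was generated."""
    flags = []
    for e in events:
        reasons = []
        if e.actor == e.booked_by:
            reasons.append("self-amendment")
        if report_time - window <= e.ts < report_time:
            reasons.append("pre-report-window")
        if reasons:
            flags.append((e.trade_id, e.actor, reasons))
    return flags
```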
Risk management software is continuing to gain in sophistication; for example, vendors are using artificial intelligence technology and sophisticated algorithms to assess transactions and patterns. But many companies have yet to develop mature risk processes.
“Most of the GRC software is designed for mainstream kinds of risk event analysis and is reasonably good. While they vary from platform to platform, data extracts are very reasonable. But they’re written by people and run by people,” said Speer.
Chris Capdevila, vice president of Application Strategy at Oracle, noted that GRC involves several pillars beyond technology: organizational, cultural and processes aimed at identifying, assessing and managing risk. “You’d be shocked at how few companies do that, even just do it on a regular basis,” said Capdevila.
The bank risk manager also noted that regulations are much more lax outside the United States, where not only does the Sarbanes-Oxley Act oblige companies to prove that they have control over their processes, but in most regulated industries self-regulating organizations such as the National Association of Securities Dealers also govern their members closely.
One U.S. rule that is not enforced elsewhere requires traders to take two consecutive weeks of vacation every year. This prevents them from unwinding or otherwise cloaking their positions by gaming the system. “No way that somebody who goes on vacation for two weeks could do what he was doing,” he said.
Capdevila noted that financial service organizations have usually been ahead of other businesses in implementing and maintaining GRC processes and systems because of the inherent risk in their business model.
“A lot of companies are dealing with organizational issues,” he said.
The risk manager noted ruefully, “Once you’re in compliance, you’re the enemy.”
(Additional reporting by Michael Hickins.)