Jérôme Kerviel, a 31 year-old banker at Soc Gen is blamed for losses of €4.9 billion incurred through rogue trades spanning over a period of some months.
The story has a remarkable similarity to Nick Leeson, the Original Rogue Trader who is blamed for the demise of Barings Bank in 1995. Unfortunately for Soc Gen, it seems the comparison extends as well to the general failure of controls and systemic failure of risk management processes. In Nick Leeson’s book (a very worthwhile read) he outlines the astonishing story of how easy it was to do the unthinkable and crater an unfillable hole in Barings’ balance sheet from a trading operation in Singapore without troubling internal controls and external auditors.
Jérôme was trading vanilla equity derivatives – the sort of things that haven’t been complicated for a long while now. Very similar (again) to the instruments used by Nick Leeson. Jérôme’s positions were supposed to be externally hedged. Soc Gen should not have been exposed to overall delta risk of the markets moving either way. The fact that this was possible, went on for several months, and managed to grow to a hole this size leads some to simply disbelieve the story. One regularly repeated story is that Soc Gen may have incurred higher than tolerable losses (Sub Prime is often the assumed cause here) and needed a scapegoat (answering to the name of Jérôme) to divert blame from senior management.
I have no information as to whether this is true or not and do not want to express an opinion on such a flammable topic!
Stand Up, Internal Audit & Risk Management
Internal Audit and Risk Management areas are often the poor second cousins of the fiancial services world. They have little of the glamour and large bonuses of traders and investment bankers. The “people who make the money” alternate between complaining about the restrictions placed upon them by risk management, and generally feeling superior in every way to the internal auditors.
However, there are many more stories (on all different scales) of internal audit and risk management functions not being strong enough, or following process too rigorously at the expense of truly searching for risks. In fairness to process, I can think of plenty of examples I’ve seen myself where the problems arose from not following process. Businesses need to find a way to ensure adequate protections and controls are in place, without stifling the busines goals of the company. This post is not a comprehensive treatment of what could have fixed the Soc Gen problems, and I’m fully aware of how much easier it is to find the solutions to past problems. Having said that, three general rules for risk management and internal audit that seem not to have been applied here:
- It seems that Jérôme’s verbal skills may have sidetracked earlier attempts to catch his unauthorised trades. Some hard-and-fast rules are required. No negotiation. You hit this limit, perform this action, make this error and the wheels turn. NASA’s shuttle tragedies have been partially blamed on management’s gung-ho attitude of ignoring engineering warnings. These rules must be made before specific circumstances arise. No exceptions. No special cases.
- Follow the cash. Jérôme had seemingly faked hedging positions. As he was needing to place variation margin (cash) up for his losses, there should have been hard cash coming on from the offsetting contract. Barings was flushing cash at Nick Leeson’s Singapore operation when half a thought would have raised alarm bells.
- Reluctance to take leave. Jérôme apparently hadn’t taken leave in 8 months and didn’t let other traders cover his positions. I know a story about a claims processor at an insurance company who hadn’t taken a day of leave in several years. Until he was so sick he was admitted to hospital. That was the day his colleagues figured out he had been paying fraudlent claims to himself for years. There are thousands examples like this. All internal auditors should have read case studies such as these.
The real story here extends far beyond Soc Gen’s borders, beyond Frances and beyond the investment banking world. Companies of every size are exposed to a range of risks, some identified and measured, others Black Swans waiting to make a first entrance.
Operational Risk, defined by the Basel committee as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”. These losses are an excellent (although extreme) example of op risk. Operational risk is more difficult to measure than many other types of risk. The actual events that give rise to the biggest risks are often unique. Past experience at Soc Gen would not have indicated that a risk of this type and magnitude were possible.
Before the Barings disaster, few would have imagined that such an event were possible. It would have been excluded from “reasonable” risk management discussions and measurements as too unlikely. After 1995, when many banks realised that there previous understanding of how badly things could go was wrong, better risk management systems and controls were implemented. From the responses of many in the industry, it appears as if everyone was again under the impression that this magnitude of risk couldn’t happen. Now, in a little over ten years, we’ve had two events of similar style and broadly comparable scale.
The real question isn’t when will something like this happen again. The question is what will be the next completely unexpected op risk event be?