Societe Generale scandal presents lessons in operational risk management

Diamond Management & Technology Consultants Report Stresses Firmwide Foundation of Internal Controls to Guard Against Fraud Risk

CHICAGO, Feb. 22, 2008 -- Lightning can, in fact, strike twice and banks that want to avoid being rocked by a Societe Generale-scale fraud incident need to move beyond stop-gap measures and build a culture of operational risk management.

A new report from Diamond Management & Technology Consultants, Inc. (Nasdaq: DTPI) examines facts that have emerged from the Societe Generale situation, and the probable causes of fraud point to deficiencies in operational risk management. While details are still surfacing, Societe Generale, or SocGen, appears to have lacked three essential ingredients in establishing a resilient operational risk environment: automated processes, an internal controls culture, and strong IT access controls.

Without these three elements in place, not even a 2,000-person risk division could stop a rogue trader, who is allegedly responsible for the loss of 4.9 billion euros at SocGen, the second-largest French bank.

"Initially, many institutions reacted to the SocGen incident by focusing on remediating the direct components of the fraud," said Linda Najim, a partner in Diamond's Financial Services practice. "Of course this is necessary, but if institutions hope to expose tomorrow's rogue traders, they will need to address the three underlying areas where it looks as if SocGen came up short.

"Optimistically, we hope the long-term legacy of the SocGen incident will be a more secure global banking system. But before that day comes, financial institutions need to respond to the SocGen situation by taking a more comprehensive approach toward managing operational risk -- beginning with a focus on building an internal controls culture that permeates the organization from top to bottom and across businesses."

Diamond's report, "Notes on a Scandal: Lessons in Operational Risk Management from Societe Generale," emphasizes that the elements SocGen seemingly lacked -- automated processes, an internal controls culture, and strong IT access controls -- are the primary components to an improved operational risk environment. Banks that grasp the business and technology details of these components will lead the pack in managing fraud risks.

To obtain a complete copy of the report, send an email to

Automated Processes

Leading banks with stronger controls have implemented technologies such as warning indicators on trading stations to notify the trader about gross and net limits before they are reached.

"We believe, however, that technology alone is insufficient; banks must also institute strong risk governance processes to prevent breaches," said Najim. For example, when faced with a trade limit violation, a risk officer could then provide additional control by reviewing the request in the context of governing guidelines, principles, and exposures to determine the correct course of action for the firm -- approval or denial.

The SocGen rogue trader allegedly used his knowledge of the bank's back-office systems to exploit the ability to cancel transactions before their settlement dates. In the absence of strong risk governance processes, a trader could fend off an institution's risk managers.

Controls Culture

Banks need a culture where internal controls are periodically reviewed and adjusted in response to evolving risks.

"In order to instill a proactive internal controls culture, financial institutions should act prudently but aggressively by reminding their supervisors of their responsibilities to uphold policies and compliance rules," said Najim. "Implementing systems that track supervisors' compliance with required tasks presents one possible solution in this area."

Strong IT Access Controls

Leading banks are also reviewing unnecessary access privileges of employees who transferred from the middle office.

"Unfortunately, in the absence of sophisticated access management solutions, banks have had to resort to manual reviews of unnecessary access privileges," said Najim. "Institutions that develop automated access and entitlement control systems will achieve greater security and efficiency."

Once access to IT systems is under control, the next challenge for institutions is to automate management of employee lifecycle events, such as transfers, ensuring that users only retain access to systems that are required for their new job functions.

Investing in a Legacy

In the report, Diamond recommends a broad, formal risk assessment. This evaluation will provide executive leadership with a precise understanding of the existing controls across the institution as well as opportunities to resolve potential fraud risks across the entire transaction value chain.

"A corporate culture that rewards vigilance against fraud should be rolled out -- and constantly reinforced," Najim said. "Overall, institutions that invest in a firmwide controls culture will have an opportunity to create and maintain their own legacy -- one of reliable management controls, trusted business relationships, and sustained profitability."

About Diamond

Diamond (Nasdaq: DTPI) is a management and technology consulting firm. Recognizing that information and technology shape market dynamics, Diamond's small teams of experts work across functional and organizational boundaries to develop new strategies, improve operations, and deliver results. Since the greatest value in a strategy, and its highest risk, resides in its implementation, Diamond also provides proven execution capabilities. We deliver three critical elements to every project: fact-based objectivity, spirited collaboration, and sustainable results. To learn more visit

DSS Home |  About Us |  Contact Us |  Site Index |  Subscribe | What's New
Please Tell 
Your Friends about DSSResources.COM Copyright © 1995-2021 by D. J. Power (see his home page). DSSResources.COMsm was maintained by Daniel J. Power. See disclaimer and privacy statement.