System Security versus Process Security

The financial world is abuzz with what happened at Société Générale. Many of the professionals are surprised by the size of the loss but not at all by its possibility. Why?

In the past 10 years, systems security has greatly improved: requirements on password composition and frequent password renewal have done a great deal for that. A bit deeper, a lot of things are logged, traced and recorded: phone conversations, e-mails, application use. Even deeper, applications support things like two-person checks, roles and permissions to ensure that users can do only what they are supposed to, with the appropriate approvals. I would not dare to contend that these protections and safeguards are completely foolproof, but for most of the applications I know, hacking them is beyond the reach of a master in finance.

So what gives? Here are a few examples.

If in a back-office the official procedure is to use cross checks to avoid errors (pairing, in agile terms), what really happens most of the time is that operators exchange their passwords so that one of them can do the cross check alone. Why would someone do that? Because otherwise everybody would have to be there all the time, working very long days, taking no vacations and never being sick.

In a front-office, as noted by some commenters, passwords are on yellow sticky notes inside drawers or underneath keyboards. Why would someone do that when they signed a paper saying they should not? Because in many applications, traders cannot act on each other's trades. Or the procedure to be able to do so is too complex. Or one of them started a trade and it finalizes while he is out getting a cup of coffee. His colleagues naturally cover for him and breach those security checks to accommodate team work.
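Both of the workarounds above defeat a control without ever defeating the application: the two-person check sees two distinct user IDs, and the login screen sees a valid password. What the logs the post mentions can still reveal is the shape of the bypass. The following is an added example, not code from the original post or from any bank's systems; it runs two simple checks over a constructed audit trail (the log format, field names, workstation IDs and time windows are assumptions): a trade entered and approved from the same workstation by "different" users within a few minutes, and one user ID logging in from two workstations almost simultaneously.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Fields, space separated:
# timestamp  user  workstation  action  object
# The format and the workstation IDs are assumptions for this example.
SAMPLE_LOG = """\
2008-01-21T09:00:00 alice WS-01 login -
2008-01-21T09:05:00 alice WS-01 trade_enter T100
2008-01-21T09:06:00 bob WS-01 trade_approve T100
2008-01-21T09:10:00 carol WS-02 trade_enter T101
2008-01-21T09:40:00 dave WS-03 trade_approve T101
2008-01-21T10:00:00 bob WS-05 login -
2008-01-21T10:02:00 bob WS-06 login -
"""


def parse_log(text):
    """Parse the constructed log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, obj = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "action": action, "obj": obj})
    return events


def four_eyes_same_workstation(events, window=timedelta(minutes=15)):
    """Flag trades whose entry and approval came from the same workstation
    within `window`, under different user IDs. The application's two-person
    check is satisfied, but one operator at one desk holding both passwords
    is exactly the back-office scenario described above.
    Returns (trade, entering user, approving user, workstation) tuples."""
    entries = {}
    alerts = []
    for e in events:
        if e["action"] == "trade_enter":
            entries[e["obj"]] = e
        elif e["action"] == "trade_approve":
            entry = entries.get(e["obj"])
            if (entry is not None
                    and entry["user"] != e["user"]
                    and entry["ws"] == e["ws"]
                    and e["ts"] - entry["ts"] <= window):
                alerts.append((e["obj"], entry["user"], e["user"], e["ws"]))
    return alerts


def concurrent_logins(events, window=timedelta(minutes=30)):
    """Flag a user ID that logs in from two different workstations within
    `window` of each other: one person cannot be at two desks, so the
    credential has most likely been shared (the sticky-note case).
    Returns (user, first workstation, second workstation) tuples."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= window:
                alerts.append((user, a["ws"], b["ws"]))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in four_eyes_same_workstation(events):
        print("four-eyes bypass suspected:", alert)
    for alert in concurrent_logins(events):
        print("credential sharing suspected:", alert)
```

On the constructed data, trade T100 is flagged (entered by alice and approved by bob from WS-01 one minute later) while T101 is not (different desks, half an hour apart), and bob is flagged for logging in from WS-05 and WS-06 two minutes apart. Neither check proves misuse; each produces a lead for the back-office or risk control to look at, which is the kind of visibility the post argues is missing when only the written process is trusted.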

I will not pile on with users who have permissions they should not, permissions that are not maintained in a timely way when a user changes role, the heavy use of Excel for critical things, system failures and missing checks.

To simplify, back-offices are the production line and front-offices the sales/engineering force. I have not yet spoken of the risk control part because I have little experience in this area. Believe it or not, risk control has considerably matured and is now very important in many firms. It always holds veto power over the front-office. Unfortunately, without the back-office, risk control is half blind (as the SocGen example shows). The subprime crisis, on the other hand, shows that risk models have a hard time keeping up with financial innovation.

So what is the point of this?

A lot of ink was devoted to the idea that information systems were tricked into producing unreasonable exposure. The reality is that it is the actual (as opposed to written) processes of the bank that were taken advantage of. The point is that when people cannot work under the rules and procedures, they bend them or they give up. Either way, problems of this nature will happen. Empowering workers to make appropriate changes to the way they work increases productivity and quality (such as better operations reports in this case). This is the realization at the core of Kaizen in the Toyota production system, and it is also the core of Agile methodologies.