Frank Hayes

Frankly Blogging

Frankly Speaking: Management sabotaged IT at Societe Generale

Frankly Speaking for Monday, Feb. 11, 2008

The mess at Société Générale is still unraveling. The big French bank took a $7 billion loss last month because of a rogue trader, and government investigators are continuing to spot new problems in the bank's story that it was all the fault of one greedy computer-genius financial trader gone wrong.

Think this has nothing to do with corporate IT? Think again.

Sure, there's an obvious IT security angle, at least according to the bank's version. Trader Jerome Kerviel "misappropriated the IT access codes belonging to operators in order to cancel certain operations," says the bank's official explanation of what happened. That means Kerviel stole some passwords.

But dig deeper, and you'll find something more disturbing. Kerviel started at Société Générale in 2000 and then spent five years doing back-office work. So he knew the bank's procedures and controls for traders inside and out -- including everything about the daily trading reports that had to be reconciled.

In 2005, Kerviel became an arbitrage trader himself. His job was to buy a portfolio of futures options and at the same time sell a similar portfolio worth a little more. With a small profit on every trade, the job involved making a huge number of trades.

Kerviel really did make the buys. But he faked some of the sales -- to the tune of $73 billion, which is more than the bank was worth. Kerviel was betting he'd get a higher price later. He was wrong. He was caught just as the market started to fall. Selling those futures at a loss is what cost Société Générale $7 billion.

How did Kerviel get $73 billion in the hole? He's no computer genius. But he knew how the controls worked. And he knew they were designed to prevent traders from stealing from the bank, not to stop cheating that might score bigger profits.

So he knew which transactions would be checked closely, and how they'd be checked. He knew how to fake transactions and how to make those transactions look innocuous.

And, Kerviel told government investigators, he knew that other traders were routinely cheating in similar ways and that management ignored it as long as the results were profitable in the end.

No such cheating by other Société Générale traders has been reported. But it turns out that Kerviel had been red-flagged for suspicious trading before. He talked his way out of trouble, convincing managers that there was nothing wrong.

Disturbed yet? You should be.

In IT, we think of implementing controls as our job, whether they're for financial traders or Sarbanes-Oxley or HIPAA or anything else. We spec out the software, we secure the systems, we manage the operations. And we tear our hair out when someone steals a password or exploits a security hole. We take it seriously. We take it personally.

And the people we're working for? They don't. At least, some of them don't.

We don't make the financial and Sarb-Ox and HIPAA rules. They've been handed to us to implement. We've done that. And the same management that dictated the what and how of those controls is, in too many organizations, fully prepared to sabotage them.

Systems are composed of technology and users. We've always assumed that if management told us to build a system, we'd manage the technology and they'd manage the users.

What should IT people do when "management support" for a project means a budget plus a desire for the project not to work as intended? I don't have an answer for that.

But thanks to Société Générale, we know what the results will be.

What People Are Saying

What else is new

"we'd manage the technology and they'd manage the users." - a guaranteed failure without external monitoring. First, managers are users. Second, there has been lately a lot of talk about ethics. Ethics in management today? It used to be different, ambitious people are nothing new, IT monitored the IT space and sometimes even a little more. And it was successful, maybe a little too successful because the responsibility was moved to somewhere else and IT was told "not your business". This kind, a long lasting fraud, is easy to catch if you know what to look for. Just to clarify, I used to work in insurance IT where money flows much more freely than in banking, especially if you know the strict French accounting laws.