Yet another financial scandal has highlighted the weaknesses of some organisations’ internal control. Are companies failing to learn lessons from the past? Or has the operating environment changed so much that it is making these lessons irrelevant?

The recent trading scandal at Société Générale emerged on the heels of a period of turmoil in the financial markets, with issues such as subprime lending and fair value contributing to the unease. As details of the losses incurred by Jérôme Kerviel, the alleged rogue trader working for Société Générale, continue to be sorted through, readers may recognise familiar themes from trading-related issues that affected Drexel Burnham Lambert in the 1980s, Barings Bank and, most recently, Allied Irish Bank.

It is reasonable to assume that in the wake of these and other scandals, and under the pressure of regulations, financial institutions would have strengthened controls to mitigate the risk factors associated with trading-related activities. So why do we continue to see allegations of rogue trading? Have we not learned lessons from the past? Or has the operating environment changed to the point where historical mechanisms for managing risk are not fully adequate?

It is important to recognise what is new or different about the financial services' operating environment. We see this as evolving around five categories of change, which all have implications for risk management.

Change in five themes

COMPLEXITY Perhaps the most striking change in the trading environment is the complexity of the products being traded.

Trading floors still handle stocks and bonds and other straightforward financial instruments. However, financial innovation has introduced new, more sophisticated products such as collateralized debt obligations, where only a portion of risk is hedged, thus resulting in highly complex trades.

While complexity should not be used to excuse weak controls, significant complications occur when trying to control the risks inherent in trading complex financial instruments. As products become more difficult to understand, it can be easier for errors to be hidden. For example, John Rusnak, the Allied Irish trader who lost over $700m, used phoney option contracts to hide his losses in foreign exchange contracts involving the Japanese yen.

Just as organisations need to know their customers, companies need to know the products within their portfolio. All levels of the organisation need to understand the products they are selling, supporting and buying. Firms need to invest in both talent and training to keep pace with developments in the financial markets in which they trade.

TECHNOLOGY Technology has enabled greater speed, global access and more complex calculations. The downside is that it has created additional risk for the very same reasons. The large volume of transactions, together with the speed at which they are processed, means that control failure is often identified after the fact. More sophisticated applications usually have more robust controls, but a knowledgeable user can circumvent them. As a practical matter, developing and implementing an efficient trading system requires proactive and committed front office participation as well.

Managers, in particular front office managers, need to understand the capabilities and limitations of the technology applications that support their business. As a minimum, front office supervisors should ensure that user access controls are defined and enforced and that system administration capabilities are restricted and reviewed frequently.

GLOBALISATION Markets are open around the world 24 hours a day. With advanced communication technology, traders can access markets from almost anywhere in the world. Greater access presents tremendous competitive opportunities, but also raises new challenges to mitigating risk.

Deals that are processed in different countries increase the risk of errors or fraud and reduce the likelihood of detection. For example, an equity-linked structured note financing deal might be made in New York and modified in London. The resulting documents will include trade tickets with external counterparties as well as inter-company transactions between different desks, thus creating a complex paper or electronic trail. Such convoluted trading deals increase the risk of errors, which further increases the likelihood of disputes over settlement terms and potential litigation.

Firms need to appreciate the implications of their participation in the rapid globalisation of the financial markets. Those with active complex global trading operations should require, as a minimum, frequent reconciliations across trading desks located in different jurisdictions.

Kerviel reportedly responded to some inquiries about his trading patterns by explaining that they were due to administrative errors over offsetting trades in Europe and the US. This reflects a challenge financial companies face: how to manage cross-border trades in a global environment.

GOVERNANCE One of the key principles regarding the control of trading risk is the segregation of duties. Simply put, those executing trades should not be those confirming trades.

Nick Leeson, the derivatives trader who brought down Barings Bank, was allowed to settle his own trades. This critical violation of segregation made it difficult to detect the fraud he had committed. Leading financial services organisations have integrated a number of checks and balances. These include automation, clear policies and procedures, and an organisational hierarchy with defined roles and responsibilities from the board level through to the back office.

Rogue traders by nature are usually adept at manipulating these systems of checks and balances, and it is up to senior management to evaluate, both actively and constantly, the strengths of the firm's risk management processes. Sometimes, however, even the most effective checks and balances are not enough if the culture of the company is not aligned with its objectives.

CULTURE Companies that focus on short-term profitability may foster a culture where excessive gains are rewarded, without consideration for the risks that were taken to achieve those gains. Also, investing in risk management professionals and technology may appear difficult to justify in a financially successful environment. Even with a strong risk management function, senior management may believe that the pattern of business success is sustainable. We are reminded again and again that this is not true. As Harry Markowitz demonstrated with his 'efficient frontier' concept, generating higher returns involves taking higher risks. However, not all high risk pays off; it can in fact yield low returns.

This is one of the reasons for banks placing limits on the size of trading positions. As we have seen, rogue traders such as Kerviel and Leeson violate these limits, often over a period of years. They and others frequently claim that violating limits is seen to be acceptable, and perhaps is even encouraged at their firm. In fact, it often seems that rogue traders are caught only after their trades go irreversibly bad.

Taking higher levels of risk should be reflected in the internal cost of capital used to assess those risky activities. One potential control on trading is to charge the trading desk for the capital it is using, based on the risk it is taking with that capital. For example, trading in high-grade commercial bonds with well capitalised institutions in developed countries should require a lower cost of capital than trading equity-linked structured notes denominated in volatile currencies.

Trades that generate results outside the expected range should be examined thoroughly, including trading books that are unusually profitable. More importantly, such enquiries need to be accepted and absorbed into the culture of the trading floor.

Enterprise-wide oversight

Globalisation and technology can increase the transparency of trading decisions and behaviour, and these decisions and behaviours can be a source of great prestige or embarrassment. A firm's reputation can affect its ability to operate in certain jurisdictions, to attract new clients and to maintain and raise low-cost capital. So how can the leadership influence its internal dealings and external image?

As a minimum, the board should be aware of the range of consequences that could arise from the firm's strategy. In most financial institutions the board approves some form of risk policy, including high level limits on lending, investment and trading activity.

All boards should also be assessing the impact of new and more complex products and other changes in the global financial markets. Questions to be asked include: Does the firm have enough trained and competent people in the front, middle and back office to support these products? Are the firm's technology applications robust enough to support round the clock trading and settlement? Can 'red flags' be raised quickly enough and are there mechanisms in place to ensure they are acted on?

These questions should be asked of the business units as well as of the risk management functions.

The board should also evaluate the senior management team to determine if there is a robust commitment to risk management, and be prepared to make tough decisions based on their findings.

One way to assess the organisation's commitment to risk management is to review the exception reporting and corrective action tracking processes that cover trading limit violations. This is most effectively done by looking at how the business unit leaders as well as risk control deal with exceptions.

The board has a duty to understand the significant risks inherent in trading the firm's capital as well as the effectiveness of the system of controls designed to protect the capital at risk in its trading activities. But this cannot be achieved without the support of the internal audit department. Internal audit should provide assurance to the board that the controls over trading risk are: in place and appropriate, functioning as designed, and tested and signed off by appropriate individuals.

Internal audit should determine that competent people are performing these controls, particularly in the middle and back office. Processes should be in place to communicate policy exceptions and limit violations up the chain of command. Regular audits should determine whether prompt action is taken to correct exceptions and discipline violators. Audits should also determine whether or not technology platforms are adequate. In the wake of control failures, internal audit provides valuable assistance in assuring that the control environment not only mitigates risk but also provides a platform for reporting risk failures to the leadership.

And the future?

How does a rogue trader circumvent the sophisticated controls of a global financial institution? A challenging question, but one that should not be ignored. Managing risk is an iterative process aligning current and emerging changes in the organisation with new, improved or modified risk management strategies and tactics. Accordingly, risk management programmes need to be assessed and modernised continuously. If not, we will be reading again about more trading scandals.