Exchange Ideas

Systems Risk

"Systems Risk" is in the position that Operational Risk was in a decade ago (pre-Basel II): everyone knows that Information Technology is a major issue in Financial Services, but the industry has not found satisfactory ways of analysing and measuring the associated risks. Many business surveys point to IT being of vital interest to Boards and senior management, but we (the IT profession) keep screwing up - I would argue because, in part, neither the IT function nor business has yet learned how to manage risk.

 


February 29, 2008

Shut that Stable Door!

On 28th February, MF Global announced a $141.5 million bad debt provision as a result of losses incurred by unauthorized trading activities in the wheat futures market, by one of its employees - Evan Dooley.

The CEO of the company blamed the losses on "a failure in one of the company's retail order entry systems [which] permitted [Dooley] to establish significant positions in his own account".

DOH - the "system failed"!

More likely is that, yet again, a trader has found a way to hide unauthorized trading because of deficiencies (not failures) in a firm's systems.

MF Global (formerly Man Financial) is the largest broker of exchange-traded futures and options in the world. Man certainly knows the agricultural commodities business having been established in 1783 in London as a sugar broker. For 200 years, it focused on agricultural commodities before diversifying into financial markets, following the Big Bang deregulation of the London financial markets in the mid 1980s. MF Global, one of the two main divisions of the Man Group, has expanded globally with offices in twelve major financial centers around the world.

So no excuses then for lack of market knowledge and experience.

Interestingly, the company issued a statement stating "it has made the appropriate adjustments to its order entry systems to prevent a recurrence of unauthorized trading of this type in the future". This was done less than 24 hours after the "unauthorized trading" was detected and raises the obvious question, why wasn't the stable door shut before?

Why did the problem occur just now, when the potential for losses was obviously there all along?

The answer is that the market for wheat has been exceedingly volatile in the last few months, having risen by 32% this year alone, driven by fears of demand exceeding supply. The date of the announcement showed the largest swing in the history of Chicago Board of Trade (CBOT) wheat futures. Obviously Mr. Dooley was betting the wrong way, on commodity prices and/or volatility.

This, of course, has echoes in the Societe Generale (SOCGEN) case, where Jerome Kerviel made a huge loss betting the wrong way in very volatile markets - equity derivatives. [Here too systems, not failures in control processes, are being blamed].

The same signs of systems deficiencies were apparent in the AIB FX trading scandal and the National Australia Bank (NAB) FX Options trading losses, where systems controls were bypassed, systems reports were suppressed, and critical data was manipulated.

Good systems are critical to ensuring that risk management controls are effective. If a critical report is missing or easily manipulated by clever users, it is not difficult to hide unauthorized activities.

If basic data entry controls can be circumvented, whether by false passwords or by permitting users to change or delete data without review, it is easy to hide fake transactions. If transactions can be entered into systems with dubious data (such as 'unknown' clients in SOCGEN), it is easy to hide unprofitable positions. If it is possible to enter transactions into systems that make no economic sense, such as deep 'out of the money' options, it is possible to bypass risk management controls. If there is a user-developed spreadsheet in the mix, red flags should be raised.
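The entry controls listed above can be expressed as checks that run on every transaction record and feed an exceptions report. This is an added example, not code from the post or from any firm it names; the record fields, client list and 30% out-of-the-money limit are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_CLIENTS = {"C-1001", "C-1002"}  # assumed client reference data (constructed)
MAX_OTM = 0.30  # assumed limit: flag options more than 30% out of the money

@dataclass
class Entry:
    trade_id: str
    action: str                       # "new", "amend" or "delete"
    entered_by: str
    client: str
    kind: str                         # "future", "call" or "put"
    strike: Optional[float] = None
    spot: Optional[float] = None
    reviewed_by: Optional[str] = None

def otm_fraction(e: Entry) -> float:
    """Distance out of the money as a fraction of spot (0.0 if in the money)."""
    if e.kind == "call":
        return max(0.0, (e.strike - e.spot) / e.spot)
    if e.kind == "put":
        return max(0.0, (e.spot - e.strike) / e.spot)
    return 0.0

def check_entry(e: Entry) -> list:
    """Return the control findings for one entry; an empty list means it passes."""
    findings = []
    if e.client not in KNOWN_CLIENTS:
        findings.append("unknown client")
    if e.action in ("amend", "delete") and e.reviewed_by in (None, e.entered_by):
        findings.append("change without independent review")
    if otm_fraction(e) > MAX_OTM:
        findings.append("deep out-of-the-money option")
    return findings

# Constructed sample entries, not taken from any real case.
SAMPLE = [
    Entry("T1", "new", "alice", "C-1001", "future"),
    Entry("T2", "new", "bob", "UNKNOWN", "call", strike=150.0, spot=100.0),
    Entry("T3", "delete", "bob", "C-1002", "future", reviewed_by="bob"),
    Entry("T4", "amend", "bob", "C-1002", "put", 95.0, 100.0, reviewed_by="carol"),
]

def exceptions_report(entries):
    """Map trade id -> findings, listing only the entries that fail a control."""
    checked = ((e.trade_id, check_entry(e)) for e in entries)
    return {tid: found for tid, found in checked if found}
```

A self-review (T3, where the reviewer is the person who entered the change) is treated the same as no review at all.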

Systems professionals respond that they merely build the systems that users request and that they are "only following orders". However, in the past, this argument has failed to save the systems developers who became cannon fodder when the time came to sack staff in the aftermath of a risk management failure.

This is not rocket science. While innovative products, especially derivatives, are complex and difficult for systems-trained staff to understand fully, there is a set of well-known systems controls that should be built into all process flows, such as controls on data entry/modification, independent transaction review/confirmation, independent data sources for valuation, etc.

If the answer is so obvious, why is it not done?

One reason is that there is little or no specific risk management of systems development and maintenance.

There are well-established risk management activities in the areas of security (e.g. systems access) and business continuity planning (BCP) but there is little in the way of risk management in areas such as systems selection, implementation, development and maintenance.

MF Global and SOCGEN are, yet again, examples of Operational Risk. Since Systems Risk is one of the four dimensions of Operational Risk identified by Basel II, there is a need for Op. Risk professionals to learn lessons from these cases to help plan for mitigating these risks in their own institutions.

The benefits are obvious; it should be noted that the 'bad debt provision' announced by MF Global would have almost wiped out the firm's prior year's profit!

Cases, such as MF Global, provide excellent business reasons for improving Operational and Systems risk management.

Posted by pjmcconnell at February 29, 2008 12:01 AM

Comments

I would agree, the products, markets, pricing and strategies of some of these derivatives are extremely complex but the workflow of transaction is less so and much more standardised. The controls need to sit around the process flows.

To this day I still don't "get it" why this appears to be overlooked each time.

For example: Why doesn't anyone track margin positions on a daily basis? The variation margin is not collateral at the end of the day but offsetting of differences in the current price compared to the previous day's price against the exercise value of the contract. If there are continual calls for margin top up surely that is a sign the bank is holding onto something that the market is going against.

Posted by: Martin Davies at February 29, 2008 04:07 AM
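The daily margin check raised in the comment above can be run as a simple streak detector over variation margin records. This is an added example, not part of the original post or comment; the account names, amounts, three-day threshold and one-record-per-business-day layout are assumptions.

```python
from collections import defaultdict
from datetime import date

STREAK_DAYS = 3  # assumed threshold: consecutive business days with a margin call

# Constructed sample: (business date, account, variation margin in USD).
# A negative amount means the account was called for margin that day.
MARGIN = [
    (date(2008, 2, 25), "ACC-1", -120_000), (date(2008, 2, 25), "ACC-2", -50_000),
    (date(2008, 2, 26), "ACC-1", -250_000), (date(2008, 2, 26), "ACC-2", 30_000),
    (date(2008, 2, 27), "ACC-1", -900_000), (date(2008, 2, 27), "ACC-2", -20_000),
    (date(2008, 2, 28), "ACC-1", -1_500_000), (date(2008, 2, 28), "ACC-2", 10_000),
]

def call_streaks(rows):
    """Per account: (longest run of consecutive daily calls, total called in that run)."""
    by_account = defaultdict(list)
    for _day, account, vm in sorted(rows):      # date order within each account
        by_account[account].append(vm)
    result = {}
    for account, series in by_account.items():
        best_len = best_total = run_len = run_total = 0
        for vm in series:
            if vm < 0:
                run_len += 1
                run_total += -vm
            else:                               # a credit day breaks the streak
                run_len = run_total = 0
            if run_len > best_len:
                best_len, best_total = run_len, run_total
        result[account] = (best_len, best_total)
    return result

def flagged(rows, min_days=STREAK_DAYS):
    """Accounts whose longest call streak reaches the threshold."""
    return {a: s for a, s in call_streaks(rows).items() if s[0] >= min_days}
```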

IT systems are almost an afterthought and real controls practically nonexistent. I worked for a bank where the trading system log files printed out the login name AND password for all users to a plain text file every time traders logged in. Any of the several dozen people with access to the system could have logged in and made trades as they pleased. It took me over a year to get this addressed. It was not even my responsibility and never turned up in security audits which focus on keeping external hackers outside the bank's core systems. Until regulators require rigorous third party audits of IT systems with bonding and liability like financial audits there is no way these problems will go away.

Posted by: Joseph Owens at May 16, 2008 07:42 PM
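Plain-text credentials in log files, as described in the comment above, can be found by an audit pass over existing logs and closed off at the source with a logging filter. This is an added example, not part of the original post or comment; the log format, field names and logger name are assumptions.

```python
import io
import logging
import re

# Assumed field names; the comment above does not give the log format.
SECRET = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)")
USER = re.compile(r"(?i)\b(?:login|user)\s*[=:]\s*(\S+)")

# Constructed sample log lines.
SAMPLE_LOG = [
    "2008-02-28 08:59:58 INFO session pool ready",
    "2008-02-28 09:00:01 INFO login=jsmith password=Wheat2008! result=OK",
    "2008-02-28 09:00:07 INFO order accepted id=7731 login=jsmith",
    "2008-02-28 09:01:12 INFO login=akhan PWD: s3cr3t result=OK",
]

def redact(line: str) -> str:
    """Replace the value of any password field, keeping the rest of the line."""
    return SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

def scan(lines):
    """Audit pass: (line number, account) for each line exposing a password."""
    hits = []
    for n, line in enumerate(lines, 1):
        if SECRET.search(line):
            user = USER.search(line)
            hits.append((n, user.group(1) if user else None))  # never the secret
    return hits

class RedactFilter(logging.Filter):
    """Fix at the source: scrub each record before any handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True

def log_through_filter(message: str) -> str:
    """Send one message through a handler with the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactFilter())
    logger = logging.getLogger("trading.auth")  # hypothetical logger name
    logger.addHandler(handler)
    logger.propagate = False
    logger.warning(message)
    logger.removeHandler(handler)
    return stream.getvalue().strip()
```

Any account that `scan` reports should have its password changed, since everyone with read access to the log could have seen it.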
