The mess at Societe Generale is still unravelling. The big French bank took a $US7 billion loss last month because of a rogue trader, and government investigators are continuing to spot new problems in the bank's story that it was all the fault of one greedy computer genius, a financial trader gone wrong. Think this has nothing to do with corporate IT? Think again.
Sure, there's an obvious IT security angle, at least according to the bank's version. The trader, Jerome Kerviel, "misappropriated the IT access codes belonging to operators in order to cancel certain operations," according to the bank's official explanation of what happened. That means Kerviel stole some passwords.
But dig deeper, and you'll find something more disturbing. Kerviel started at Societe Generale in 2000 and spent five years doing back-office work. So he knew the bank's procedures and controls for traders inside and out - including everything about the daily trading reports that had to be reconciled.
In 2005, Kerviel became an arbitrage trader himself. His job was to buy a portfolio of futures options and at the same time sell a similar portfolio worth a little more. With a small profit on every trade, the job involved making a huge number of trades. Kerviel really did make the buys. But he faked some of the sales - to the tune of $US73 billion, which is more than the bank was worth. Kerviel was betting he would get a higher price later. He was wrong. He was caught just as the market started to fall. Selling those futures at a loss is what cost Societe Generale $US7 billion. How did Kerviel get $US73 billion in the hole? He's no computer genius. But he knew how the controls worked.
And he knew they were designed to prevent traders from stealing from the bank, not to stop cheating that might score bigger profits.
So he knew which transactions would be checked closely, and how they'd be checked. He knew how to fake transactions and how to make those transactions look innocuous.
And, Kerviel told government investigators, he knew that other traders were routinely cheating in similar ways and that management ignored it as long as the results were profitable.
No such cheating by other Societe Generale traders has been reported. But it turns out that Kerviel had been red-flagged for suspicious trading before. He talked his way out of trouble, convincing managers there was nothing wrong. Disturbed yet? You should be.
In IT, we think of implementing controls as our job, whether they are for financial traders or Sarbanes-Oxley or anything else. We scope out the software, we secure the systems, we manage the operations. And we tear our hair out when someone steals a password or exploits a security hole. We take it seriously and personally. And the people we're working for? They don't. At least, some of them don't. We don't make the financial and Sarb-Ox rules. They've been handed to us to implement. We've done that. And the same management that dictated the what and how of those controls is, in too many organisations, fully prepared to sabotage them.
Systems are composed of technology and users. We've always assumed that if management told us to build a system, we'd manage the technology and they'd manage the users.
What should IT people do when "management support" for a project means a budget plus a desire for the project not to work as intended? I don't have an answer for that.
But thanks to Societe Generale, we know what the results will be.