Managing Bank Operations Risk

by: Stanley Epstein

So we have had another massive loss at a major bank. The unfolding Société Générale loss may be the biggest (so far), but it is neither the first nor the last. Jerome Kerviel seems set to join a notorious band of rogue traders such as Nick Leeson and Toshihide Iguchi.

And the funny thing is that despite all the hand-wringing and accusations leveled at its newly exposed rogue trader, the management of Société Générale fails to see where the real blame truly lies. Put simply – on its own doorstep.

As the evidence of this massive loss and its underlying circumstances begins to emerge, one thing is eminently clear. The whole debacle can be blamed squarely on the failure of Société Générale’s Board and its Senior Management to take their operations risk management obligations seriously.

Already, within days of the loss being discovered, an abundance of anecdotal evidence has begun to emerge. Let’s look at a few examples:

  • “The … bank said that it tried on several occasions to make Mr. Kerviel take a few weeks off, but that it ultimately went along with his excuses for staying at work”
  • “The prosecutor also said that Mr. Kerviel admits to disregarding Société Générale’s trading rules but says others also flouted limits designed to contain risks to the bank”. (Wall Street Journal – January 29, 2008).
  • “… was the IT drawbridge properly raised when he made his move out of the back-office and onto the trading desk in 2005? Clear segregation of back-office and front-office activities was one of the clearest lessons to emerge from the rogue-trading scandal at Barings Bank in 1995; at SocGen, those lines seem to have blurred.”
  • “Eurex, the futures exchange of Deutsche Börse, questioned the trading position of Mr. Kerviel last November.” (Wall Street Journal – January 29, 2008).
  • “Veterans of the futures markets are baffled about how Mr Kerviel got away with building up such a big position unnoticed.”

And yet initially Société Générale painted themselves as the hapless victim of a canny and malicious fraudster who ruthlessly overrode all controls, so carefully designed to trap his ilk.

And all this points squarely at a massive management failure in the operational risk arena.

Basel II [1], which the European banking industry has spent the last half decade preparing for and which officially came into effect in the EU on 1st January 2008, is the current standard of best practice for management of operational risk.

The Basel II definition of operational risk is “… the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”

Aside from the specific details of how capital is to be allocated against operational risk, Basel II sets qualifying criteria. Users of the “Basic Indicator Approach” are in any case required to comply with the “Sound Practices for the Management and Supervision of Operational Risk” standard of the BIS. Beyond that, a more sophisticated bank using either the “Standardized Approach” or the “Advanced Measurement Approaches” must satisfy its local banking supervisor that, as a minimum:

  • Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework,
  • It has an operational risk management system that is conceptually sound and is implemented with integrity, and
  • It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.

If we look more closely at “Sound Practices for the Management and Supervision of Operational Risk”, we have an outline prepared by the Risk Management Group of the Basel Committee on Banking Supervision. It sets out a series of principles that offer a framework for the effective management and supervision of operational risk, for use by banks and supervisory authorities when evaluating operational risk management policies and practices. The first three of these principles relate to the role and responsibilities of the directors and senior management of the bank regarding an appropriate operational risk management environment. Principles 4 to 6 deal with the identification, assessment, monitoring, and mitigation/control of operational risk, while Principle 7 deals with the need for appropriate and effective Business Continuity.

Clearly, on the basis of the emerging evidence, the parties who need to shoulder the blame in the Société Générale debacle seem to be eminently clear.

[1] Basel II: International Convergence of Capital Measurement and Capital Standards: a Revised Framework