The kind of insider incidents pulled by Nick Leeson at Barings Bank and Jerome Kerviel at Societe Generale demonstrate how much risk is associated with those in such powerful positions. Both guys successfully bypassed sophisticated controls designed to limit their ability to take risky trading positions without proper authority, eventually causing eye-watering losses that nearly tipped over the global financial system's house of cards.
Big risk-related questions remain about this type of massive internal threat:
- How many more rogue traders are still out there, doing much the same thing today?
- Is it even sensible, let alone possible to draw the line between legitimate and illegitimate activities? Given that, how can the really dangerous rogues (*) be identified from star performers?
- How many people in other such powerful positions are rogues (*) working for themselves rather than their employers, with dubious ethics if not outright fraudsters?
- Which controls can truly be relied upon?
- Where are the control gaps and vulnerabilities and which controls are needed?
I certainly don't have all the answers but I do know that multi-level security awareness is part of the solution. The corporate snitchline, for instance, is a powerful control that only works if a number of conditions are met, most importantly that people are aware that they have responsibilities to themselves, their employer and to society to report suspicious and inappropriate activities.
* "Rogue" is not the right word really. It glamorizes fraud. It has connotations of the cheeky chappy, the wide-boy, someone who is a bit of a trickster but is lovable and has a heart of gold. In reality, their hearts aren't gold but their safety deposit boxes probably contain some.