Top 10 op risks: failure to enforce internal controls

Under much recent legislation – the 2010 UK Bribery Act, for example – companies can use the existence of adequate controls as a defence, even when an offence has actually taken place. But the recent trial of UBS rogue trader Kweku Adoboli highlighted that adequate internal controls are useless if they are not maintained and monitored properly. 

As well as the $2.3 billion loss that the bank suffered, and the immeasurable damage to its reputation, the failure of its own controls to stop Adoboli’s unauthorised trades cost it a £29.7 million fine from the UK regulator, the Financial Services Authority. 

Some controls were simply not working: for long periods during the three years of Adoboli’s activities, a control designed to detect and warn of extensions in long-dated settlements was not functioning. Other controls were working but ignored: no penalties were imposed for breaching risk limits, for example. 

And similar lapses cost French bank Société Générale even more heavily: rogue trader Jérôme Kerviel, detected in 2008, cost the bank €4.9 billion while triggering 74 red flags, all of which were ignored or not investigated by Société Générale’s oversight and risk management.

In part, this reflects the structure of the system of controls, says Amir Orad, chief executive of Nice Actimize: “Look at the UBS case. This guy was not a genius – but the problem was that none of the systems talked to each other. The HR system, the IT support, the log of cancel/correct requests did not connect to each other.”

But Orad warns that this kind of failure will be far more serious in future – demonstrably enforced controls are increasingly in demand from customers as well as regulators. “Business cares a lot more today than before. It is becoming less legitimate to have poor controls – and there is competitive pressure as well. You want to be able to show your customers that their money is safe and under control, and the regulators as well.”

Accountability is one way to address this problem, says Chris Haines, head of operational risk management at American Express in New York. “It can take a while for risk management to get into people’s DNA. Now, if there is a compliance event, a business vice-president has to own it, and he has to explain it in front of a tribunal within certain rigid timelines – 30 days to discover customer loss, 90 days to make it whole – and that pressures people to take action.”

Top 10 operational risks 2013: Back to introduction

IT sabotage
 

Reputational damage

Incentives and compensation

Fraud and customer data abuse

Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

Failure to enforce internal controls

Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com