Top 10 op risks: failure to enforce internal controls

Failure to enforce internal controls: top 10 operational risks for 2013

kerviel-book
Brought to book: Jérôme Kerviel’s activities resulted in losses of nearly €5 billion for SG

target-iconUnder much recent legislation – the 2010 UK Bribery Act, for example – companies can use the existence of adequate controls as a defence, even when an offence has actually taken place. But the recent trial of UBS rogue trader Kweku Adoboli highlighted that adequate internal controls are useless if they are not maintained and monitored properly. 

As well as the $2.3 billion loss that the bank suffered, and the immeasurable damage to its reputation, the failure of its own controls to stop Adoboli’s unauthorised trades cost it a £29.7 million fine from the UK regulator, the Financial Services Authority. 

Some controls were simply not working: for long periods during the three years of Adoboli’s activities, a control designed to detect and warn of extensions in long-dated settlements was not functioning. Other controls were working but ignored: no penalties were imposed for breaching risk limits, for example. 

And similar lapses cost French bank Société Générale even more heavily: rogue trader Jérôme Kerviel, detected in 2008, cost the bank €4.9 billion while triggering 74 red flags, all of which were ignored or not investigated by Société Générale’s oversight and risk management.

In part, this reflects the structure of the system of controls, says Amir Orad, chief executive of Nice Actimize: “Look at the UBS case. This guy was not a genius – but the problem was that none of the systems talked to each other. The HR system, the IT support, the log of cancel/correct requests did not connect to each other.”

But Orad warns that this kind of failure will be far more serious in future – demonstrably enforced controls are increasingly in demand from customers as well as regulators. “Business cares a lot more today than before. It is becoming less legitimate to have poor controls – and there is competitive pressure as well. You want to be able to show your customers that their money is safe and under control, and the regulators as well.”

Accountability is one way to address this problem, says Chris Haines, head of operational risk management at American Express in New York. “It can take a while for risk management to get into people’s DNA. Now, if there is a compliance event, a business vice-president has to own it, and he has to explain it in front of a tribunal within certain rigid timelines – 30 days to discover customer loss, 90 days to make it whole – and that pressures people to take action.”

Top 10 operational risks 2013: Back to introduction

IT sabotage
 

Reputational damage

Incentives and compensation

Fraud and customer data abuse

Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

Failure to enforce internal controls


 

Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com

 

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Most read articles loading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here