
Risk Management Keeps Failing the Ultimate Test

By Carlos Blanco, Chris Mammarelli & Robert Mark

COMMODITIES NOW MARCH 2008
RISK MANAGEMENT

SOCIÉTÉ GÉNÉRALE (SG) has suffered the largest recorded loss in derivatives history because its risk management control system failed. The facts behind the record-setting loss are gradually coming to the surface, but it is clear that the magnitude of the losses associated with the fraud is unprecedented.

Jérôme Kerviel, 31, an equity derivatives trader working from Société Générale’s Paris headquarters, managed to build massive “unauthorised” positions in equity index futures such as the Dow Jones Euro Stoxx 50 index and the German DAX that resulted in a cumulative loss for the bank of US$7.2 billion. To put things in perspective, the loss is about five times the amount that Nick Leeson squandered when he brought down Barings Bank.

Kerviel had a junior-level position in the European equity arbitrage group, known as Delta One, and he knew how to circumvent the risk management process due to prior experience he gained mainly from working in the back office. SG’s management claims to be completely surprised that Kerviel’s trades escaped its risk management control systems.

Kerviel had a low level of authority – his annual profit target was between €10 million and €15 million. In order to build the massive trading positions, he probably entered hundreds of fictitious trades to offset his trading bets in the risk systems.

Background & Chronology of Events

Kerviel was part of a proprietary trading business involved in arbitrage of financial instruments on European stock markets. The arbitrage mainly consisted of buying a portfolio of securities or indices and selling a portfolio of other instruments that had similar characteristics, but slight differences in value. The group made money based on the relative changes in value of the long and short positions.

Like LTCM’s strategies, the arbitrage consisted of building very large positions to make small margins while allegedly taking little risk. The arbitrage strategies had tight market risk limits in place, but also brought considerable operational risk to the bank, as any small errors could result in large losses.

According to Kerviel, the irregular transactions began in November 2005, although the bank claims that they started only last year. The trader saw an opportunity to start taking directional bets and managed to build those positions by entering fictitious transactions in the system to give the impression to management that his portfolio was hedged. During 2007, he produced a realised profit of €55 million (US$81 million) and he was expecting a bonus of €300,000¹. The prior year he had a combined salary plus bonus of less than US$150,000.

The pace of Kerviel’s trading picked up toward the close of 2007. The open positions’ unrealized profits were around €1.5 billion, but management was unaware of the profits. In 2008, markets moved heavily against his positions, and his book started accumulating large losses. It was just a matter of time until he was caught.

After several missed warnings related to Kerviel’s activities by German futures exchange Eurex and SG’s risk management and internal audit groups during 2007, he was finally caught in early 2008. A compliance officer called a counterparty after he discovered that a recently modified internal counterparty limit² had been breached. The counterparty confirmed that the trades did not exist.

Senior management first learned of the problem the morning of Friday, January 18th. It appears that Kerviel’s positions were (somewhat) balanced at that point, but the bank’s total exposure had reached €50 billion (US$73.3 billion)³. This figure exceeded the bank’s market capitalisation of €35.9 billion (US$52.6 billion). European equity markets fell almost 2% that day, so the positions had accumulated €1.4 billion in losses by the evening. After frantic emergency meetings over the weekend, the full scale of the problem was revealed to the bank’s management and audit committee on Sunday and the Central Bank of France was informed of the situation. Management decided to get out of their positions as quickly as practicable, even if that meant taking a large hit, as well as waiting to tell the market until the positions were closed to avoid front-running by other market participants.

The bank managed to neutralise the long position for three days, but given the magnitude of the position relative to their capital, they decided that they
had to sell even during one of the worst market plunges in European equity market history. To respect market integrity, they set a limit of 10% of the daily market volume.

Even though representatives from the bank deny it, it appears that the quick unwinding of their positions once the “fraud” was discovered could have contributed to the large fluctuations European equity markets experienced that week. The large drop in Asian and equity markets on January 21st may have also accelerated the Fed’s rate cut as they attempted to rescue the markets from a continuous fall.

After SG had finished closing Kerviel’s book, the bank had accumulated losses of €4.9 billion (US$7.2 billion). The timing and execution was not what management was expecting, but given their desperate situation, they did not see any other option.

TABLE 1: VOLUMES OF POSITIONS UNWOUND BY SG ON THE FUTURES INDICES MARKETS (%)

Date               Eurostoxx   DAX     FTSE
21 January 2008    8.1%        7.8%    1.7%
22 January 2008    6.8%        5.7%    3.1%
23 January 2008    5.9%        6.1%    0%
Source: SG January 2008

Risk Management At SG

SG was perceived to have a best-practice market risk management process in place. For example, the group had highly qualified professionals and sophisticated risk measurement and control systems. SG’s annual report includes a considerable amount of information related to the risk management process at the firm. Risk Magazine named SG “Equity Derivatives House of the Year”. (WHEN) Fitch estimates the equity derivatives business generated profits of about US$1.7 billion in 2006 (20% of the bank’s net earnings).

Based on publicly available information, Figure 1 shows that the market risk models were able to capture fairly well the profit and loss fluctuations from the trading book in 2006. Figure 2 shows the results from stress tests based on selected hypothetical and historical events for SG at the end of 2006. However, the risk models did not see Kerviel’s true positions and the estimated losses under normal and abnormal market conditions were a fraction of the realised losses after his actual positions were disclosed. Accordingly, the information provided did not indicate that SG could suffer losses of the magnitude they experienced in early 2008.

Figure 1: SG’s Daily VaR & Profit and Loss Results, 2006. VAR back-testing using the regulatory scope during 2006 – VAR (1 Day, 99%) in Millions of Euros. Sources: SG’s Annual Report, 2006.

Figure 2: Historical & Hypothetical Stress Test Results. Stress tests at December 31st, 2006. Sources: SG’s Annual Report, 2006.

It is likely that the market (e.g., rating agencies and equity analysts), as well as stakeholders (e.g., shareholders and bondholders), will become increasingly sceptical and impatient with SG unless the firm can respond quickly and unambiguously show that it has cleaned up its risk-related control problems. The trader’s immediate supervisors and some others in the control functions have already been handed their ‘pink slips’.

Although it would be embarrassing, to regain the market’s trust SG should seriously consider releasing information to the public regarding how the internal controls were violated, and should make assurances that the holes in the control procedures have been closed. When National Australia Bank confronted a similar situation and faced a large loss in FX options trading due to unauthorised transactions, the CEO was forced to resign and the new CEO ordered an independent risk audit on its overall risk management processes that was publicly disclosed.

Stakeholders will also demand better disclosures, with increased detail encompassing market risk, credit risk and operational risk, as well as, eventually, sophisticated qualitative disclosures about business risk, reputation risk and strategic risk.


Framework for Operational Risk

Regulators define operational risk as: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. These failures include computer breakdowns, a bug in a key piece of computer software, errors of judgment, deliberate fraud and many other potential mishaps.” Regulation obliges banks to set aside specific risk capital for operational risk. This in turn has facilitated the measurement of operational risk as a risk class and has made it easier to compare firms’ operational risk profiles.

All too often, industry inquiries following an operational risk disaster, such as a rogue trader incident, reveal a trail of red flags leading up to the event. The trail often begins months or even years before the loss incident itself, and the red flags often include smaller losses with the same cause – ‘near misses’. These near misses should have alerted the bank to the possibility of a risk that could result in larger losses, and should have raised concerns from auditors or regulators that were not properly addressed by management.

SG apparently struggled to fully integrate data, software and risk control infrastructure into their overarching enterprise risk management (ERM) frameworks. SG made the inevitable trade-off between completeness and accuracy, on the one hand, and cost and timeliness, on the other. SG’s excessive reliance on computer systems also may have allowed someone with detailed knowledge of those systems to build the large unauthorised positions.

Policies, Methodologies & Infrastructure (PMI)

The PMI framework for operational risk can be used to analyse SG’s operational risk management process

The first element is to develop well-defined operational risk policies. SG had gaps in its infrastructure that prevented the firm from adequately following up on its guidelines for practices that control or reduce operational risk. SG clearly needs to review and possibly upgrade its policies on trader/back-office segregation, out-of-hours trading, off premises trading, mandatory vacation time, legal document vetting and the vetting of the pricing models that underpin trading decisions. Management needs to determine why Kerviel was able to falsify emails from counterparties confirming operations, when those emails should have gone directly to someone in the back office and/or risk management. Many trading groups have policies that make traders take “forced vacations” of a period ranging from one to two weeks to prevent the type of situations that occurred at SG.

The second element is to develop a comprehensible set of operational risk metrics and risk mitigation procedures. Operational risk managers use quantitative methodology based on both historical loss experience and scenario analysis, to derive loss frequency and loss severity distributions. Despite the important methodological advancements in operational risk measurement and management in recent years, it is critical to combine qualitative and quantitative tools. A more basic management objective is simply to make operational risk increasingly transparent when the bank is making key decisions and understand key sources of operational risk. For example, key questions for SG clearly include:

• What was SG’s largest operational risk in broad terms?
• What drove SG’s operational risk?
• How did SG’s operational risk change over time?
• How is SG ensuring that identified operational risks are mitigated?
• Which of SG’s operational risks are on the horizon?
• How does SG’s operational risk level compare to that of comparable companies?

The third element of the PMI framework is to develop a comprehensive infrastructure that includes a well-designed operational risk organisation. For example, did SG’s senior management foster a risk-aware business culture? Kerviel has claimed that other traders in his group consistently breached their limits and were not disciplined by management. Was SG’s operational risk managed as a partnership between business units, business infrastructure groups and corporate governance units such as internal audit and risk management?

Old-School Risk Management

The practice of risk management has become quite mathematical in recent years, with many positions now requiring candidates to possess a PhD in a quantitative discipline. These ‘rocket scientists’ are constantly looking for ways to incorporate the latest sophisticated advances in financial theory to their firm’s risk models. The old joke about economists applies to many risk management groups: “It works in practice, but does it work in theory?”

French banks usually have a large team of quantitative analysts that develops mathematical valuation and risk models for complex derivatives. The SG equity derivatives team’s claim to fame was that it developed highly complex structured basket equity derivatives known as ‘mountain range’ products with exotic names like Himalaya, Everest and Altiplano. Given the complexity of the instruments, they generated large profit margins for the bank as many clients did not truly understand the risk-reward trade-offs of those instruments.

Even though SG may have had “highly qualified” quantitative risk professionals, it appears something was missing. Common sense would dictate that anyone who saw the massive positions the trader was putting on – even if he claimed he was hedging them – should look at those positions more closely and understand the rationale behind those transactions. (Kerviel was questioned on several occasions by internal control personnel but he gave relatively simplistic answers that allowed him to continue entering fictitious trades.)

In financial risk management, near misses are not given the same importance as in other disciplines. Risk groups should pay particular attention to identify the root sources of near misses or irregularities and enhance the control processes if necessary before they result in a material loss for the institution.

In the case of SG, the exchanges warned SG of unusually large transactions and SG’s internal risk group also found some irregularities, but Kerviel managed to perpetuate his activity by claiming these were just operational errors (with occurrence rates similar to
other traders in the group) and closing the positions.

Risk always finds the weakest link. Apparently, SG’s ineffective operational risk management process left the bank in a highly vulnerable position. To a large extent, it appears the group was managed by quantitative analysts and risk systems, but the ‘adults’ were missing from the risk group.

The Board & Senior Management

The board of directors should be aware of the major aspects of a bank’s operational risks as a distinct risk category that should be managed. The board should approve and periodically review the bank’s operational risk management framework and ensure that it is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The framework should provide a company-wide definition of operational risk and lay down the principles for how operational risk is to be identified, assessed, monitored and controlled or mitigated.

Senior management should be responsible for implementing the operational risk management framework approved by the board of directors throughout the entire banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies for managing operational risk in all of the bank’s products, activities, processes and systems.

French President Sarkozy has already said that SG senior management should be accountable for the failure in controls. He was quoted as saying that “when there is an event of this nature, it cannot remain without consequences as far as responsibilities are concerned.”

Genius vs Simple Fraud

A French Central Bank governor has called the trader a “genius of fraud.” SG has been portraying him as a mastermind. According to SG’s CEO, “The transactions that were built on the fraud were simple. The positions were linked to rising stock markets, but they were hidden through extremely sophisticated and varied techniques”.

The reality of the losses may in fact be much simpler. Perhaps the focus should shift to why the bank’s management and risk processes failed, and whether internal control and regulators should have spotted material deficiencies in the risk control framework at SG.

SG could have prevented billions of dollars in losses with a very low-tech and inexpensive process: simply hiring clerks to periodically call their counterparties and validate all over-the-counter positions. This simplest of checks could have thwarted even this ‘genius of fraud’.

Traders often have inside knowledge of the controls in place and that is why it’s critical to continually upgrade them. For example, it is natural for risk managers and back-office personnel to eventually migrate to trading. It is suspected that the trader at SG kept up to date with changes in back-office systems and procedures. Senior management implied that he used the login and password of colleagues to enter some transactions into the computer.

Kerviel was apparently well aware of the timeline of system checks by internal controls. He was able to continually conceal his positions by erasing them right before the checks and then immediately rebuilding them. As some of his positions were exchange-traded futures, he also managed to game the system by entering into equity index forwards that did not trigger margin calls. If the risk management group and the risk committees were just looking at the risk reports generated by the system, they could not tell what was happening.

However, Kerviel’s fraudulent actions are not an excuse to have missed the problem as it was unfolding. Firms would be well served to engage experts, such as those that have moved from risk management (or the back office) into trading, to help close control loops. Firms would also be well served to engage traders with a deep knowledge of the inner workings of the control procedures to help them set up a better risk control infrastructure.

The Myth of the ‘Independent’ Middle Office

The SG debacle vividly shows that the so-called “independence” of the middle office control function is a complete fiction in many trading organisations. Many traders like Kerviel begin their careers by gaining experience in a low-paying back or middle-office job, hoping to be promoted someday to a position on a trading desk. Such a career move can easily result in compensation jumping by 500% or more.

The last thing a person with such aspirations wants to do is to anger potential future colleagues on the trading desk by challenging the accuracy of positions or marks. Instead, the best policy is to do what is necessary to keep everyone happy, all the while gaining an intimate knowledge of any shortcomings in the risk control systems.

This fundamental flaw in the risk control function can be addressed by (a) making risk management a career track profession and not a stepping stone, and (b) reducing the pay gap between the front and middle office. But don’t hold your breath waiting for either of these changes to happen anytime soon.

SG has claimed this case was more difficult to spot in part because the trader did not seem to have strong monetary motivations, since he personally would not have received excessive monetary benefit from the profits of his trading position. But his motivations do appear to have had a strong financial nature, as his bonus in 2007 was more than 300% of his salary and his “exceptional” returns
would have likely helped him obtain a more senior position in the arbitrage group. When Kerviel started entering fictitious trades to take additional risk, he did not anticipate that the situation would end up as it did.

Kerviel argues that he was just trying to increase profits for the bank and his positions had accumulated profits over US$1.5 billion as of December 31st. However, it is likely that once he started experiencing losses in his large unauthorised positions, he did not disclose it for fear of repercussions. Instead he continued building up his position with the hope of recovering those losses. This panic situation probably led to a “fight or flight” stress response by the trader.

As for the billions of dollars in cumulative losses, Nick Leeson had this to say about SG’s situation: “You distance yourself somehow from the quantity of it. It tends to be numbers that come up on the screen – it does not have the real factor such as the money you have in your pocket.”

Defining the Ultimate Goal of the Risk Management Group

In general, banks and securities firms have upgraded their risk management capabilities. Unfortunately, the recent failures of risk management – the credit market fiasco and the multi-billion write downs experienced by many institutions – have brought financial institutions into the headlines once again.

A business professor at the London Business School recently wrote, “There hasn’t been a broad failure of risk management across the board, just one guy who knew how to beat the system.” Even though it may be unfair to blame the whole risk and management group for a person deliberately committing fraud, these are the types of events that risk management should be ready to prevent.

Management claims that the incident was “exceptional and isolated.” An SG banker observed “It makes us look incompetent, which isn’t the case. We’re all wondering if this fraud will wreck the company.”

An analogy can be drawn to the behaviour of many risk models under extreme market behaviour. Even though they work 99.9% of the time, the 0.01% are the events that can take the firm down. The US intelligence agencies may have prevented numerous attacks against US interests at home and abroad, but their failure to prevent the 9/11 attacks forced a reorganisation and redesign of their structure and ultimate objectives.

Conclusion

Why did risk management and executive management at SG fail? How could Kerviel generate such huge losses by himself for more than two years without tripping the internal risk control systems? Why was SG’s risk group looking only at net exposures instead of the massive gross exposures? These remain open questions. Disciplining executive management such as the co-heads of fixed income trading, global head of market activities and global head of equities and derivatives activities does not identify all the points of failure.

SG needs to clarify many open issues. For example, why did the bank’s back office not confirm each trade with their counterparties, instead waiting until limits were broken and a compliance officer found something unusual?

Many firms will still fail to comprehend the value of superior risk management and, as a result, will not achieve best-practice standards. Shocking financial failures will continue to hit the headlines. This won’t signal that risk management as a discipline has ‘failed’ but simply that a new challenge has to be met. Over time, the market will punish those firms that fail to invest wisely in risk management.

Carlos Blanco, Ph.D. is Managing Director of Black Swan Risk Advisors, LLC, an independent advisory firm with a proprietary approach to the design, development and validation of financial risk management programs. E: carlos@blackswanrisk.com

Chris Mammarelli is director of energy risk management at Black Swan Risk Advisors.

Robert M. Mark, Ph.D. is the CEO of Black Diamond, which provides corporate governance, risk management consulting, risk software tools and transaction services. E: bobmark@blackdiamondrisk.com

www.blackswanrisk.com
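
The Conclusion asks why SG's risk group looked only at net exposures and why the back office did not confirm each trade with its counterparties. The following Python example is added here and is not part of the original article or of any SG system: it runs both checks over a constructed blotter, and the trader names, counterparties, notionals and limits are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    counterparty: str
    notional: float  # EUR millions, signed: + long, - short


# Constructed sample data (illustrative only, not SG's books).
BLOTTER = [
    Trade("T1", "trader_a", "EXCHANGE", 900.0),  # directional futures position
    Trade("T2", "trader_a", "CPTY-X", -890.0),   # booked offsetting forward
    Trade("T3", "trader_b", "EXCHANGE", 40.0),
    Trade("T4", "trader_b", "CPTY-Y", -35.0),
]
# Trade ids each counterparty confirmed when the back office asked it directly.
CONFIRMED = {"EXCHANGE": {"T1", "T3"}, "CPTY-X": set(), "CPTY-Y": {"T4"}}


def is_confirmed(trade, confirmed):
    """True if the trade's own counterparty has confirmed this trade id."""
    return trade.trade_id in confirmed.get(trade.counterparty, set())


def exposures(trades):
    """Return {trader: (net, gross)} computed from signed notionals."""
    net, gross = defaultdict(float), defaultdict(float)
    for t in trades:
        net[t.trader] += t.notional
        gross[t.trader] += abs(t.notional)
    return {trader: (net[trader], gross[trader]) for trader in net}


def review(trades, confirmed, net_limit, gross_limit):
    """Return {trader: [findings]}; the limits are hypothetical desk limits."""
    findings = defaultdict(list)
    booked = exposures(trades)
    # Exposure recomputed from counterparty-confirmed trades only.
    verified = exposures([t for t in trades if is_confirmed(t, confirmed)])
    for t in trades:
        if not is_confirmed(t, confirmed):
            findings[t.trader].append(f"unconfirmed:{t.trade_id}")
    for trader, (net, gross) in booked.items():
        if abs(net) > net_limit:
            findings[trader].append("net_limit_breach")
        if gross > gross_limit:
            findings[trader].append("gross_limit_breach")
        verified_net = verified.get(trader, (0.0, 0.0))[0]
        # Booked net looks fine, but only because of unconfirmed offsets.
        if abs(verified_net) > net_limit >= abs(net):
            findings[trader].append("net_hidden_by_unconfirmed_trades")
    return dict(findings)


if __name__ == "__main__":
    for trader, (net, gross) in exposures(BLOTTER).items():
        print(trader, "net", net, "gross", gross)
    print(review(BLOTTER, CONFIRMED, net_limit=125.0, gross_limit=500.0))
```

On this data a net-only limit check passes for `trader_a`, while the gross check and the confirmation check both flag the same book.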
