This month marks the twentieth anniversary of one of the biggest financial scandals in British banking history. On the 25th February 1995, Barings, Britain’s oldest merchant bank, collapsed. A trader by the name of Nick Leeson had lost over eight hundred million pounds in unauthorised trading on the Singapore International Monetary Exchange. Despite desperate attempts, Barings was unable to secure a bailout for the business and the company was declared insolvent; at a stroke 1200 people lost their jobs and over one hundred million pounds was lost by Barings bondholders.
The collapse at the time was unprecedented; how could a single rogue individual bring down such a prestigious financial institution?
The resulting Bank of England report highlighted many failings at Barings, but some simple and fundamental principles had been neglected.
At the root of the Barings catastrophe was fraudulent behaviour by a rogue individual compounded by the failure of the institution to segregate duties sufficiently within their Singapore office.
In the years prior to the collapse Barings was expanding quickly and Nick Leeson had been put in charge of both the front and back office functions. In normal circumstances best practice would have demanded that these activities be segregated; Barings appears to have turned a blind eye to this as a matter of convenience. The seeds of what later transpired had already been sown.
Leeson was asked to build a team from locally recruited employees. He was only 25 when he went to Singapore, and the people he recruited locally were very junior and inexperienced. He appears to have been well liked by his team, and they did not have the experience, authority or confidence to challenge some of the suspicious practices that he was later to be involved in.
Leeson alleges that the spiral of deceit in which he was later to become embroiled was initially driven by the desire to conceal a £20,000 error made by a junior member of his team. The ease with which he was able to conceal this loss started him on a path of increasingly bold deceitful behaviour. Leeson became entangled in a spiral of increasingly loss making trades while at the same time misrepresenting these as impressive profits to head office.
There can be little doubt that the confused and poorly defined reporting line meant there was little effective oversight of what Leeson was doing, and this allowed him to repeatedly deceive London.
While Leeson seems to have been regarded as an intelligent individual within the bank, it seems from reading his own accounts that his level of maturity had not kept pace with his level of responsibility; his evenings were often characterised by drunkenness and excess. Before he had been in Singapore for long he had been banned from the Singapore Cricket Club after an altercation in which another member was punched.
Not long after this event, Barings was to learn that their star trader was on a charge of public indecency after another incident in which he had ‘mooned’ at a group of girls in a bar. Leeson narrowly avoided imprisonment for this offence; had he been imprisoned, Barings may well have fired him and been saved from some of what later transpired. However, Leeson was seen as a top performer within the bank, his transgression was quietly ignored, and after he was released with a two hundred dollar fine he was allowed to continue in his position with the bank. What was not known at this stage was that Nick was already engaged in a spiral of highly risky unauthorised trading and was desperately trying to cover his tracks from internal audits. Barings was oblivious to the fact that the huge profits that Nick Leeson was reporting were entirely fictitious.
There were a number of failings in this case:
1) Serious segregation of duties failures. Functions that should have been clearly divided were not. In his dual role in charge of the front and back office he was able to both trade futures and also book and report the various trades. Internal audits had highlighted these risks but they had not been acted upon.
2) Poor oversight. Leeson was essentially operating with no supervision from the London head office.
3) The lack of an unambiguous reporting line. There was a confused reporting line that helped obfuscate Leeson’s fraudulent behaviour.
Developing effective internal controls that can keep ahead of rapidly evolving business processes is a challenge that all organisations have to take seriously. Segregating functions greatly complicates an individual’s ability to conceal fraudulent behaviour.
Barings was unaware of the personality flaws that might cloud Leeson’s moral judgement. Leeson lied on a frequent basis throughout his employment at Barings to cover his misdeeds. Had Barings had some idea of Leeson’s moral compass they might have considered him a high risk individual.
Since the Barings scandal there have been at least eleven other known rogue trader scandals, the most disastrous being the 4.9 billion euro loss made by Jérôme Kerviel in 2008 at Société Générale. Unfortunately it is unlikely that this will be the last example of this behaviour.
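The first of the failings listed above, trading and booking in the same hands, is the kind of conflict a segregation-of-duties check is meant to catch. The following is an added example, not code from the original article: the conflicting function pairs and the role names are constructed, with front office (trade execution) set against back office (booking, settlement, reconciliation), and it includes both a detective check over existing assignments and a preventive check for a proposed role grant.

```python
# Business functions that one person should never hold together, constructed
# from the failings above: trading (front office) versus booking, settlement
# and reconciliation (back office).
CONFLICTING_FUNCTIONS = {
    frozenset({"execute_trade", "book_trade"}),
    frozenset({"execute_trade", "settle_trade"}),
    frozenset({"execute_trade", "reconcile_positions"}),
    frozenset({"book_trade", "reconcile_positions"}),
}

# Hypothetical role-to-function mapping (role names are constructed).
ROLE_FUNCTIONS = {
    "FUTURES_TRADER": {"execute_trade"},
    "BACK_OFFICE_CLERK": {"book_trade", "settle_trade"},
    "RECONCILIATION": {"reconcile_positions"},
    "READ_ONLY_AUDIT": {"view_positions"},
}

def functions_for(roles):
    """Flatten a user's roles into the set of business functions they grant."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def sod_conflicts(user_roles):
    """Detective control: map each user to the conflicting function pairs they hold."""
    findings = {}
    for user, roles in user_roles.items():
        held = functions_for(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_FUNCTIONS if pair <= held)
        if hits:
            findings[user] = hits
    return findings

def grant_would_conflict(existing_roles, new_role):
    """Preventive control: conflicts that granting `new_role` would newly introduce."""
    before = sod_conflicts({"u": existing_roles}).get("u", [])
    after = sod_conflicts({"u": list(existing_roles) + [new_role]}).get("u", [])
    return [pair for pair in after if pair not in before]

# Constructed sample assignments: one user spans front and back office.
SAMPLE_ASSIGNMENTS = {
    "sg_trader01": ["FUTURES_TRADER", "BACK_OFFICE_CLERK", "RECONCILIATION"],
    "sg_clerk01": ["BACK_OFFICE_CLERK"],
    "sg_auditor": ["READ_ONLY_AUDIT", "RECONCILIATION"],
}
```

Running `sod_conflicts(SAMPLE_ASSIGNMENTS)` flags only the user who holds trading together with back office roles; the preventive check is the one to wire into a provisioning workflow before a role is granted.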
Ultimately any organisation has to recognise that people are fallible. Segregation of duties and internal controls are an essential component in the armoury of techniques that protect organisations from rogue individuals.
Helpdesk systems are now fundamental to the way that companies manage their support teams and comply with their service level agreements.
The workflow for provisioning users usually crosses two distinct software process boundaries:
• The user approval workflow is managed within a helpdesk system.
• The user record is created within SAP’s authorisation system.
These two systems provide two separate disconnected audit trails which are not easy to reconcile and result in duplicated effort:
• The Help desk ticket needs updating with details of the modification.
• The user needs informing of the change.
• Passwords may need synchronising in different systems resulting in wasted effort.
Consequently the creation of new users tends to create a significant amount of work while the unlocking of accounts can be one of the single biggest contributors to the helpdesk workload.
Fortunately there is a way to reduce this effort, reduce your costs and free up your support staff to add value to your business.
The key is the connectivity options provided by both SAP and most of the leading helpdesk vendors, which allow these two distinct processes to be joined into one.
SAP provides a number of methods to connect systems. Web services are one of them; over the last ten years they have been increasingly hailed as the ideal solution for connecting disparate systems.
When we have been looking at connecting systems, web services will often be our first port of call.
By driving user provisioning entirely from your helpdesk approval flow there is an immediate productivity gain: helpdesk operatives do not even need to be given SAP clients. The audit trail becomes quicker, easier and cheaper. What’s more, once organisations realise that approval workflows and their associated actions can be joined into a single audit trail, role modifications, transport system operations and other administrative functions can be managed in the same way.
If you are an organisation looking to find productivity savings and improve your auditing, then joining up the disconnected parts of your systems could be the way to a more effective future.
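What a single joined audit trail looks like in practice is shown by the following added example (not code from the original article or from SAP): a helpdesk ticket is only acted on once approved by someone other than the requester, the action is mapped to the SAP BAPI that performs it (the BAPI names are real SAP function modules, but the call itself goes through an injected, hypothetical `sap_call` client), and one record captures ticket, approver, SAP action and result together. `fake_sap_call` is a constructed stand-in so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ticket action -> SAP function module (real BAPI names; invocation is abstracted)
ACTION_TO_BAPI = {
    "create_user": "BAPI_USER_CREATE1",
    "unlock_user": "BAPI_USER_UNLOCK",
    "lock_user": "BAPI_USER_LOCK",
}

@dataclass
class Ticket:
    ticket_id: str
    action: str
    sap_user: str
    requester: str
    approver: str = ""
    status: str = "open"  # open | approved | rejected

@dataclass
class AuditRecord:
    ticket_id: str
    action: str
    sap_user: str
    requester: str
    approver: str
    bapi: str
    result: str
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def provision(ticket, sap_call, audit_log):
    """Act on an approved ticket via `sap_call(bapi, user)` and log one joined record."""
    if ticket.status != "approved":
        raise PermissionError(f"{ticket.ticket_id}: ticket is not approved")
    # Segregation of duties: nobody may approve their own request.
    if not ticket.approver or ticket.approver == ticket.requester:
        raise PermissionError(f"{ticket.ticket_id}: approver must differ from requester")
    bapi = ACTION_TO_BAPI.get(ticket.action)
    if bapi is None:
        raise ValueError(f"{ticket.ticket_id}: unsupported action {ticket.action!r}")
    result = sap_call(bapi, ticket.sap_user)  # hypothetical RFC/SOAP client call
    record = AuditRecord(ticket.ticket_id, ticket.action, ticket.sap_user,
                         ticket.requester, ticket.approver, bapi, result)
    audit_log.append(record)
    return record

def fake_sap_call(bapi, username):
    """Constructed stand-in for the SAP client so the example runs offline."""
    return f"{bapi} returned RETURN.TYPE=S for {username}"
```

Because the SAP call and the audit record are produced in the same step, there is no second trail to reconcile and no separate ticket update to remember.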
For many, security is the ugly child of IT. When people start to consider security, it’s often as an afterthought or at worst a necessary evil.
Thankfully attitudes are changing. Recently a series of high profile cases have focused companies’ attention on the need to protect their own and, perhaps more importantly, their customers’ data.
In particular the recent highly publicised attack on Sony’s IT infrastructure demonstrates an insidious form of attack in an increasingly connected world: those that are deliberately and exclusively aimed at damaging an organisation’s credibility by compromising its employees’ or customers’ privacy.
Many organisations have long since appreciated that the damage to a company’s reputation caused by security breaches is the single biggest threat to their credibility.
The Sony case and the recent leak of US diplomatic cables have both highlighted the fact that organisational embarrassment alone is now a powerful weapon when wielded by malign hands. In both cases the data was released into the public domain through the supposed anonymity of hacker groups.
The ‘Cablegate’ affair was not a sophisticated attack from an externally acting agent. The culprit was a rogue individual within the organisation who simply abused the access that he might legitimately have been said to have required for his role.
Could simple mitigating controls have reduced the impact of this security breach?
If the careful segregation of data on a need-to-know basis is the principal risk reduction method in an organisation’s armoury, mitigating controls should be the second line of defence.
The US deliberately loosened rules regarding the segregation of data after 9/11; the objective was to improve information sharing and ultimately the effectiveness of security services analysis. While these were worthy aims, it could be suggested that the corresponding compensating controls were neglected. Controls could have provided oversight of the extraordinary amounts of data that were being downloaded by this individual.
The ‘Cablegate affair’ compromised people who had provided information to the US security services and to which a duty of care was owed. The reputation of the US government has suffered as a consequence.
Your reputation hinges on protecting your customers’ data.
Ultimately a vigorous approach to securing your organisation’s data is an important part of building confidence and trust with those with whom you work; secure organisations are professional organisations.