On additional training by senior management. Risk

Published by admin on

On review of the “2008 Societe Generale Mission Green
report” there are numerous material risks evident.  These span credit, operational, conduct,
reputational and compliance risk domains.

The five key risks I have chosen to focus on are;

People risk; managing and rewarding
employeesRisk monitoring and reportingFraud riskCorporate Governance and legal risksReputational Risk 

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

risk; Managing and rewarding employees

A poor management culture appears to have been
widespread within Societe Generale.  JK
appears to have operated without adequate supervision or analyses of his
trading positions.  “A large number of JK
fraudulent transactions were entered”(1) by one specific trading assistant,
which should not have been allowed to occur unnoticed as this provided opportunity
for collusion.

There was also insufficient supervision of the
“intraday” trading positions that JK was taking.  This had been noted by his manager but were
tolerated without investigation or reprimand. The Mission Green report “found
no formal record of the limits set by the trader’s manager on his intraday
activities, which would in any case be different from the mark risk limits set
formally” by the Risk management division.

A previous manager had noted fraudulent positions taken
by JK but the manager had issued “a non-formalized reprimand” (1).  When this manager resigned he was not
replaced in a timely fashion, so leading to further poor supervision of
employees.  The position was then filled by
an inexperienced manager who did not have the skills to carry out the role
adequately and “was not given sufficient support”.  This was a breach of the first line of
defence, as the skill set needed to adequately and continually manage risk was
lacking.  He in turn was not adequately
supervised or given support or additional training by senior management.


monitoring and control

Adequate risk monitoring and reporting structures were
clearly not in place in Societe Generale. 
For risk monitoring to work effectively management need to be aware in a
prompt fashion when a risk limit or tolerance is hit, so that they are then in
a position to take swift corrective action. 
Middle management noted risks taken by JK which were outside the
parameters set by the risk appetite framework for the business, but no
corrective or investigatory action was taken. 
The reports notes that “Supervision of JK proves to have been weak
overall, since 2007, despite several alerts generating grounds for vigilance or
for investigation.”  There was no
reporting of a potential breech of risk limits or the need for vigilance to
more senior management.

The risk control measures were not robust enough.  JK is reported to have been able to “bypass
some of the control measures”(1) to evade triggering alerts.  Through his use of the IT system for recording
trades, which he should not have had access to. 
Trading assistants also were able to enter trading positions without
have to explain the validity of the position.

There correct metrics were not being measured.  “Controls which would have allowed the fraud
to be identified were missing.”  Key
areas that could have led to earlier detection of risk were not in place.  The report found that “no controls existed…
over cancelled or modified trades, over trades with a deferred start date, over
positions with a high nominal value, or over non-trading flows during any given

There were several warning signals in the case of JK
that were not responded to by his manager or senior management, eg. Reluctance
of JK to take annual leave, the high level of earnings he was reporting, the
breech of the desk market risk limit. 
There does not appear to been any regular communication on the
organisation performance and risk management indicators.  One would wonder were Key Risk indicators
measuring the correct data, and so in turn were adequate risk monitoring and
controls in place.

There does not appear to have been ownership of risk assigned
to individuals.  Risk culture which would
have allowed for collective identification, discussion and reaction to the
organisations current and future risk did not seem to be prevalent.  The absolute necessity to report a breech in
risk limits to senior management was lacking, as was a risk register.


There can be several types of fraud risk within an
organisation; asset misappropriation, fraudulent statements and corruption.  Asset misappropriation “involves the theft or
misuse of an organisation’s assets.” Fraudulent statements is “usually in the
form of falsi?cation of ?nancial statements in order to obtain some form of
improper bene?t.”  Corruption fraud is “improper
use of con?dential information, con?icts of interest and collusive tendering.”(2)
(CIMA;  January 2009; Fraud Risk Management;
A guide to good practice. 978-1-85971-611-3(pdf))

These three areas of fraud risk were poorly managed as
there is evidence of breaches in all area in the “Mission Green” report.  No measures were in place to detect and
report fraudulent behaviour.  Within
Societe Generale JK could “take advantage of his fraudulent activities in order
to significantly increase his “official” earnings.”  There is evidence that there was “internal collusion
involving a trading assistant” which aided him in concealing “the earning
generated by his fraudulent positions.” 
When questioned regarding his practices by superiors or regulators JK
issued “forged emails as support.”(1)

The Culture in Societe Generale may have contributed
to the fraud risk.  The report notes that
“Operators…did not have the reflex to inform their hierarchical superiors of
the appearance of anomalies…if this was not specifically stated as part of the
relevant procedures.”

Internal audit were not auditing the correct key areas.  “Absence of certain control measures for
which no provision was made” likely would have identified the fraud if these
areas had been challenged and analysed.

In addition external auditors raised “alert signals”
that were not responded to in an appropriate manner.

Governance and Legal Risk

Corporate Goverance is “based on conducting the business with integrity and
fairness, being transparent with regard to all transactions, making all the
necessary disclosures and decisions and complying with all the laws of the land…..
Good governance should facilitate efficient, effective and entrepreneurial
management that can deliver shareholders value over the longer term.”(3)  (http://www.odce.ie/en-gb/companylawyou/corporategovernance.aspx)

In Societe Generale trading regulatory risk guidelines
were not being adhered to.  In JKs case
he was taking positions that were outside the risk limits set by the company,
but using techniques “to conceal his positions”.  This was fraudulent activity that was going
undetected and unreported.  The
operations division should have provided “an initial level of control over the
trader’s activities.”(1)

Although JK did not make personal financial gains
directly from the trading risks he was taking, it did increase his “official”
earnings and in turn his bonus.  So the
incentive scheme of the company rewarded the high risk positions he was taking,
even though they were unauthorised and non-compliant with industry regulation.

There was no apparent monitoring or reporting of hard
limits to senior management or the board of directors that may have highlighted
regulation breeches that could lead to penalties or fines.

Internal audit within Societe General does not appear
to have been adequate to ensure regulatory guidelines breech were reported in a
timely fashion.  “ACFI controls on regulatory
capital requirements in relation to the counterparty risk”(1) eventually
highlighted the fraud in Societe Generale but unfortunately the fraud had been
ongoing for a number of years at this point.



Brands are intangible assets.  As part of a risk assessment potential damage
to the brand that could be caused by high risk and fraudulent behaviour should
have been measure and reported on.  There
clearly were inadequate metrics in place to measure and report on brand
value.  If there had been the risks to
the brand may have been identified sooner and damage to this intangible assets
avoided.  The importance of brand value
to the organisation could have been assisted by an incentive system that
rewards behaviour that reflected this, rather than employees who engaged in
high risk behaviour receiving bonuses. 
The responsibility for the management of brand risk needs to be assigned
to an individual within the company.


risk view

I would classify the risk profile of Societe Generale
as requiring substantial improvement. 
The areas of risk or weakness are not confined to one area of the
business.  From reading the Mission Green
reports it appears there is not a risk culture within the business.  There is no clear risk appetite framework
communicated from the board down to employees. 
There are poor risk assessment, risk monitoring and risk reporting
behaviours.  There is no evidence of
robust systems in place.  There also is
no evidence of independent challenges to systems or auditing of key controls by
an internal audit department.

This left Societe Generale in a position where there
was residual risks that was high impact. 
This need a risk transfer approach to mitigate the residual risk the company
was now face within in light of the fraudulent behaviour that had taken
place.  A robust Internal audit system
needed to be put in place to ensure the correct controls and reporting procedures
were put in place to allow the company to deal with this risk.  These controls and reporting systems needed
to be challenged and improved on an ongoing basis to ensure they continued to
be effective in mitigating risk.


of a revised RAF

Based on the findings of the 2008 report, clearly a
revision of the current Risk Appetite Framework is needed by the board, to plan
for the business strategies and risks moving forward.  For this to be done the board needs to outline
the risk profile; its objectives going forward and then identify any potential
threats/risks to them achieving these objectives.  Within the revised Risk Appetite Framework
there needs to be clearly documented business goals moving forward and planning
for how risk to these goals will be monitored and reported.  Clear limits for acceptable risk need to be
outlined as well as procedures to deal with breaches in these limits, so a risk
capacity for the company is established.

communication StrategyAll of this information then needs to be communicated
in a simple and effective way to all members of the organisation through a Risk
Appetite Statement.  If this is done
effectively each department in the organisation will be aware of the risks that
are acceptable to take in their day-today work, and also the limits to the
risks they are permitted to take.  In
light of the events reported in 2008 an effective Risk Appetite Statement was
not in place.  Ranges can be set to allow
for early reporting when risk limits are being approached so that corrective
action can be initiated.  This can be
done through Risk Management Dashboards, which are a concise way of presenting
current risk in a manner that highlights the current levels of risk in various
areas of the organisation, and helps prioritise them so that timely corrective
management can occur.Within the revised Risk Appetite Framework there needs
to be allocation of risk ownership so that everyone is clear on who is
responsible for monitoring and reporting on a specific area of risk.Training
MeasuresBased on the events reported in 2008, a healthy risk
culture was not present in Societe Generale. 
This needs to be addressed on a company wide basis moving forwards.  Training in the area of risk management, risk
identification, monitoring and reporting for staff is an important first
step.  This could be done through the
running of Risk workshops.For the risk workshops to be successful buy-in and
support from the board and senior management into the benefits of effective
risk management would be essential. 
Education around the new Risk Appetite Framework of the organisation would
be central to this process.  Creating an
environment where all stakeholders can contribute openly and honestly is
important.  Each stakeholder has
different viewpoints and contribute to the discussion of risk or threats from
the view point of their department or role. 
Once key risk are established they can be ranked.  Following the workshop a report should be
compiled with action plans for the risks discussed, so there is a clearly
documented plan for the future.Control
testing and monitoringAn integral part of any revised Risk Appetite
Framework would need to look at control testing and monitoring.  Examination of behaviour within the company
up to 2009 would need to be reviewed to try to ascertain why there were
systemic failures in risk monitoring and reporting.  Risk controls were not robust enough.  JK exploited “a certain lack of a transversal
approach in the organisation of control functions.”(1)  Employees were able to bypass risk limits
that had been set.  JK’s supervisors
allowed him to take risks which were “unjustified given JK’s assignment and his
level of seniority as trader.”(1)   When alerts occurred they were not escalated
and reported to senior management immediately. 
JK was able to “bypass the control measures liable to reveal the
fictitious or unwarranted character of the entries posted by him.”(1)  When an inexperienced manager was put in
place and failed “to fulfil one of the main tasks expected from a trader
manager”(1) why was this not detected by senior management or internal audit. Oversight
measures to embed such a key risk management processOversight measures up until 2009 were poor and did not
appear to be embedded into the risk management process.  First and second lines of defence were
breached, and there was no evidence of an effective third of defence line in
place.  Going forward it would be very
important to ensure the development of a robust Three Line of Defence Model and
development of a positive Risk Culture within the organisation.The first line of defence should have the appropriate
skill set to create risk definitions and make risk assessments.  They should be assisted by the second line of
defence.  This clearly did not occur in
the case outlined in the Mission Green Report. 
The FLOD needs to be proactively assessing, monitoring and reporting on
risks within their area, as they change on an ongoing basis.  “The supervision of risks and the monitoring
of day-to-day activities, the direct supervision of the DLPdesk proves to have
been deficient.”(1)  They also need to be
effectively able to analyse data and use early warning signs to facilitate them
in mitigating risk and reporting it upwards when necessary.  JK’s inexperienced direct supervisor “was not
assisted by the DELTA one manager” or “given sufficient support.”(1)) Parts
of the business which will be impacted by these Instigation of a revised risk appetite within Societe
Generale will impact on many areas throughout the company including the trading
office, the front desk, the middle office, the internal audit department, the
audit committee and the board.  Practice
and culture within all these domains will need a new approach to identifying,
assessing and communicating risk from the trading desk upwards to the board,
and from the Audit committee and the board down to the trading floor.  These departments will need to be re-educated
on regulatory requirements and best practice guidelines for these areas.  A change in policy regarding the incentive or
bonus system within the company would impact directly on traders and management
whose bonuses, up until this point, were calculated on the profits of their
trading activities.  The development of
metrics to reports on key control areas within the business that were not previously
being analysed will be needed, such as controls “over cancelled or modified
trades, over trades with a deferred start date, …over positions with a high
nominal value.”  Ownership of key risk
needs to be assigned. The
specific roles which will support an improved control environmentA collaboration of many roles will be needed to
support an improved control environment. 
Key to this strategy would be a Three lines of Defence Model.  “Risk management normally is strongest when
there are three separate and clearly identified lines of defence.”(4)  (IIA POSITION PAPER:  THE THREE LINES OF DEFENSE IN EFFECTIVE RISK
MANAGEMENT AND CONTROL, January 2013).  This
model allows for risk ownership and a clear reporting and escalation strategy.The first line of defence consists of business
operations managers.  They manage
specific areas of risk relevant to their roles and departments.  These staff members need to be adequately
skilled to carry out their roles.  They
need to be proactive in the identification, assessment and communication of
ever changing risk within the company on a day-to-day basis.  In the case of Societe Generale this first
line of defence was breached as JK’s manger was inexperienced and did not have
the adequate skill set for the position he was given.The second line of defence consist of management with
an oversight function.  They need to
oversee a broad area of risks to the business. 
They provide guidance to the first line of defence through company
objectives, best practice guidelines and policies and procedures for dealing
with key risk areas.  This function was
not being carried out up to 2009 as the FLOD was not getting the support it
required to identify, analyse and manage risk. 
SLOD also need to monitor ongoing and emerging risks, and ensure compliance.  They provide an oversight of the company risk
to the board.The third line of defence
is internal audit.  “The role of internal audit is to provide independent
assurance that an organization’s risk management, governance and internal
control processes are operating effectively.”(IAA website https://www.iia.org.uk/about-us/)  They should report to the Audit Committee,
who in turn report to the board.  By
challenging key control they can report on and improve risk management.  They can report on assurance to the board.  Internal audit could use a standard such as
ISO 3100 “to help… increase the likelihood of achieving objectives, improve the
identification of opportunities and threats and effectively allocate and use
resources for risk treatment.”(5)  (https://www.iso.org/iso-31000-risk-management.html)The three line of defence approach will allow for the
creation of risk coverage maps.  This
provides a clear display of risk to the business, key controls in place, and
the effectiveness of the reporting system and should aid in the evaluation of
any gaps or duplication in controls. 
Risk coverage needs to be reviewed on a regular basis and steps taken to
deal with current and emerging risks in an inefficient and holistic manner.Discuss
how the measure taken will meet the demands and expectations of key

RegulatorDue to the events of recent years there are increasing
regulatory pressures on companies. 
Societe General have national (Autorité de Controle Prudentiel et de
Résolution), European (European Central Bank) and global regulators (Basel 3
Framework) to report to, as there is an ongoing global reform to the financial
industry.  They will need to provide
evidence to the regulator that effective risk management strategies are in
place.  Also, that they have taken
measure, and tested these measures to ensure that they are in a position to
withstand potential stressors.  They also
need to provide evidence of liquidity and so an ability to meet their cash
commitments.  The third line of defence
of internal audit will play key role in assurance reporting to the board and
the regulators.  The achievement of a
best practice standard, e.g ISO 3100, would give reassurance of a high standard
of risk management within the business.The GovernmentThe government expectations would include non-criminal
practices within the organisation, compliance with regulators, and fair and appropriate
treatment of staff.  The government would
need evidence that there is no further tolerance for fraudulent behaviours, and
if detected that they will be reported to the authorities. A formal code of
conduct for Societe Generale would support this.The UnionsThe unions would expect that there staff are treated
fairly.  They would need to see procedures
and policies in place to deal with conduct, disciplinary actions and whistle-blowing.
 Unions may also look for assurance
regarding financial risk to the company as liquidity and the future potential
employment ability of the firm is relative to their members.Investors/ShareholderInvestors and shareholders need evidence that there financial
stake in the business is being managed within the revised risk appetite
framework approved by the board.  They
also need assurance, which many come from the chief risk officer, CEO or
internal audit reports, that there are adequate limits and controls in place to
manage the risk for their investment. 
This needs to be communicate clearly to the shareholders.Brand value is of crucial importance to
investors.  Metrics need to be put in
place to manage risk to brand value, and steps needed to manage the recent
crisis and how it affected brand value.Recommendations

Given the events that occurred in the lead
up to the “Mission Green” report in 2008 development and implementation of a
revised Risk Appetite Framework is needed to give new structure to the
identification, assessment, monitoring and reporting of key strategic
risk.  The revised risk appetite, revised
business strategy and the revised risk limits need to be clearly communicated
to all stakeholders in the company through a revised Risk Appetite Strategy.As a result of the “Mission Green” report
new policies and procedures need to be developed for monitoring risk, detecting
risk breaches and also clear channels for the escalation of breaches through
the hierarchical chain of command.  Ideally
a single database system for logging and reporting risk should be used
throughout the company.A robust 3LOD model for reporting risk and
to increase the accountability and ownership of risk is essential.  This model would allow for assessment and
monitoring of risk throughout the company with clear reporting channels to the
audit committee, CRO, CEO and the board. 
It would also facilitate an efficient means of regularly re-assessing
risk being mindful of emerging risk, while trying to avoid duplication of roles
within the business.Brand value will certainly have been
affected by the fraudulent behaviour detected and financial damage caused to
Societe Generale reported in the “Mission Green” report.  For investors and regulatory bodies
protecting brand value and re-building it moving forward will be key to the success
of the company.  A positive risk culture
within the organisation, transparency in reporting to investors, clear
ownership of risks, and a robust model for reporting risk are all steps that in
time should increase brand value.

Categories: Industry


I'm Iren!

Would you like to get a custom essay? How about receiving a customized one?

Check it out