
2,000 compliance heads did not prevent $7.1 billion of fraud

I've been wanting to write about the debacle at Société Générale for a while.

As reported by David Jolly in the New York Times on January 24, 2008, the French bank Société Générale said that it had uncovered "an exceptional fraud" by a trader that would cost it €4.9 billion, or about $7.1 billion, and that it would seek new capital of about $8 billion.

The company said in a statement that the fraud had been committed by a trader in charge of "plain vanilla" hedging on European index futures.

Société Générale employs 2,000 people in its compliance department - what the heck were these people doing?

Probably checking off items in a compliance checklist.

That's just about where this $18BN/year GRC market is right now: checking off items dictated by a regulator who has never met the company, its employees, managers, customers and suppliers.

How did we get to this sorry state of affairs? Basically because it's easier to check off an item on a list than to identify the root cause and fix the problem.

I met with a big GRC (governance, risk and compliance) consulting firm in Europe recently and we were discussing how they might use the Practical Threat Analysis methodology in their risk assessment practice.

The idea behind Practical Threat Analysis is that everything has a cost, and risk is not an amorphous entity to be estimated on its own. Risk has root causes in any organization: the root causes of risk are threats that exploit vulnerabilities of the company's physical, digital, operational and reputation assets. Risk is mitigated by appropriate security countermeasures that reduce the amount of damage an exploit can cause.

The big consulting company loved the idea of quantitative risk assessment but they had two reservations:

1. Current risk assessment projects are qualitative and are based on data collection interviews, and therefore manpower intensive. Since the projects are costed on the basis of manpower cost, the consultant doesn't have the budget to perform a quantitative risk assessment. In other words, a big bank might spend 1 million Euro on a GRC assessment and still not know a) how much financial exposure it actually has and b) how much its security countermeasures are going to cost.

2. How to estimate the value of assets? A cornerstone of Practical Threat Analysis is estimating asset value in dollars (or Euro) and truth be told - the answer to this question is simple. Ask the right person. If you want to know the damage to the company if they don't report on time to the NASDAQ, then ask the CFO. If you want to know the cost of a firewall - ask the network administrator or IT manager.
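The following is an added illustration, not the PTA tool's own formulas or code, of the quantitative model the post describes: assets carry a monetary value obtained from whoever owns them (the CFO, the IT manager), threats exploit an asset with some annual probability and damage share, and countermeasures cut that loss at a known cost. It answers both reservations above with numbers: a) the total expected exposure in currency and b) what each countermeasure costs against what it saves, so a countermeasure that costs more than the loss it prevents is visible immediately. The asset names, probabilities and amounts are constructed for the example.

```python
"""Toy quantitative risk model (added example; figures and formulas are
illustrative assumptions, not the Practical Threat Analysis tool itself)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Asset:
    name: str
    value: float  # monetary value, as given by the asset's owner (CFO, IT manager, ...)


@dataclass
class Threat:
    name: str
    asset: str                  # name of the asset this threat exploits
    annual_probability: float   # chance the threat is realised within a year
    damage_fraction: float      # share of the asset value lost when it is


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's loss the countermeasure removes
    mitigation: Dict[str, float] = field(default_factory=dict)


def annual_loss_expectancy(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Expected yearly loss from one threat: asset value x probability x damage share."""
    return assets[threat.asset].value * threat.annual_probability * threat.damage_fraction


def total_exposure(threats: Iterable[Threat], assets: Dict[str, Asset],
                   countermeasures: Iterable[Countermeasure] = ()) -> float:
    """Sum of expected losses, optionally after applying countermeasures.
    Several countermeasures on the same threat compound multiplicatively."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for cm in countermeasures:
            remaining *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += annual_loss_expectancy(t, assets) * remaining
    return round(total, 2)


def rank_countermeasures(threats: List[Threat], assets: Dict[str, Asset],
                         countermeasures: List[Countermeasure]) -> List[dict]:
    """Order countermeasures by loss reduction per unit of annual cost, each
    evaluated on its own against the unmitigated baseline."""
    baseline = total_exposure(threats, assets)
    rows = []
    for cm in countermeasures:
        reduction = baseline - total_exposure(threats, assets, [cm])
        rows.append({
            "name": cm.name,
            "annual_cost": cm.annual_cost,
            "loss_reduction": round(reduction, 2),
            "benefit_per_cost": round(reduction / cm.annual_cost, 2),
        })
    return sorted(rows, key=lambda r: r["benefit_per_cost"], reverse=True)


# Constructed sample data: values a CFO and an IT manager might supply.
ASSETS = {
    "trading book": Asset("trading book", 50_000_000),
    "regulatory reporting": Asset("regulatory reporting", 5_000_000),
}
THREATS = [
    Threat("concealed unauthorised positions", "trading book", 0.05, 0.8),
    Threat("late regulatory filing", "regulatory reporting", 0.2, 0.5),
    Threat("trading platform outage", "trading book", 0.3, 0.02),
]
COUNTERMEASURES = [
    Countermeasure("independent trade confirmation", 400_000,
                   {"concealed unauthorised positions": 0.6}),
    Countermeasure("dual control on limit overrides", 150_000,
                   {"concealed unauthorised positions": 0.3}),
    Countermeasure("redundant trading platform", 500_000,
                   {"trading platform outage": 0.9}),
    Countermeasure("automated filing calendar", 50_000,
                   {"late regulatory filing": 0.7}),
]

if __name__ == "__main__":
    print("baseline exposure:", total_exposure(THREATS, ASSETS))
    print("residual exposure:", total_exposure(THREATS, ASSETS, COUNTERMEASURES))
    for row in rank_countermeasures(THREATS, ASSETS, COUNTERMEASURES):
        flag = "" if row["benefit_per_cost"] >= 1.0 else "  <- costs more than it saves"
        print(row, flag)
```

With the constructed figures the baseline exposure is 2,800,000 a year, the four countermeasures together bring it to 740,000, and the ranking puts the cheap filing calendar first while flagging the redundant platform, whose 500,000 cost buys only 270,000 of loss reduction. The model is deliberately simple (a single probability and damage share per threat, multiplicative mitigation); its point is that once asset values and costs are asked of the right people, exposure and countermeasure spend become comparable numbers rather than checklist ticks.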

About

This page contains a single entry from the blog posted on March 4, 2008 11:32 AM.
