In IT, we think of implementing controls as our job, whether they're for financial traders or Sarbanes-Oxley or HIPAA or anything else. We spec out the software, we secure the systems, we manage the operations. And we tear our hair out when someone steals a password or exploits a security hole. We take it seriously. We take it personally. ... And the people we're working for? They don't. At least, some of them don't.
If you haven't kept up with the story, the French bank announced late last month that it lost roughly $7.2 million cleaning up the mess left by trader Jeremy Kerviel. From his job on the futures desk, the Associated Press says, Kerviel "invested the bank's own money by hedging on European equity market indices -- making bets on the future performance of the markets."
And as Hayes notes in Computerworld:
"[Kerviel] knew how the [bank's] controls worked. And he knew they were designed to prevent traders from stealing from the bank, not to stop cheating that might score bigger profits.... [and] he knew that other traders were routinely cheating in similar ways and that management ignored it as long as the results were profitable in the end."
Even if IT puts the controls in place, he says, they do nothing if management won't control how they're used or abused.