José Esteves. Professor. IE Business School
6 November 2008
The collapse of Lehman Brothers and the fraudulent activities of a broker at Société Générale reveal the chaos that reigns in banks’ internal control systems.
The world economic recession, and in particular that of the banking and financial sector, is giving rise to serious problems. Lehman Brothers was considered one of the financial institutions with the best contingency plans, yet that was not enough to save it from collapse. Another clear example is Société Générale, where internal controls were incapable of detecting the fraudulent activities of one of its brokers.
Some experts suggest that the internal controls of many institutions are nothing more than "mere plans on paper": they are not operational, they have never been tested, employees "ignore them", and the institution has no monitoring process in place. This is paradoxical, since a control system is by definition made up of elements that make it possible to influence the way the system works. A control system must guarantee stability and, in particular, be robust against model errors and interference. Furthermore, it must be as efficient as possible and satisfy a preset criterion. Normally this criterion is that the input variables can be controlled, which is what prevents sharp practice.
We are all familiar with the theory, so why has it not worked in financial institutions? The truth is that in some cases it did work, but while handsome profits were being earned, many consultants and managers ignored breaches of their internal controls. There is also another reason why it has not worked: the lack of good institutional information management.
In Spain, most banks and financial institutions do not know their databases well, nor the information processed in them, nor who has access to it. Internally, many Excel and Access databases are in use and contain important, critical data, but they are not controlled. There are thousands of these small databases, used mainly for reporting or data-analysis activities, and managers are unaware of, or do not measure, the risks inherent in their use.
Corporate legal consultants register some of these files as required by the LOPD (Spanish Data Protection Law), but their passiveness in controlling employees and training them in the use of these files means that several employees manage the databases and have access to critical data. In most companies the problem is not the notice stating that the data will be used by the company, but rather how the company actually uses and processes the data.
Furthermore, the data are not integrated and much of the information is duplicated. Owing to the complexity of their information systems, some financial institutions in Spain take almost two months to obtain integrated data on their activities. How can you implement internal controls when you don't even know who runs the databases? How can you hold your employees responsible if you do not know what activities they carry out?
Without more professionalised information systems, stricter activity and access control measures and better data processing, it is impossible to implement the internal controls that many institutions already have on paper or that are required by laws such as Sarbanes-Oxley or Basle. Banks and financial institutions not only have to consider restructuring the banking model, but also rethinking and improving information systems in which chaos is king.