I often ponder: just how do you create a high-enough quality environment with superb-enough controls that you can make sure one out-of-control person can’t take down your whole organization?
I have four examples.
Most of them (but not all) had really good internal controls, great procedures, told their staff constantly what was acceptable, reminded staff of ethical and legal requirements. Some had rigorous internal monitoring procedures.
Yet one out-of-control person took out a bank, severely damaged another bank, and another individual came close to seriously hurting an international accounting firm. A group of people cost one company a guilty plea under the Foreign Corrupt Practices Act along with a hundred million dollar fine, deferred prosecution agreement, and tons of negative publicity. Let’s take a look at Barings Bank, KPMG, Société Générale, and HP.
Barings Bank trading losses
The bank was formed in ancient times, 1762 to be precise. The company was started before the United States existed. They survived multiple panics and the Great Depression.
Yet one trader, Nick Leeson, working out of the Singapore office, sank the company in 1995. His derivatives trading cost the company $1.3 billion, which was double their capital.
He had incompatible job positions, which allowed him to hide losses.
The poor controls should have been improved. Yet poor local oversight, failure of internal audit, and lack of higher-level oversight took down a 232-year-old bank.
I have a book on the bank’s failure somewhere in the garage, but it was easier refreshing my brain by checking Wikipedia.
How do you make sure you didn’t miss a weakness in your company that could let one rogue destroy your entire organization?
Insider trading at KPMG
I’ve written extensively on the insider trading conducted by Scott London, formerly audit partner-in-charge of the southwest region of KPMG.
The very short version is that KPMG, like all accounting firms, tells their staff repeatedly in many ways to guard confidential information. All CPAs know not to trade on client info. As a wild guess, he has probably heard that message several dozen times over the course of his now-terminated career. There’s no reason Mr. London wasn’t absolutely, completely aware what he was doing was wrong.
Yet he still traded on inside information.
He caused severe embarrassment to KPMG and cost them several lucrative audits.
It could have been worse.
If he had ‘lawyered up’, refused to ‘fess up, and held out for a plea deal with the feds, the damage to KPMG would have been severe. It could have cost them a lot of clients, with the resulting layoffs of staff and drops in partners’ income.
To cover a lot of ground very quickly, it seems to me KPMG did everything it could to prevent this disaster.
How do you make sure senior staff don’t do dumb stuff (that they absolutely know is wrong) which could seriously hurt your company, if not do it in?
Société Générale trading losses
In 2008, the French bank had a US$7.2 billion trading loss. The subsequent criminal trial found one trader, Jérôme Kerviel, responsible. He had no assistance. He apparently had a $73 billion portfolio he was trading.
Based on my recollection of news coverage at the time, he maneuvered his way through, in-between, and around a variety of internal controls. Some brief background at Wikipedia.
How do you make sure there isn’t some complex combination of internal control oddities that could allow one person to get into a mess that could threaten your survival?
HP’s felony guilty plea to violating the FCPA
Managers in three countries went wild with bribery payments to gain business.
The end result is a guilty plea to a Foreign Corrupt Practices Act violation, lots of negative publicity, and a $108 million fine. There is a deferred prosecution agreement with U.S. authorities for HP’s activity in one of the countries.
A WSJ article refers to some compliance and reporting obligations the company now has, although the details weren’t mentioned in the article. I’ll guess those requirements will cost millions of dollars per year.
Background from the Wall Street Journal: H-P to Pay $108 Million to Settle Bribery Case.
According to the article, the managers in Russia paid millions of dollars over 7 years to land a $100 million contract. They apparently set up a series of shell companies to create cover for dummy transactions.
In Poland, managers paid $600K in bribes to get a contract with the national police agency. They reportedly handed over bags of cash on four occasions. They got a contract worth $32 million a year. All that info according to the article.
Without doing any research, I am highly confident that HP is telling all their employees and especially their managers not to ever pay a bribe to get business. I am confident the message is sent clearly and repeatedly with lots of examples of what you cannot do.
How do you make sure your middle managers don’t flout the rules you told them about over and over and over again?
Your business or ministry
The above examples may be far removed from your business or ministry.
Yet the risks remain.
In this era of widespread social media, Twitter comments that can go viral in a matter of minutes, and extensive laws to obey, how do you keep one person from doing something horrible that can threaten the existence of your organization?
I don’t have any immediate answers.
What do you think?