PraxIS Feb. 2008

08-02 Contents: Société Générale, Direct Debit Fraud, Spreadsheet safety

ISSN 1649-2374 This issue online at   [Previous] [Index]  [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success



1) Risk & Security
    Societe Generale

2) Bank Direct Debit fraud
    Jeremy Clarkson's challenge taken up

3) Spreadsheets
    New certification on safe spreadsheeting being tested

4) Off Topic

15 Web links in this newsletter

About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

A single story this month, but what a story!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  Risk & Security

Société Générale loses annual profit

2008 started so well for SocGen, winning the Risk Magazine Awards 2008 for Equity Derivatives House of the Year

Then on January 24 it emerged that SocGen suffered the biggest rogue trading scandal in history, for which 31-year-old junior trader Jerome Kerviel has been charged. When the bank discovered  hidden trades on Jan. 19 and 20, it decided to close the positions in the market quickly. But this coincided with a market rout, and the bank ended up nursing losses of 4.9 billion euros -- close to its net 2006 profit.

The Register and are the usual sources for IT people to talk about these stories. Those who don't work in IT are probably better off not reading this; as the old saw goes "anyone who appreciates the law or sausage should never watch either being made" (Mark Twain? Otto von Bismark?)
How to lose $7.2bn with just a few Basic skillsSocGen: it could've happened anywhere - and still might
Dominic Connor wrote: "he was supposed to be an arbitrageur, someone who makes riskless profits by spotting things that have been given the wrong price. Instead he bet on prices going up and down. London firms have a rule that one is supposed to take a block of at least two weeks every year, but it's hardly enforced, and of course US workers hardly get any annual leave at all. His VBA skills would have helped him a lot to keep the illusion alive. ... most banks do not have [Excel jockeys] so you have untrained people helping each other. Knowing Excel, he would have been asked to sort out his colleagues' spreadsheets, and left sitting at their PCs able to execute any number of misdeeds while his colleague went off for lunch."

In the comments, 'Anonmyous Coward'  writes:
"Poor controls, tick in the box auditing, password sharing as standard, billions of dollars managed from excel, middle managers with all the nous of piece of  blutac, it's all true. I tell to people that if you knew what I knew you'd keep your money in a sock under your mattress. I almost mean it."
"I worked for a bank last year... Anyway, I was given root access to their systems, and they didn't even interview me before I started. ... The bank I work for have swallowed the draconian password policy hook, line and sinker meaning that their employees cannot possibly hope to mentally stay on top of the thirty or so constantly changing alphanumeric passwords they need to remember. Consequently, most people have a cheat cheet of passwords which are stored in a variety of places - from scraps of paper in unlocked desk drawers, to the password protected spreadsheet of them which I have on my computer desktop (excel spreadsheet passwords ain't exactly hard to break.) "
The BBC's business editor Robert Peston says "Bankers have confirmed that at the end of last year, Jerome Kerviel had generated a colossal hidden profit for the bank of 1.4bn euros .. Among the great mysteries of the Kerviel affair is how the French bank could have failed to notice a profit of that size."
When Kerviel's CV was published, it attracted some disdainful comments from experts with double PhDs in complex mathematics. It only claimed basic VBA skills.
"Skills: Microsoft Office Packge - Visual Basic
Development of management  tools (Excel VBA Macros)
Excel macro development for the Exotic Desk"$file/08005gb.pdf
The SocGen report on the fraud and the sequence of events after its discovery.
The Economist comments rather acidly on the management's way of handling previous alarms: "SocGen has plenty of internal cops at its high-security headquarters in the La Défense enclave of Paris. The bank's annual report for 2006 devotes 26 reassuring pages to its risk-management practices; more than 2,000 staff worked in the function that year, and lots more bodies were added in 2007. Yet none of them stopped Jérôme Kerviel, the trader accused of taking enormous unauthorised bets, from building an unhedged €50 billion exposure to European futures markets (Mr Kerviel reportedly alleges that his supervisors were aware of his activities). “When challenged, he was clever enough to say, for example, that he had made a mistake,” says Jean-Pierre Mustier, the head of SocGen's investment-banking  arm. Clever, indeed. "
"Certain internal control mechanisms at Societe Generale did not work and those that did were not always followed up with the appropriate changes," Finance Minister Christine Lagarde said. Lagarde was speaking after delivering a report on the debacle to Prime Minister Francois Fillon, in which she said the maximum fine for breach of banking rules, currently five million euros (7.4 million dollars), should be "substantially increased".   WikiPedia'a catalogue of losses


2) Bank Direct Debit fraud

Jeremy Clarkson, a particularly outspoken UK TV car show presenter, wrote in a Sunday Times column last year about the HMRC loss of CDs with the personal details of 7 million families: "I have never known such a palaver about nothing. The fact is we happily hand over cheques to all sorts of unsavoury people all day long without a moment's thought. We have nothing to fear." He then printed his bank details to try and make the point that his money would be safe and that the spectre of identity theft was a sham. On Jan 6, he told readers he had opened his bank statement to find a direct debit had been set up in his name to the British Diabetic Association and £500 taken out of his account.

According to other coverage, this is because the direct debit system transfers the responsibility for checking to the organisation submitting the direct debit, and guarantees that bank clients will be refunded if they claim they were wrongly charged.

The fact is, the information he gave out is on every cheque we sign, and if the shop asks us to write our home address and phone number on the back, we'll do that too. The point is, who has access to the information.


3) Spreadsheets

Just to close the link with the main topic this month , Denis Howlett comments  "On SocGen and spreadsheets: the similarities" 

and John Stokdyk also picked up on it in AccountingWeb: "Were spreadsheets a vehicle for the Societe Generale fraud?"

Safe Spreadsheeting

Last month, I delivered the first of a new course on spreadsheet safe practices with a certification scheme. This is being given a final shake down now, so we are looking for large companies with serious aims on spreadsheet controls to take part in the final tests of the assessment methods. Contact me, if your organisation is in Ireland or the UK and you feel the need to demonstrate to external auditors or regulators that you're taking a hard-nosed results-based approach to staff awareness training.


Spreadsheet Check and Control: 47 key skills to find and fix errors Available worldwide from Amazon.  Our offer - free shipping to EU .




Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

4) Off Topic

Schadenfreude   reports this link: 

Several Kerviel-dedicated websites have popped up, including ;,  and have been cybersquatted. Several video parodies of Société Générale and Kerviel are among the most popular hits on, the French video-sharing site.



Copyright (c) Systems Modelling Limited, . Reproduction allowed provided this copyright notice is included.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I moderate posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website