According to news reports from numerous sources, the trader,
Jerome Kerviel, had made billions for his bosses, which explains
why they turned a blind eye to his activities and turned off the
alert system. But when he lost a €5 billion bet, he ended up in jail
and the company’s reputation was down the proverbial drain. I
have not heard if anyone in management ever lost a job or went
to jail, but the company is out €5 billion.
What could a risk management practitioner have done?
(The entire story was published by Der Spiegel and is online at
http://www.spiegel.de/international/business/0,1518,729155,00.html.)
Closer to home, the Port Authority of New York and New
Jersey escaped responsibility for the first attack on the Trade
Centers in Manhattan when the New York Appeals Court, in a
split decision, decided the port authority was a government
agency and immune to civil suits.
According to a dissenting appeals court judge, Carmen
Beauchamp Ciparick, the port authority “solicited numerous
expert opinions on the security risks and measures to be considered
before allocating its police resources” but then “security
decisions regarding the garage were made by civilian managers,
not law enforcement or security authorities.”
In the “to be fair” department, the port authority (like most
organizations) only had a limited amount of money to protect
the thousands of people working and visiting the skyscrapers.
Aside from bombings of small buildings in the U.S. – mostly
rural churches or schools – bombing buildings was not all that
common.
True, two truck bombs had gone off outside a military barracks
in Beirut in 1983, killing 299 Americans and other servicemen;
Islamic Jihad claimed responsibility. But that was overseas; such
things didn’t happen on U.S. soil. The Alfred P. Murrah Federal
Building in downtown Oklahoma City wasn’t brought down by
Timothy McVeigh and friends until April 19, 1995.
Management that simply isn’t there
It was a short, but certainly not sweet, engagement with a
major East Coast retail merchant.
The client’s requirements were simple:
Create and document a plan to move the company’s critical IT
resources -- not the business, just IT -- from its Virginia headquarters
to a temporary location several states to the south and back
after the event.
Pretty simple task.
There were perhaps 20 people assigned to the task, none of
whom were decision makers.
Meetings were called almost weekly for a month. The problem
was that none of the three decision makers ever showed up at a
meeting.
We could, and did, sit around talking about what should and
could be done to create and document the process, but since there
were no decision makers we never got the go-ahead on anything.
Moving south, when I was a fairly new practitioner, the company for which I worked won a contract to create an enterprise
business continuity plan for a state agency.
I learned two very important lessons from this engagement:
Lesson One: Unless the most senior executive -- in this case the
department secretary -- is obviously-to-all 100 percent behind the
plan, it is doomed before it starts.
Lesson Two: We brought in a certified practitioner from a Canadian
office as the technical lead, and she brought with her a huge red
binder full of “how to” instructions and forms to be completed by the
client’s staff.
We quickly learned that a packaged approach simply doesn’t
work. We looked at the red binder’s contents and quickly understood: leave the binder at home.
We did manage to complete the first part of the plan. We identified risks, made recommendations, and submitted our findings
to the client for review and determination of which recommendations to implement and on what schedule.
We waited and waited.
The client executive, or salesman, wanted to get the Phase 2
Restoration to business-as-usual part underway.
It never happened.
Management, in this case, apparently lost interest in protecting its assets, or perhaps, and I hope this is what happened, it
thought it could do the restoration part of the plan sans our expertise.
What is a practitioner to do?
The frustrating and sad part of all the foregoing is the reality
that, in the face of management’s actions, or inactions as the case
may be, there is not much a practitioner can do.
In the case of the Société Générale, aside from going to whatever
authorities regulate trading in France, it would seem “not
much.”
In the Port Authority case, management escaped with little
more than censure from a lower court and three of seven judges
sitting as an appeals court.
Someone apparently shared the recommendations ignored by
the shipping company’s VP/MIS with the “admiral of the fleet”
(CEO) who ordered implementation of at least the more critical
of the recommendations and removed the obstructionist VP from
the scene.
The lesson of lack of Very Senior Management support is a
warning sign this practitioner watches very closely. If I see management give lukewarm support for the process, if able, I will
pass on the opportunity. For in-house practitioners, that may not
be possible.
All organizations have budgetary constraints. Practitioners
need to make every effort to get the most bang for every buck.
If there are low-cost options, explore them and be prepared to
present them side-by-side with the expensive alternatives.
I’ve worked with some excellent managers, men and women
who understood that risk management benefits everyone, from
staff, customers, and vendors to, of course, the shareholders.
Unfortunately, not all managers are in their class.
John Glenn (JohnGlennMBCI.com) is an enterprise risk management/
business continuity practitioner with more than 13 years’ experience.
Glenn invites comments on this article and others at his Web site to
JohnGlennMBCI@gmail.com.