Is 27001 to blame for the LIBOR fiasco?

The ongoing LIBOR saga has two dimensions.

One is political – how much is the story really about banks responding to Government pressure to rig the rate, once they had discovered how easy it was to do so?  We should note that the systemic rigging came after the banks had supposedly said they wanted reform because it was open to abuse.

The other is how such a key market rate came to be based on subjective inputs in the first place. I have had some profoundly worrying e-mails since I blogged on how LIBOR broke the first rule of information governance. The gist of these is that the rigging of LIBOR may be only the first of a series of scandals that will emerge because of the way the FSA promoted “self-policing” by those who could be “trusted” because they adhered to ISO/IEC 27001 or had similar processes which enabled boxes to be ticked.

Lloyds (whose Head of Security for Digital Banking is facing fraud charges) is among those which boast that their processes are based on 27001. I remember favourably reviewing one of the first text books on how and why to implement 27001. About two years ago I lost faith. I now wonder if it is part of the problem, not the solution.

That is partly because so few people in organisations that have been certified have actually read the processes they are supposed to adhere to. In some cases that may also include the supposed authors, who copied the sections from elsewhere.

But it is more because of the way it can distract attention from the collation and prioritisation of risk, particularly the risks that arise from the way staff are motivated.

Many years ago, as a Public Corporations Sector Comptroller in ICL, I was the only member of the sector management team not on any of the bonus schemes. My staff ran the order taking, debt chasing, expenses and bonus systems and I reported to the Finance Director, although I hardly ever saw him. We also checked the profitability and I approved those discounts in my power (over and above those the salesmen could offer) or supported the case for more (alongside the sector manager).

Had I and my staff also been on bonus I suspect we would have reported rather more sales, paid more expenses, and the company would have been paid by its customers rather more slowly and written off more bad debt: all without considering that we were being actively dishonest.

I doubt that those dealers who rigged LIBOR in their own interests (or those of their counterparts in other banks as part of “easing” the market) are any more, or less, (dis)honest than the average computer salesman (wanting a better deal for his customer and an easier relationship for the upgrade) – or the man in the street.

Clive in the Daily Telegraph sums up the role of those policing compliance in a way with which many of those in large organisations would, unfortunately, sympathise. The following day he, equally succinctly, summed up the current state of information governance in most large organisations, not just the banks but those central government departments with bonus schemes as well.